
The case would be that someone with stolen credit card registers on my site, and uses the stolen credit card details to purchase services through my site.

How can I protect my eCommerce site from stolen credit cards? What actions can I take to validate the card before it is used?

kalina
    I am not sure what your concern is. Are you concerned that a stolen card would be used and that Visa/Mastercard/Discover/Amex would not honour the payment (you would later get a chargeback due to fraudulent use)? This is what systems like "Verified by Visa" are for. http://visa.ca/merchant/products-and-services/vbv/vbv-faq.jsp If you use their system you won't ever be charged back for fraudulent users. Visa takes the hit on that. I am quite sure you could find similar payment systems from the other card issuers with a little Googling. – Rod MacPherson Aug 12 '13 at 14:42
  • The generic name for that kind of thing, @RodMacPherson, is [3D Secure](http://en.wikipedia.org/wiki/3-D_Secure). Visa, MasterCard, and American Express all follow the same standard. – TRiG Jun 23 '14 at 11:13

3 Answers

4

Normally when using the card with an official payment gateway, a reported, stolen credit card should be marked as unusable. The card will be refused by the gateway.

If you really need advanced authentication before allowing a card to be used by the client, you should verify his identity by making the client send you a copy of his ID card or passport and a recent bill (water, electricity, ...) which states his name and address. This address should be the same as on the credit card. Do note that this will make the transaction a lot more difficult and cumbersome and make some clients go away.

Also make sure that when performing credit card transactions you are completely PCI-DSS compliant if you have to be. If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you're protecting their credit card data appropriately. In case of a breach you can also be held legally liable by your customers.

Lucas Kauffman
2

I'm not sure how this would be possible. The only way to verify if the card is stolen would be to confirm with the issuer. If the user hasn't reported it stolen, the issuer will not be aware and will allow it to be used. If the user has reported it stolen then the card issuer will block the card.

Whether or not the transaction is successful is your only protection from a stolen card, surely?

Scott Helme
  • You could look at additional measures like charging a small amount to the card and asking the user to verify the amount, or attaching a unique reference to the transaction for the user to verify. This would indicate that they have access to the statement but again not total proof it isn't stolen. – Scott Helme Aug 12 '13 at 10:32
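The "charge a small amount and ask the user to confirm it" check from the comment above, as an added example that is not code from the answerer: the amount is drawn from a CSPRNG so it cannot be predicted without statement access, and because a 1–99 cent range gives roughly a 1% chance per blind guess, the check locks after a few wrong answers (the `MAX_ATTEMPTS` value and the `VerificationChallenge` structure are assumptions for this example).

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy: lock the check after three wrong guesses


@dataclass
class VerificationChallenge:
    """One pending 'confirm the small charge' check for a card (constructed shape)."""
    amount_cents: int
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def issue_challenge(min_cents: int = 1, max_cents: int = 99) -> VerificationChallenge:
    """Pick the amount to charge; secrets.randbelow is a CSPRNG, unlike random.randint."""
    amount = min_cents + secrets.randbelow(max_cents - min_cents + 1)
    return VerificationChallenge(amount_cents=amount)


def confirm_amount(ch: VerificationChallenge, claimed_cents: int) -> str:
    """Return 'verified', 'retry' or 'locked' for the user's claimed amount."""
    if ch.locked:
        return "locked"
    if ch.verified:
        return "verified"
    ch.attempts += 1
    # compare_digest keeps the comparison constant-time; cheap insurance here
    if hmac.compare_digest(str(ch.amount_cents).encode(), str(claimed_cents).encode()):
        ch.verified = True
        return "verified"
    if ch.attempts >= MAX_ATTEMPTS:
        ch.locked = True  # further guesses are refused; the charge should be refunded
        return "locked"
    return "retry"
```

The small charge should be refunded once the check completes either way, and a locked challenge is a signal for manual review rather than a new challenge.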
1

It depends on your business? Do you deliver your product/services electronically? Or to a physical address? Can your products easily be fenced, resold, or converted to cash? Do your products/services have a higher rate of buyer's remorse? Is your product controversial?

In addition to the card number, the security code at the back, or verifying/logging the signature by fax/scan, you can also validate credit cards by verifying their billing address, verifying the billing zip code (for the US only, otherwise it's 00000 for foreigners on US soil), and verifying the billing phone number (all of these additional checks are optional, but you could make them required if you wanted).

If you need to further limit your exposure, you could refuse to ship to a physical address that is not their official billing address (obviously, if your site was an online flower shop, such a strategy wouldn't work).

You could share your blacklist of suspicious buyers and potential scammers with some of your competitors (Watch out! The legality of this practice will entirely depend on the jurisdiction you're in).

You could check their credit report (again, check your local laws).

You could have your own 800 number for US customers (to screen some of your customers' transactions by phone). Having an 800 number would ensure that they can't easily hide their caller ID from you even if they're the ones calling you. You could also achieve that same purpose by asking for a call-back number, or a call-back SMS, or a call-back email address, that your system could easily call back or email back immediately to validate that they gave you the right piece of information.

You could also refuse to do business with specific geographical locations and specific IP ranges (again, check your local laws; in fact, assume that I'm placing this disclaimer at the end of each paragraph I write). You could buy vetted lists of mailing addresses that are known to exist and known not to be Post Office Boxes (or known not to be private post office boxes like Mailboxes, etc.).

You could limit your exposure by implementing a referral/invitation program where people refer their family and friends, or a company/organization refers their employees/members. So if you find that one person is committing fraud, it's more likely that the people they're connected to may commit fraud as well (and vice versa).

You could limit the reselling value of what you have to offer by personalizing and tailoring your products/services specifically to the initial buyer.

You could limit your exposure by placing spending caps and shipping delays based on the past history of a buyer or the amount of the order (again, check your local laws, blah blah). And you could create loyalty programs and preferential/exclusive treatment for a specific class of vetted customers (like Amazon Prime, book clubs, or Costco Memberships).

You could also limit your exposure by selling a subscription service at a discounted rate, or packaging your products/services differently, and limit the throughput of your inventory immediately out the door. Again, a lot of what you could do would really depend on the type of ecommerce site you have.
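The checks listed in this answer (billing address and zip verification, ship-to-billing only, geographic/IP refusal, and spending caps tied to buyer history) combined into one order-screening rule, as an added example that is not code from the answerer. The `Order` fields, the simplified AVS result values, the blocked-country placeholder and the cap amounts are assumptions; a real shop would take AVS/CVV results from its gateway's response codes and tune the thresholds to its own loss history.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy values for the example.
BLOCKED_COUNTRIES = {"XX"}       # placeholder code for a region the shop refuses
CAP_NEW_BUYER_CENTS = 20_000     # $200 cap until a buyer has a clean history
CAP_TRUSTED_CENTS = 200_000      # $2000 cap for vetted repeat buyers


@dataclass
class Order:
    amount_cents: int
    avs_result: str          # assumed simplified gateway AVS code: "full", "zip" or "none"
    cvv_match: bool          # security code on the back of the card matched
    billing_country: str
    ip_country: str          # country geolocated from the buyer's IP
    ships_to_billing: bool   # delivery address equals the card's billing address
    prior_clean_orders: int  # past orders with no chargeback


def screen_order(o: Order) -> Tuple[str, List[str]]:
    """Return ("approve" | "review" | "decline", reasons) for one order."""
    reasons: List[str] = []
    score = 0
    # Hard refusals first: blocked geography or a wrong security code.
    if o.billing_country in BLOCKED_COUNTRIES or o.ip_country in BLOCKED_COUNTRIES:
        return "decline", ["blocked geography"]
    if not o.cvv_match:
        return "decline", ["CVV mismatch"]
    # Soft signals accumulate into a score; enough of them hold the order.
    if o.avs_result == "none":
        score += 3
        reasons.append("billing address and zip do not match the card")
    elif o.avs_result == "zip":
        score += 1
        reasons.append("only the billing zip matched")
    if not o.ships_to_billing:
        score += 2
        reasons.append("shipping to a non-billing address")
    if o.ip_country != o.billing_country:
        score += 2
        reasons.append("IP country differs from billing country")
    cap = CAP_TRUSTED_CENTS if o.prior_clean_orders >= 5 else CAP_NEW_BUYER_CENTS
    if o.amount_cents > cap:
        score += 2
        reasons.append(f"amount exceeds the cap for this buyer ({cap} cents)")
    if score >= 4:
        return "review", reasons  # hold shipment for a phone or manual screen
    return "approve", reasons
```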