Wolfpaw Antifraud - Credit Card Fraud Screening and Prevention - MaxMind
Credit Card Fraud Screening and Prevention for Zen Cart - Free
Version: zc 1.0.1
Compatibility: for Zen Cart versions 1.5.0, 1.5.1
"Some criminal was using my website to test credit card numbers. Your module has saved my business. Thank you for your product." .... Joe Knoche, Echo Records
This module has taken several weeks of work, with none of the time being paid for by anyone, so if you find it useful, please support us - just click the donate button.
It would be greatly appreciated - Thanks!
Wolfpaw Hosting LLC has teamed up with MaxMind, makers of the GeoIP® location database, to bring the minFraud credit card fraud screening and prevention system to Zen Cart. For less than one-half cent per query the minFraud system provides a Risk Score indicating the probability that a customer order is fraudulent. The Risk Score is based on a number of factors including: the geographical distance between the location of the customer's browser and the claimed billing address; high risk IP address analysis; location of the customer's telephone number; free and high-risk e-mail analysis; open proxy detection; shipping remailer detection, etc. As explained below, the Risk Score is then used by the module to decide whether the order should be accepted or declined.
This module protects you against credit card fraud, card testers, chargebacks, unwarranted bank fees, etc. by rejecting orders that exceed user-selectable risk thresholds. By blocking fraudulent orders before they're sent to your payment gateway, the module can save you hundreds of dollars in authorization fees, and spare you the harm to your reputation and possible account termination that can result from a card tester attack.
Use of this module is governed by the terms of the GNU General Public License provided with the module distribution package. By installing this module you agree to its terms and conditions.
How the module works
The module does its work in your Zen Cart right after payment selection but before order confirmation. This ensures that all orders are checked for fraud regardless of payment method: credit card, COD, Manual Credit Card Validation, Purchase Order, and offsite payment gateways such as PayPal, Google and Amazon. It also means fraudulent orders can be declined prior to credit card authorization, thereby reducing authorization fees and improving your merchant decline ratio, refund ratio and chargebacks, possibly qualifying you for lower credit card fees. Please note that because of its location in the checkout process, orders paid via PayPal Express Checkout are not checked by this module.
The module collects the customer's IP address; billing and shipping city, state, country and postal code; the customer's email domain; and the telephone number's area code and exchange, and sends that information to MaxMind's minFraud server for analysis. No credit card number, name or street address is sent; note, however, that the IP address, postal codes and partial phone number are, which you may need to reflect in your privacy policy. In less than a second MaxMind sends back a fraud Risk Score and an analysis including IP address location, ISP, network information, proxy information, free email, shipping remailer information, etc. A copy of the analysis is shown below under 'email notification.' The Risk Score (0 - 100) is the result of the analysis and represents the probability, as a percentage, that the order is fraudulent. MaxMind has written a White Paper on the minFraud system and how it works.
The module allows you to set a Risk Score threshold for sending email notifications and a Risk Score threshold for declining orders. Until you become familiar with the module we recommend that you set the email notification threshold to 0 and the decline threshold to 100. This ensures that all legitimate orders are accepted and that you can manually review suspect orders before you ship. Afterwards you can raise the email notification threshold and lower the decline threshold to numbers you are comfortable with. Although MaxMind suggests that the order decline threshold be set between 3 and 6, we think that's a bit low and you could run the risk of declining legitimate orders.
The module maintains a log file in your cache directory, /cache/wph_antifraud.log, that captures all error messages, queries to and results from MaxMind, and information on accepted and declined orders. Any error condition that prevents the module from working properly is also logged. Once the log file reaches 20MB it is rotated and saved. Because the log holds customer IP addresses, address data and the details of your queries, check that the cache directory is not readable through the web server (for example, request the log's URL in a browser and confirm you get a 403 rather than the file).
* Important * - Be sure to back up your website and database before proceeding.
1. Download the Wolfpaw Hosting Antifraud - MaxMind Integration module from Zen Cart or the Wolfpaw Hosting website and unzip it on your local PC. Included are the following files and directories.
- docs directory - contains installation and configuration instructions
- index.html - open in your browser
- files - contains php scripts and mysql patches
- LICENSE.txt - GNU General Public license
- wph-antifraud_install.sql - mysql script to add this module to your database
- wph-antifraud_uninstall.sql - mysql script to remove this module from your database
2. To run the wph-antifraud_install.sql file, open your Zen Cart's admin dashboard.
3. Pull down the Tools menu and click on Install SQL Patches.
4. Click on Browse to locate the SQL patch on your PC.
5. Navigate to the wph-antifraud_install.sql file, click on it and then click on Open.
6. Click on 'upload' on your Zen Cart's SQL Query Executor. That will run the mysql database script for the module.
7. Copy the PHP files to their proper locations. In this tutorial we use WS_FTP but any good FTP program will work; use SFTP or FTPS where your host offers it, since plain FTP sends your login credentials in the clear.
8. Unzipped module files are already in the correct sub-directories. Just copy the include directory from the module distribution to the root of your Zen Cart.
9. Admin files are also in the correct directories. However, before uploading, rename the admin directory in the distribution on your PC to match the name of your Zen Cart's admin directory. In our example the Zen Cart admin directory is named 'wph-admin', so we renamed the admin directory in the module distribution to match before uploading. Then copy the admin directory to your Zen Cart.
To uninstall, follow the MySQL script instructions above but run 'wph-antifraud_uninstall.sql' instead, then remove the module files from the locations listed above.
11. Open your Zen Cart's admin dashboard and pull down the Configuration menu.
12. Click on 'Wolfpaw Antifraud' to open the configuration options.
13. Configuration Items.
- Enable Wolfpaw Antifraud: Turns the module on or off. True enables the module. False disables it. Save this item for last. Don't enable the module until you have configured the other items on the screen.
- Whitelisted IP's: If you ever process orders manually, enter your local PC's IP address here. Otherwise your manually processed order may be considered fraudulent and blocked by the module, especially if the customer's billing address is many thousands of miles from your location. Orders coming from whitelisted IP's will not be analyzed by the module. You can enter multiple IP addresses separated by commas, and you can whitelist entire IP blocks by entering just the first three octets (e.g. 127.0.0.1, 64.208.94, 188.8.131.52). Since whitelisted orders are not screened at all, keep the list short: whitelist your own full address rather than a whole block where you can, and remember that everyone sharing a whitelisted block (an office network, a shared hosting range) is exempt from screening.
Your local PC's IP address normally appears on the Zen Cart administrative screen's top nav bar, to the right of the date and time. However, that may not be accurate if your webserver is behind a proxy (see the next item).
If you cannot find your IP there, any public "what is my IP" service will show it.
- Cart Behind a Proxy, Load Balancer or CDN: The Risk Score calculation depends on getting the correct IP address of the person placing the order. If there is any device or service between the webserver hosting your Zen Cart and the person placing the order, such as a reverse proxy, load balancer, content delivery network or server cluster, then the user's IP will incorrectly appear to be the IP address of that device. If that is the case, select 'True' and the module will use an alternate method of deriving the user's IP address.
If you're not sure, select 'False' and check the first dozen fraud analyses you get. If the Risk Scores are high and the Open Proxy Scores (see email notifications below) are all above zero, then there is a proxy-type device between you and the customer; change this selection to 'True' and see if the problem clears. Typically only very high volume websites and shopping carts use these kinds of devices. Most Zen Carts do not.
A few caveats: First, you'll get high Open Proxy Scores if you process manual orders and forget to whitelist your IP. Second, don't select 'True' on this item unless you have to. A high Open Proxy Score can be a fraudster trying to hide his true location through a special proxy, and you'll want to reject that order. Third, and more important, any alternate method has to take the customer's address from a header that the proxy adds to the request (typically X-Forwarded-For), and a customer can put that header in the request himself. On a cart that is not actually behind a proxy, 'True' therefore lets an attacker choose the IP address the module screens, including one from your whitelist. Set 'True' only when a proxy you control sits in front of the webserver and sets that header.
- minFraud License Key: You'll need a license from MaxMind to access the minFraud system. You can purchase 1,000 queries for $5/month here: http://www.maxmind.com/app/ccv_buynow? When you sign up you'll have a choice of minFraud versions; select version 1.3.
- Service Type: When you sign up for a minFraud account you can select Standard or Premium service. Premium is more expensive and provides a little more information on the customer's IP address. Standard service is fine for our purposes and the Risk Score calculation is the same.
- minFraud URL1: minFraud has several servers that can be used. The module will try this server first. You can use 'https' or 'http' since no credit card number is passed to MaxMind; prefer 'https' anyway, because every query carries your minFraud license key and every reply carries the Risk Score that decides whether the order is accepted, and over plain http either can be read or altered in transit.
- minFraud URL2: If URL1 cannot be reached the module will automatically try URL2.
- Risk threshold for email notifications: You can set this to 0 and get a fraud analysis email for every order or minimize the emails by raising the threshold slightly. You should set this to 0 at the outset so you can develop an understanding of how the system works and the risk scores for normal orders. On busy stores we find '0.50' is usually a good setting.
- Email Subject: The subject line to appear on email notifications. The Risk Score and whether the order was accepted or declined will also appear on the subject line of the email.
- Risk Threshold for Declining Orders: The Risk Score at which you will decline an order. You may wish to set this to 100 and reject orders later based upon the email notifications, or set it to a lower number and minimize your credit card decline ratio, chargebacks and dings to your merchant reputation. MaxMind suggests a setting between 3 and 6. We think that may be too low and you may reject too many legitimate orders. See the discussion at the end of this page for tips on setting the decline Risk Score.
- Screen Message on Order Decline Due to Fraud Risk: Message that will appear on the screen notifying the customer that his order has been declined. Our default message asks the user to go back and check his billing and shipping address or to call a telephone number for assistance. If you use this message be sure to add your correct phone number.
- Email Notifications - From Address: Enter the address you want to show on the 'From' line in the header of the email notifications.
- Email Notifications - To Address: Enter the email address(es) you want the module to send notifications to. Separate multiple email addresses with commas.
- On Processing Error - Order Disposition: In the event of a processing error, choose whether the module should accept or decline orders. Generally you'll want the module to accept orders. Bear in mind that 'accept' fails open: for as long as the problem lasts (MaxMind unreachable, a bad license key, etc.) every order, including a card tester's, goes through unscreened, so keep the error email enabled and fix the cause promptly. If you're selling very high dollar items and are worried about fraud you may want to refuse orders until the problem is cleared.
- On Processing Error - Send Email: In the event of a processing error, choose whether the module sends out a notification email. I can't imagine why you wouldn't want to be notified, but we provide the option anyway.
- On Processing Error - Email Subject: Enter the subject you would like to have appear on the processing error email.
- Screen Message on Order Decline Due to Processing Error: If you've chosen to refuse orders in the event of a processing error, enter the message you'd like to have appear on the screen. Our default message asks the user to call a telephone number for assistance. If you use this message be sure to add your correct phone number.
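The 'Whitelisted IP's' and 'Cart Behind a Proxy, Load Balancer or CDN' items above interact, and both are easy to get wrong. The following is an added example written for this page, not code from the Wolfpaw module, showing how the two checks should be done: a forwarded-address header is believed only when the connection actually arrived from a proxy you run, and whitelist entries are compared octet by octet rather than by substring. The function names, the $trustedProxies list and the use of the X-Forwarded-For header are assumptions; the page does not say which header the module's own alternate method reads. It is written to run on the PHP 5 installs that Zen Cart 1.5.0/1.5.1 typically run on.

```php
<?php
// Added example, not code from the Wolfpaw Antifraud module.
// Names (wph_client_ip, wph_is_whitelisted, $trustedProxies) are hypothetical.

/**
 * IP address of the person placing the order.
 *
 * @param array $server         the $_SERVER array (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)
 * @param bool  $behindProxy    the "Cart Behind a Proxy, Load Balancer or CDN" setting
 * @param array $trustedProxies addresses of the proxy/load balancer you operate yourself
 * @return string
 */
function wph_client_ip(array $server, $behindProxy, array $trustedProxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!$behindProxy || !in_array($remote, $trustedProxies, true)) {
        // Direct connection, or a request that did not arrive through our proxy:
        // anything in X-Forwarded-For was written by the client and is ignored.
        return $remote;
    }
    $xff  = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    $hops = array_map('trim', explode(',', $xff));
    // Walk from the right. The rightmost hop that is not one of our own proxies is
    // the address that connected to our infrastructure; hops further left were
    // supplied by the client (or by proxies we do not control) and can be forged.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if ($hop === '' || in_array($hop, $trustedProxies, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break; // malformed entry: stop trusting the chain and fall back to REMOTE_ADDR
    }
    return $remote;
}

/**
 * Whitelist check using the documented syntax: comma-separated entries, each a
 * full IPv4 address or the first three octets of a /24 (e.g. "64.208.94").
 * Comparison is per octet, so "64.208.94" matches 64.208.94.7 but not
 * 164.208.94.7, which a naive substring match would accept.
 *
 * @return bool
 */
function wph_is_whitelisted($ip, $whitelist)
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // only IPv4 whitelist syntax is documented
    }
    $ipOctets = explode('.', $ip);
    foreach (explode(',', $whitelist) as $entry) {
        $entryOctets = explode('.', trim($entry));
        $n = count($entryOctets);
        if ($n !== 3 && $n !== 4) {
            continue; // blank or malformed entry
        }
        if (array_slice($ipOctets, 0, $n) === $entryOctets) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests using RFC 5737 documentation addresses.
$trusted   = array('10.0.0.5');       // our load balancer's internal address
$whitelist = '127.0.0.1, 64.208.94';  // as typed into "Whitelisted IP's"

// A cart that is NOT behind a proxy but has the option set to True: the client
// forges X-Forwarded-For to name a whitelisted address. REMOTE_ADDR is not a
// trusted proxy, so the header is ignored and the real address gets screened.
$direct = array('REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1');
$ip = wph_client_ip($direct, true, $trusted);
echo "direct:  $ip whitelisted=" . var_export(wph_is_whitelisted($ip, $whitelist), true) . "\n";

// Same forged header, but the request really came through our load balancer,
// which appended the true client address: the forged left-hand entry is skipped.
$viaLb = array('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7');
$ip = wph_client_ip($viaLb, true, $trusted);
echo "via LB:  $ip whitelisted=" . var_export(wph_is_whitelisted($ip, $whitelist), true) . "\n";

// /24 prefix matching: an address inside the block, and a lookalike outside it.
echo "64.208.94.200:  " . var_export(wph_is_whitelisted('64.208.94.200', $whitelist), true) . "\n";
echo "164.208.94.200: " . var_export(wph_is_whitelisted('164.208.94.200', $whitelist), true) . "\n";
```

The important design choice is that the forwarded header is consulted only when REMOTE_ADDR is one of your own proxies, and even then it is read from the right, because a proxy appends to the header while the client controls everything to the left of its own entry. Whatever header your proxy or CDN actually sets, the same rule applies.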
Tips and Hints
- Change the 'email-to' address for notifications to your email address and put your phone number in the screen decline and processing error messages.
- Be sure to whitelist your IP address.
- The default email notification and decline threshold settings are very conservative. The risk score for email notifications is set to 0 - this means you'll get a fraud analysis email for every order attempt. The risk score for order decline is set to 100. This means no orders will be declined by the module.
- After you get used to the email notifications try raising the risk score for email notifications to 0.50. We find that most legitimate orders have risk scores of 0.10.
- If you want to block fraudulent orders from passing to your payment gateway then reduce the Risk Score threshold for order declines to a level you're comfortable with. MaxMind suggests a number between 3 and 6 but that might be too low. Best bet is to observe the Risk Scores of your normal orders and pick a slightly higher number. You will occasionally block a legitimate order so be sure that the 'decline message' in the module's configuration says what you want (correct phone number, etc) - so a legitimate customer will call you if he inadvertently gets declined.
- Mathematically you can calculate the Risk Score threshold to use. You want the expected profit from accepting an order to be greater than the expected loss from accepting it. Here is a simplified formula to help with this calculation; please note that it is a generalization and does not apply in every case:
If (profit on the order) * (100 - riskScore) > (fraud loss) * riskScore, then process the order.
Here 'profit on the order' is the money you would make if the order is legitimate and 'fraud loss' is how much you would lose if the order were fraudulent (e.g. cost of goods, shipping, chargeback fees, etc.).
On a very simplified basis, if you assume no shipping cost or chargeback fees (so the fraud loss is just the cost of goods), then with a gross margin of 25% you would decline any order with a fraud probability higher than 25%.
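Working the rule above through to an explicit threshold, as an added derivation that is not part of the module's documentation. $P$, $L$ and $r$ stand for the page's 'profit on the order', 'fraud loss' and riskScore (a percentage, 0 to 100); $V$, $m$, $S$ and $C$ (order value, gross margin, shipping cost, chargeback fee) are assumed names for the worked numbers.

$$
\begin{aligned}
P\,(100 - r) &> L\, r \\
100\,P &> r\,(P + L) \\
r &< r^{*} \equiv \frac{100\,P}{P + L}
\end{aligned}
$$

With $P = mV$ and, ignoring shipping and chargeback fees, $L = (1 - m)V$ (the cost of goods):

$$
r^{*} = \frac{100\,mV}{mV + (1 - m)V} = 100\,m ,
$$

so $m = 0.25$ gives $r^{*} = 25$, the figure quoted above. Including shipping $S$ and a chargeback fee $C$ in the loss, $L = (1 - m)V + S + C$ and

$$
r^{*} = \frac{100\,mV}{V + S + C} ,
$$

which for $V = 100$, $m = 0.25$, $S = 10$, $C = 25$ comes to $r^{*} = 2500/135 \approx 18.5$. Shipping and chargeback fees, not the margin alone, are what pull a sensible decline threshold well below the bare-margin figure, and that is before counting the reputational cost the page mentions.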