FAQ - ECOMMERCE
Can I use my xman online shopping cart online store as a stand-alone web site?
Yes. xman online shopping carts are just as powerful as a stand-alone site.
Will I have my own domain name or will it be a part of xman online shopping cart?
Your store belongs to you, with your own products. xman online hosts your store under your own domain address. Your store address will be something like www.yourdomain.com or www.yourdomain.com/shop. Your store will NOT be an extension of the xman online domain.
Can I sell downloadable goods in my shopping cart?
Yes, xman online shopping carts can sell digital or downloadable products.
Some examples of these are:
- Software
- E-books
- games
What are the costs to start an xman online store?
xman online shopping cart software offers several affordable payment plans to accommodate any size business. Click here to view our pricing plans. Plans provide you with store set up, FREE tech support, 2checkout or Eway merchant account, SSL security and all future upgrades to the software for free.
Will it take long to setup my store?
Depending on the size of your store, it will take us 2-3 weeks to fully customise it to your satisfaction once we have received all of your information.
How do I modify my xman online shopping cart after my initial setup?
You will be able to modify your cart through your very own admin area.
Do I need any other tools to get started?
No. xman online's shopping cart software is complete and controlled by you from a web-based control panel. You have the ability to control your e-business from any computer connected to the Internet, anywhere in the world. There are no installations, plug-ins or downloads.
Your shopping cart will be on xman online's extremely reliable servers. When you're with xman online your store will have a guaranteed 99.5% uptime.
Can I customise my online store's design and content?
Not a problem! In your admin area you can modify every aspect from site colours and fonts to button designs and curved page edges. Your store can change products, categories, shipping methods, discounts, payment types, product descriptions and much, much more. xman online's software enables you to add, edit and delete at will. This can be done from any computer connected to the Internet in the world! No software to install.
Is there any HTML knowledge required to set up my Store?
You don't need any HTML knowledge to use xman online's shopping carts. You do not need to understand HTML or other programming languages to build or maintain your store.
I don't have a merchant account yet. Do xman online's shopping carts require this to start selling?
Your shopping cart comes with your very own merchant account either from 2Checkout or eWay, depending on the plan that you choose.
What are the security features for transactions?
Our shopping carts provide 128-bit Secure Sockets Layer (SSL) protection. This is the highest industry-standard encryption for transmitting credit card information securely on its way from the shopper to our computers, and from our computers to you, the merchant.
What browsers/computers can I use to access my store admin and view my storefront?
You can access your store's admin panel and storefront from either a Macintosh or a PC using any of the main web browsers, wherever there is an internet connection.
Eway Payment Gateway
eWAY is an Australian payment gateway that allows you to receive money online from customers when they make purchases through your shopping cart. Their website is: www.eway.com.au
Do eWAY prices include merchant facility fees?
No. Merchant fees are additional to eWAY fees. You will need to contact your bank to discuss merchant fees.
What is the cost per transaction with eWay?
Through eWay, each transaction is only 50 cents. That's it! There are no other fees.
How long does it take to get setup?
It will only take a couple of business days to set up.
Do I need to open an Internet Merchant Facility to use eWAY?
Yes, to process credit cards with eWAY you MUST have an Internet Merchant Facility. Banks offering one include:
- St George
- Bank SA
- ANZ
- Commonwealth
- NAB
- Westpac
- BankWest
I have a merchant facility / EFTPOS terminal. Can I use it with eWAY?
No. Contact your bank and ask them to setup an Internet Merchant Facility.
Do I have to change banks and close my other accounts?
No. You can arrange to have the funds transferred FREE of charge to any other Australian bank account. The transfer occurs daily and does NOT incur any bank or government charges.
Do I have to write a business plan to open a merchant facility?
Maybe; it depends on your bank. The following information may be required:
- General Information
- Business Information
- Business Sales Information
- Current Credit Card Processing Information
- Business Owner Information
Can my merchant bank deposit money to an account held in another bank, e.g. NAB?
Yes, the transfer takes place overnight. There is no charge for the transfer. Your bank will be able to assist with this setup.
What is the cost of a merchant facility?
Pricing for an internet merchant facility varies for each merchant. Please contact your bank for pricing.
Which credit cards are accepted by eWAY?
VISA, MasterCard and Bankcard are supported with a standard merchant facility. You can also have AMEX, Diners and JCB.
Am I liable for risks associated with credit cards?
Yes, the banks treat online transactions the same as transactions taken via the telephone. Please contact the relevant bank for more information regarding risk and liability.
I am already able to accept credit cards. Do I need a merchant account?
If you are already accepting credit cards via your shop then you have a standard merchant facility. You will need to contact your bank and set up an "Internet Merchant Facility" to use eWAY.
Are there any refund limits imposed by the bank on my merchant facility?
Yes, the banks usually impose a $1000 refund limit on your account. If you wish to process a refund larger than this please request the refund in your eWAY admin area, and then ring the bank and ask them to increase your refund limit. They will usually only do this for a short period of time so you will need to ring eWAY on 1800 10 65 65 and request that we process the refund on the spot for you.
I have an eWAY account and I have processed some transactions. The problem is that the funds have not appeared in my bank account.
You need to contact the bank you hold your merchant facility with and make sure that they have linked it to the correct bank account. The exception to this is Westpac, where you need to provide the correct BSB and account number to eWAY.
Note: It can take up to 2-3 days for the money to transfer from your merchant facility to your bank account.
How can I reconcile my bank statement with my internet merchant facility?
All the information about your eWAY transactions can be found in your eWAY reports. These will help you to reconcile your bank statement. If a transaction appears to be missing but is in your eWAY reports you will need to contact your bank to query the transaction. Your bank will usually settle your funds into your working bank account once per day. This means that all your transactions minus your refunds will be transferred in one lump sum into your bank account.
Can eWAY pass information so it is printed on my merchant statement from the bank?
No.
I think I have processed a stolen card what should I do?
Refund the transaction, login to eWAY, view the reports and select the transactions you wish to refund.
Do I require an SSL certificate to use eWAY with my shopping cart?
Yes.
Will my customers receive an email from eWAY when a purchase is made through my account?
By default yes. If you do not wish your customers to receive transaction receipts from eWAY you can turn this off in your eWAY admin area under "Email Receipts".
Can eWAY configure the email receipt sent to our customer?
You can add additional information to the footer of each email sent. If you require a more customised email than this, you can switch off the customer email receipt and generate your own email from your website.
Once my customers click to purchase an item, will they be transferred away from my site while the order is being processed?
No, eWAY is processed in the background.
Can I view current transactions?
Yes, the eWAY administration area provides full transaction reporting and many other services. To log in to your web-based eWAY account, go to eway.com.au, click 'Login', and enter your eWAY details.
Are the credit card number and expiry date details passed from my site to eWAY?
Yes, the credit card details are passed from your site to the eWAY website, but you must have your own SSL certificate to encrypt the information passed.
Can eWAY do automatic rebilling?
Yes, eWAY has released reBILL, which completely automates recurring billing.
Do my customers have to have a credit card from the same bank as my merchant account?
No. Any valid VISA, MasterCard or Bankcard from any bank will work. In fact, the card does not even need to come from Australia: any valid MasterCard or VISA from any country can be processed using eWAY. However, it will be billed in Australian dollars; on the cardholder's statement the transaction will be converted to their local currency by their credit card provider.
Can I accept AMEX, Diners or JCB cards?
Yes, but you must apply for these separately. Contact Diners/AMEX/JCB directly; they will issue you with a merchant number. Supply this information to your merchant facility bank, then request eWAY to set up your account for AMEX/Diners.
Can eWAY process credit cards from overseas?
Yes, as long as the card is a valid VISA, MasterCard or Bankcard (or AMEX or Diners), it does not matter what country the cardholder lives in. The transaction will be processed in Australian dollars.
What currency will overseas customers be charged in?
All transactions are in Australian dollars. The customer's credit card statement will show a currency conversion to Australian dollars.
Can you charge in other currencies?
No, at the moment the only currency is Australian dollars. We have many merchants that do most of their business overseas and charge in Australian dollars with no problems. Australia is considered by overseas customers to be a very safe place to order from due to our strict trading laws.
Is there a minimum OR maximum number of transactions that can be performed each month?
No.
Can I place a limit on the maximum dollar value of a transaction put through on my eWAY account?
No.
Can I process mail, fax and email credit card payments?
Yes, we provide a manual payment service in which you can enter your customer details yourself. You need to login to eWAY admin area to process manual transactions.
How do I process a refund using eWAY?
You simply need to log in to your eWAY admin area and find the transaction you wish to refund and click on the refund button. The refunds will be processed within 48 hours manually by eWAY staff. The cost of this transaction is the same as a normal credit transaction.
I have a refund pending that I need to cancel. How do I do this?
As long as the refund has not been processed by eWAY you can cancel it in your eWAY admin area under "Pending Refunds".
I need to refund a customer but their credit card has now expired. How do I do this?
You will need to obtain the new expiry date from the customer and email it to support@eway.com.au with the subject "expired card". eWAY will then update the transaction and process the refund. There is currently no charge for this update.
I need to refund a customer more than the amount of the original transaction, can this be done?
No, for security reasons you cannot refund a transaction for more than the original amount.
I need to refund a transaction for less than the original amount. Can this be done?
Yes, you can refund a partial amount. Simply amend the amount when you request the refund in your eWAY admin area.
I need to refund a transaction that has already had a partial refund. Can this be done?
No, for security reasons it is not possible to refund a transaction twice.
Does eWAY support pre-authorisation of credit card transaction, ie so I can put a hold on a transaction and process it later?
No. Due to the large number of issues this causes for you and your customers, eWAY does not offer pre-authorisation transactions and recommends against them.
I am getting an error message processing a particular transaction. What does the error message mean?
For a full listing of common bank error messages please see "Banking Documentation" on the eWAY support page. Alternatively, you can find a similar listing in your eWAY admin area. However, it is best if you contact your bank, as the message is from them and not eWAY.
I am concerned about the risk of fraud through my website, does eWAY have any suggestions on reducing my risk?
Yes, please have a look at "Fraud Protection" on the eWay support page. Please scroll down to the bottom of that page.
Maxmind is a third party credit card anti-fraud system that allows you to greatly reduce improper purchases, saving you time and money.
Purchases using stolen credit card numbers can not only result in costly, and time consuming chargebacks, but can also lead to unrecoverable products sent out to "dodgy" clients.
For the majority of businesses, the $5(US)/month Standard minFraud Service will be more than sufficient. A one time $399 set up fee is charged by xman online to integrate Maxmind into your shopping cart.
How can I have Maxmind set up on my shopping cart?
If you already have a shopping cart with us, we can set that up for you. Otherwise, Maxmind comes with the Gold E-Commerce Plan found here.
What information does maxmind output about the credit card purchase?
The following information is provided from each credit card purchase:
Geographical IP address location checking
- countryMatch - Whether country of IP address matches billing address country (mismatch = higher risk)
- countryCode - Country Code of the IP address
- highRiskCountry - Whether IP address or billing address country is in Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine, or Vietnam.
- distance - Distance (rounded) from IP address to billing location in kilometers (large distance = higher risk)
- ip_region - Estimated State/Region of the IP address, ISO-3166-2/FIPS 10-4 code
- ip_city - Estimated City of the IP address
- ip_latitude - Estimated Latitude of the IP address
- ip_longitude - Estimated Longitude of the IP address
- ip_isp - ISP of the IP address
- ip_org - Organization of the IP address
Proxy Detection
- anonymousProxy - Whether IP address is Anonymous Proxy (anonymous proxy = very high risk)
- proxyScore - Likelihood of IP Address being an Open Proxy
- isTransProxy - Whether IP address is in our database of known transparent proxy servers, returned if forwardedIP is passed as an input.
E-mail and Login Checks
- freeMail - Whether e-mail is from free e-mail provider (free e-mail = higher risk)
- carderEmail - Whether e-mail is in database of high risk e-mails
- highRiskUsername - Whether username is in database of high risk usernames
- highRiskPassword - Whether password is in database of high risk passwords
Issuing Bank BIN Number Checks
- binMatch - Whether country of issuing bank based on BIN number matches billing address country*
- binCountry - Country Code of the bank which issued the credit card based on BIN number*
- binNameMatch - Whether name of issuing bank matches inputted binName. A return value of Yes provides a positive indication that cardholder is in possession of credit card.*
- binName - Name of the bank which issued the credit card based on BIN number*. Available for approximately 96% of BIN numbers.
- binPhoneMatch - Whether customer service phone number matches inputted binPhone. A return value of Yes provides a positive indication that cardholder is in possession of credit card.*
- binPhone - Customer service phone number listed on back of credit card*. Available for approximately 75% of BIN numbers. In some cases phone number returned may be outdated.
Address and Phone Number Checks
- custPhoneInBillingLoc - Whether the customer phone number is in the billing zip code. A return value of Yes provides a positive indication that the phone number listed belongs to the cardholder. A return value of No indicates that the phone number may be in a different area, or may not be listed in our database. Currently we only support US Phone numbers.
- shipForward - Whether shipping address is in database of known mail drops
- cityPostalMatch - Whether billing city and state match zipcode. Currently available for US addresses only.
- shipCityPostalMatch - Whether shipping city and state match zipcode. Currently available for US addresses only.
Risk Score
- score - Overall fraud score based on outputs listed above. This is the original fraud score, and is based on a simple formula. It has been replaced with riskScore (see below), but is kept for backwards compatibility.
- explanation - A brief explanation of the score, detailing what factors contributed to it, according to our formula
- riskScore - New fraud score representing the estimated probability that the order is fraud, based on analysis of past minFraud transactions. Requires an upgrade for clients who signed up before February 2007.
Account Information
- queriesRemaining - Number of queries remaining in your account, can be used to alert you when you may need to add more queries to your account
- maxmindID - Unique identifier, used to reference transactions when reporting fraudulent activity back to MaxMind. This reporting will help MaxMind improve its service to you and will enable a planned feature to customize the fraud scoring formula based on your chargeback history.
- err - Returns an error string with a warning message or a reason why the request failed. List of possible error strings.
What do the Maxmind service outputs stand for?
Risk Score Information
score - This field displays a risk score that ranges from 0-10 where a score of zero is low risk and a score of ten is high risk. The risk score is calculated using many but not all of the data fields addressed below. For the majority of orders, the risk score tapers off at either end of the 0-10 spectrum. Finding the magic threshold number may take some experimenting since different businesses have their own unique customer bases as well as different tolerance levels for risk. Generally speaking, for Business-to-Business (B2B) environments, we recommend that orders with a risk score of 2.5 or above be flagged for review. For Business-to-Consumer (B2C) environments, the recommended risk score will depend on the kind of e-mail address that the customer uses. This will be explained in more detail in the e-mail section.
The risk score can also be customized, since we output all the raw information as part of the output string. To customize how the fraud score is calculated, modify the formula we use to calculate the risk score, using the outputs returned by the minFraud service as inputs for the modified formula.
IP Address Information
countryMatch - This field determines whether or not the customer's country location based on their IP address matches their billing address country. For the majority of orders, the customer's IP country should match the corresponding country of the billing address. In some cases, a legitimate order may result in a mismatch. Usually, this results from customers who are making purchases while they are traveling or if a company has office branches in different countries. How you handle a country mismatch should be dependent on your specific customer base or the context of the particular order. For example, if you sell pre-charged phone cards, you may have more orders with mismatches since travelers often purchase such products while traveling. If you sell computer parts, it would be less likely that someone would be making a purchase while traveling.
A positive countryMatch does not mean that an order is legitimate, as fraudsters have been known to use proxies or anonymizing services as a way of creating a country match for the IP address and billing address. A negative countryMatch does not mean that an order is fraudulent but the order should warrant further review. If there is a negative countryMatch, it is recommended to check where the user is actually making a purchase from by looking at the other IP address fields. For example, a customer making a purchase from the United Kingdom will generally be less risky than one from Nigeria. Accuracy for countryMatch is around 99%.
countryCode - This field displays the country code of the customer's IP address country. This field should be examined if there is a negative countryMatch. A country code of US(United States) is generally less risky than, for example, GH (Ghana). However, risk levels would again depend on your typical customer base and the context of the order. In addition, a negative countryMatch of a France IP address and a Belgium billing address is less risky due to the proximity of the two countries in most situations. The distance between IP and billing addresses is expressed through the "distance" field.
This field can also be used to automatically flag, limit, or block orders from certain countries. For example, if you primarily serve only customers from Spain and do not want to sell orders placed from other countries, you can use the country code "ES" as a filter. MaxMind uses an extended ISO-3166 Country Code.
highRiskCountry - This field determines if the transaction's billing address or IP address is located in a country that MaxMind has flagged as high risk. A positive match means that either the IP address or billing address is located in Egypt(EG), Ghana(GH), Indonesia(ID), Lebanon(LB), Macedonia(MK), Morocco(MA), Nigeria(NG), Pakistan(PK), Romania(RO), Serbia and Montenegro(CS), Ukraine(UA), or Vietnam(VN).
Please note that these countries were not flagged randomly because of the perceived risks of accepting orders from them. They were flagged because, statistically, the majority of the transactions on the minFraud Network placed from those countries were fraudulent. Countries may be added or removed based on our analysis of the orders being placed on the minFraud Network. There are other countries from which many fraudulent transactions stem, but we will typically not mark a country as high risk if there are also a large number of legitimate transactions coming from that country.
This field will directly affect the risk score. If you do cater to customers from the countries listed as high risk, you can customize your own risk score model so that this field does not trigger a higher score. Obviously, if your shop caters to customers within these countries, this field may create many false positives and should be modified. Consider the risks and context of your customer base before making a change to this field.
distance - This field expresses the distance between the IP address and the billing address in kilometers (1 kilometer = 0.6214 mile). The distance can provide additional information for situations where there is a positive or negative countryMatch as indicated above. Generally, an increase in distance means an increase in risk. However, a smaller distance doesn't automatically legitimize an order. Fraudsters have been seen to make use of proxies located in close proximity to the billing address. In some cases, sophisticated carders will even use proxies that are located in the same city as the billing city, in which case the distance would be close to zero. Use this field in conjunction with the other fields. This field also directly affects the risk score (larger distance = higher risk score). For B2B and some B2C transactions, the distance field will not always make sense at first, since the customer may be connecting through a corporate proxy. Corporate proxies are discussed further in the "ip_org" section.
ip_region - If the ip_region matches the billing region, the risk is likely lower if there is no indication that a proxy has been used. If it does not match, you should check the distance field.
ip_city - If the ip_city matches the billing city, the risk is likely lower if there is no indication that a proxy has been used. If it does not match, you should check the distance field.
ip_latitude - This field provides the latitude of the IP address location.
ip_longitude - This field provides the longitude of the IP address location.
Note: We also provide ip_region, ip_city, ip_latitude, ip_longitude etc, for contextual information so the end client can match up the city with additional location information besides the billing location. This is also useful if we can't recognize the billing city and return a CITY_NOT_FOUND error.
ip_isp - This field provides the name of the Internet Service Provider (ISP) that the customer's IP address was allocated to. In many cases, knowing the ISP can provide additional insight. For example, some ISPs route their user traffic through proxies. As a result, hundreds or even thousands of users can share the same IP address; users from California and New York, say, can be sharing the same IP address, and IP geolocation is not as effective. The most well known ISP that does this is AOL. Generally, we will blank out the associated location fields for ISPs that route traffic in this manner. For example, only the IP address country field will be available for AOL addresses. Fraudsters know that using ISPs like AOL can blur and disable IP geolocation tools, and that is one of the reasons why it has been a popular medium for making fraudulent orders.
While there are still many users that use AOL, transactions that come from AOL IP addresses (not necessarily aol.com e-mail) for B2B transactions are very high risk. Many AOL IP addresses used for B2B purchases logged within the minFraud Network were fraudulent. Typically, established businesses will not be using AOL as their Internet Service Provider, since AOL predominantly caters to consumers.
Important: If the ISP field shows the name of a hosting provider, the transaction should be flagged for further review. Having a hosting provider in the ip_isp field means that the customer making the purchase is connecting to a server provided by a hosting provider with his existing Internet connection before connecting to the e-commerce site. It is likely that a fraudster leased or hijacked the server as a way of bypassing geolocation controls. If the server is based in the US, IP geolocation lookups will likely identify the transaction as coming from the US, or wherever the server is physically located. Most of the transactions that have been identified within the minFraud Network as coming from hosting providers have been fraudulent. To know if the ISP is a hosting provider, you can search the ISP name with one of the popular search engines and visit the site; it should be fairly apparent if the ISP is a hosting provider. Make sure not to confuse a hosting provider with an actual ISP. An example of a hosting provider is "Verio", whereas an example of an ISP is "AOL".
The ISP can also determine how different IP addresses should be handled. Some merchants will block certain IP addresses or ranges if they sense fraud or receive a chargeback from those IP addresses. Merchants that utilize this strategy should be aware that different ISPs have different ways of handling their allocation assignments. For example, Comcast IP addresses are relatively static and do not change very frequently (every 30-90 days). On the other hand, ISPs like AOL and SBC cycle their IP addresses more frequently. For AOL dial-up, every time someone connects he is assigned a different IP address, while SBC cycles their IP addresses every few days. As a result, blocking specific IP addresses may result in blocking legitimate orders in the future once the IP address has been reassigned or re-allocated.
ip_org - This field provides the name of the organization or company that the IP address has been allocated to. Knowing this information can provide some additional insight for dealing with legitimate and suspicious orders. Like with ip_isp, if the ip_org field displays the name of a hosting provider, the transaction would be suspicious and warrants further review.
Additionally, looking at this field may also provide insight for orders that may seem suspicious at first but are really legitimate. For example, if there are many orders with multiple billing addresses coming from the same IP address, it may seem like a suspicious batch of orders. Many merchants may flag that IP address as a proxy and block any other orders from that IP address. A closer look at the ip_org output may provide an explanation. If the ip_org is assigned to a large company, it is likely that the customer is connecting through some type of corporate proxy or using a computer from one of the office branches. As a result, the various customers connecting through the corporate proxy would share the same IP address but the billing addresses being used may be very different. For example, XYZ corporation may have offices in New York, California, and Florida, where all of the company's traffic is routed through a corporate proxy. The corporate proxy IP address would then potentially have orders associated with it with billing addresses from various parts of the country.
The same case can be applied to IP addresses that have been allocated to universities who will tend to route outbound traffic through a few IP addresses. Since many students will send their statements to their home address, this will explain the difference in billing addresses. Many large universities will have a national/global student base.
It is entirely possible that a fraudster can somehow hack their way into a corporate proxy or a university IP address, which could explain the various billing addresses in the scenarios posed above. However, large companies and universities generally have fairly good security in place, so the outbound IP addresses are not very likely to be hijacked by fraudsters.
Proxy Detection
anonymousProxy - This field verifies whether or not an IP address has been marked as an anonymous proxy. Anonymous proxies are servers set up by the server's owner to provide “legitimate” anonymizing services. Examples of anonymous proxies include services provided by anonymizer.com and Tor. Anonymous proxies will be represented in the "countryCode" field as "A1" while the associated region and city fields will be blanked out to prevent false positives. We do this because the user of that IP address can technically be coming from anywhere around the world and providing the location of the server hosting the anonymizing service provides little useful information. Anonymous proxies are used legally by customers who are concerned about their online privacy. However, they are also used by fraudsters who understand the effects these proxies have on circumventing IP geolocation controls. Anonymous proxies essentially disable and prevent the use of IP geolocation tools. Orders placed from anonymous proxies are considered to be high risk. We recommend that merchants either do not accept orders from anonymous proxies or process those orders with extra care. A positive anonymousProxy match will directly affect the risk score.
proxyScore - This field provides a score that can be used to evaluate the riskiness of the IP address that was used on the online transaction. The proxyScore deals more with open proxies. Open proxies are compromised or hijacked computers/servers that have been hacked or infected with trojans and/or viruses, which allow users to connect to those computers without the computer owner's knowledge. In effect, it allows fraudsters to simulate that they are making a transaction from that specific computer. Unlike anonymous proxies that evade IP geolocation controls by blurring the resolution, open proxies bypass IP geolocation by spoofing the location of where the transaction is coming from. For example, a fraudster can find a compromised computer located in the same general area as his stolen credit card's billing address so that there will be a IP address and billing location match. The proxyScore will directly affect the overall risk score.
Please Note: while the score range is between 0-10, the numeric value does not translate to a direct percentage likelihood of the IP address being a proxy. For example, a proxy score of 3.0 does not mean that there is a 30% chance that the IP address is an open proxy. In fact, a proxy score of 3.0 or above signifies that the order is 90% likely to be fraudulent. Please see the following data:
Proxy Score       Fraud Likelihood
0.5               15%
1.0               30%
2.0               60%
3.0 or higher     90%
IP addresses that have been marked with a proxy score of 3.0 or above have at some point been manually reviewed by MaxMind. As a result, if a transaction receives a proxy score of 3.0 or above, the likelihood that the transaction is fraudulent is very high. Since open proxies are more dynamic and harder to detect, the proxyScore should have high importance in your processing decisions. Orders with "high" proxyScore should be flagged for review even if the IP address matches the billing address. The proxyScore in many cases would reverse any positive indicators that IP geolocation tools may have provided about the transaction.
Different factors and variables are considered when generating the proxyScore. The most common instances where an IP address may generate a high proxyScore are 1) increased and inconsistent activity and 2) associations with previous suspicious activity or chargebacks. Unfortunately, we are not able to go into more detail about how our proxyScore is generated. There are no good reasons why someone should be making a purchase from an open proxy unless the person making the purchase is actually the owner of the computer, a coincidence that is highly unlikely. In most countries, connecting to or taking control of someone else's computer without their permission is illegal. People concerned with privacy should be using anonymizing services, which are legal, and not open proxies, which are illegal.
If you are customizing your own risk model, we highly recommend that the proxyScore be given a heavy weight. We consider proxyScore to be one of the best direct indicators of fraud within the minFraud service. The proxyScore is an additional layer of defense against carders who are sophisticated enough to bypass IP geolocation or any of the other checks within our system. We did some statistical analysis of the actual fraudulent orders (not perceived) placed through the minFraud Network and have the following results:
Statistics of Where Fraud Comes From Within the minFraud Network
High Risk Countries     32%
Country Mismatch        21%
Anonymous Proxies        6%
Satellite Providers      4%
Open Proxies            26%
Not Detected            11%
Please note that you should not worry if you are not seeing this kind of statistics for your specific site. The numbers above represent the aggregate of fraudulent transactions placed in the minFraud Network. Different sites may attract different kinds of fraudsters who may have different levels of sophistication. More sophisticated fraudsters tend to use open proxies as opposed to anonymous proxies because they are dynamic and harder to detect. According to our analysis, the minFraud service should be able to help merchants detect an estimated 89% of stolen card fraud. In fact, many clients have seen higher detection rates. If you are seeing detection rates that are not even close to 89%, you should consider re-evaluating your order process cycle as well as how you are utilizing and interpreting the minFraud data.
isTransProxy - This field determines whether the forwardedIP address is in our database of known transparent proxy servers. Transparent proxies are proxies that do not fully anonymize the details of the end user that is connecting to the transparent proxy. Many transparent proxies will also pass on the IP address of the end user that is connecting to the proxy. For example, if the forwardedIP is an open proxy, then the transaction would be riskier even if the transparent proxy looked legitimate.
E-mail and Login Checks
freeMail - This field checks if the e-mail domain used by the customer is from a free e-mail provider. Examples of free e-mail providers include the following: Yahoo.com, Gmail.com, and MSN.com. The MaxMind system currently has categorized 31,000 free e-mail domain providers around the world. In terms of how to handle free e-mail providers, the discussion will be broken up into the following two categories: Business-to-Business (B2B) and Business-to-Consumer (B2C).
B2C - While the adoption of free e-mail addresses is very high, orders coming from free e-mail domains are inherently more risky. The reason is that free e-mail accounts can easily be created or recycled and cannot be traced back to the rightful owner, which is exactly why fraudsters prefer them. With the current minFraud risk model, e-mail domains from free e-mail providers will automatically increase the risk score by 2.5. If free e-mails are not a concern for you, you can write code that will subtract 2.5 from the risk score, or you can completely customize the risk model and give your own weight to certain parameters. We recommend that you continue passing the domain field because we perform checks on domains on the back-end and may mark certain domains as high risk, which will indirectly affect the other output fields like the proxyScore. From statistical analysis of transactions within the minFraud Network, free e-mail addresses double the likelihood that a transaction would be fraudulent. For example, if a typical transaction has a 1% likelihood of being fraudulent, then the same order placed with a free e-mail address will have a 2% likelihood of being fraudulent.
B2B - For B2B transactions, free e-mail domains should warrant additional review. While the use of free e-mail is relatively common, most established e-commerce sites should have an e-mail domain that is associated with their e-commerce site. Free e-mails for B2B transactions are higher risk. If the customer is not using a free e-mail address and the order looks slightly suspicious, it would be wise to perform a quick whois lookup on the domain or search Google for the domain. The whois lookup will tell you if the domain was recently registered, while the Google search should generate some reference points if the customer's business is an established one. If it is a new business, see if the customer has previous sites or domains that you can review.
carderEmail - This field checks if the customer's e-mail address has been associated with previous fraudulent orders or chargebacks within the network. Fraudsters will often re-use the same e-mail address to reduce overhead and simplify the number of e-mail accounts they have to manage. If there is a carderEmail match, that increases the riskiness of the associated transaction(s).
highRiskUsername - This field checks if the customer's username has been associated with previous fraudulent or suspicious activity within the network. As with carderEmail, carders will often use the same username and/or password across various networks to simplify what they need to remember.
highRiskPassword - This field checks if the customer's password has been associated with previous fraudulent or suspicious activity within the network.
Issuing Bank BIN Number Checks
binMatch - This field checks to see if the billing address matches the country of the issuing bank. It is unlikely and rare for a person to have their billing address country differ from their issuing bank's country. Having a positive binMatch does not necessarily mean that a transaction is legitimate. Fraudsters have been known to have access to limited and incomplete BIN lists and will select cards that will match up accordingly. MaxMind uses a self-developed BIN database and the accuracy for binMatch is around 99%.
binCountry - This field outputs the country code of the submitted BIN. This field will be present for Premium minFraud queries or if there is a positive binMatch. Knowing where the issuing bank is located can provide more information for making your decision. For example, generally, the risk of a transaction is higher for credit cards issued in a developing country than for one from a developed country.
binNameMatch - This field determines whether the name of the issuing bank matches the inputted binName. A return value of Yes provides a positive indication that the card holder is in possession of the credit card. This field is only active if you are requesting your customer to input the name of the issuing bank.
binName - This field displays the name of the bank which issued the credit card based on BIN number. Available for approximately 96% of BIN numbers, this field is only available for Premium minFraud queries.
binPhoneMatch - This field determines whether the customer service phone number of the issuing bank matches the inputted binPhone. A return value of Yes provides a positive indication that the card holder is in possession of the credit card. This field is only active if you are requesting your customer to input the customer service number.
binPhone - This field displays the phone number of the bank which issued the credit card. Available for approximately 75% of BIN numbers, this field is only available for Premium minFraud queries.
Address and Phone Number Checks
custPhoneInBillingLoc - This field checks whether the customer phone number is located in the billing zip code. Currently, this field only supports US phone numbers. A return value of “Yes” provides a confirmation that the phone number listed is located within the same area as the card holder. A return value of No indicates that the phone number may be in a different area, or may not be listed in our database. For example, someone who is using a cell phone may have a completely different prefix or local number exchange than what would match up against his billing zip code. This field should be used as secondary support data and decisions should not be based solely on this field. Fraudsters have been known to purchase VoIP numbers so that the prefix and local exchange of the number will match with the zip code listed on the billing address.
shipForward - This field checks to see if the shipping address listed for the order is in our database of known mail drops. Many e-commerce merchants will not ship abroad due to the risks involved. As a result, fraudsters will often use mail forwarding services. This field should be examined in conjunction with the other fields. A shipping address to a known mail drop does not mean the order is fraudulent, since mail forwarding services do serve legitimate transactions as well. However, orders with a positive shipForward match are more risky because the product is not necessarily being delivered to the given billing address in the end.
cityPostalMatch / shipCityPostalMatch - This field checks whether the city and state portion of the billing address match up with the zip code of the billing address. Currently, this feature is only available for US addresses. The Address Verification Service (AVS) only checks to see if the zip code matches the numeric portion of the street address. In order to save time while testing stolen cards, some fraudsters will type in bogus values (e.g. "asdf") since they know that AVS only matches the street address to the zip code. Generally, when fraudsters are inputting fake or blank data for region or city fields, they know the order will not go through but are trying to test whether or not the credit card is alive and checking the credit limit available on the card. While that does not necessarily pose a risk to your site, it poses a risk to other sites that those tested cards will likely be used against. It may also increase your gateway/processing fees.
riskScore - This field displays a risk score that ranges from 0-10, where a score of zero is low risk and a score of ten is high risk. The risk score is calculated using many but not all of the data fields addressed in this FAQ. For the majority of orders, the risk score tapers off at either end of the 0-10 spectrum. Finding the magic threshold number may take some experimenting, since different businesses have their own unique customer bases as well as different tolerance levels for risk. Generally speaking, for Business-to-Business (B2B) environments, we recommend that orders with a risk score of 2.5 or above be flagged for review. For Business-to-Consumer (B2C) environments, the recommended risk score will depend on the kind of e-mail address that the customer uses. This is explained in more detail in the e-mail section.
The riskScore field ranges from 0 to 100, to help give a clearer, percentage-based idea of how risky a given order may be. For example, an order with a score of 20 has a 20% likelihood of being fraudulent.
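As an added example (not MaxMind's or xman online's code), the following function applies the rules described above for the proxyScore table, the anonymousProxy flag, the free e-mail handling for B2B and B2C, the secondary indicators, and the B2B riskScore threshold to one minFraud response. The field names follow this FAQ; the response dict, the "B2B"/"B2C" channel labels, the hold/review/accept outcomes, the free_mail_is_concern switch and the b2c_threshold parameter are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Fraud likelihood per proxyScore as tabulated in the FAQ (step function);
# scores below 0.5 have no figure given, so None is returned for them.
PROXY_SCORE_TABLE = [(3.0, 0.90), (2.0, 0.60), (1.0, 0.30), (0.5, 0.15)]
FREE_MAIL_WEIGHT = 2.5         # what the stock minFraud model adds for freeMail
B2B_REVIEW_THRESHOLD = 2.5     # FAQ recommendation for B2B environments


def proxy_fraud_likelihood(proxy_score: float) -> Optional[float]:
    """Map a proxyScore onto the FAQ's fraud-likelihood table."""
    for floor, likelihood in PROXY_SCORE_TABLE:
        if proxy_score >= floor:
            return likelihood
    return None


def evaluate_order(resp: Dict[str, str], channel: str,
                   free_mail_is_concern: bool = True,
                   b2c_threshold: Optional[float] = None) -> Tuple[str, float, List[str]]:
    """Return (decision, adjusted riskScore, reasons); decision is hold/review/accept.
    resp is a constructed dict of minFraud output fields (string values as returned)."""
    reasons: List[str] = []
    severe = False
    score = float(resp.get("riskScore", "0"))
    proxy_score = float(resp.get("proxyScore", "0"))
    # anonymousProxy: geolocation is unusable; FAQ says reject or process with extra care.
    if resp.get("anonymousProxy") == "Yes":
        severe = True
        reasons.append("anonymousProxy=Yes (countryCode A1, location blanked)")
    # proxyScore >= 3.0 was manually reviewed by MaxMind; it reverses a positive
    # countryMatch, so the order is held even when IP and billing agree.
    if proxy_score >= 3.0:
        severe = True
        reasons.append("proxyScore %.1f (%d%% fraud likelihood) overrides countryMatch=%s"
                       % (proxy_score, 100 * proxy_fraud_likelihood(proxy_score),
                          resp.get("countryMatch", "?")))
    # freeMail: B2B orders get reviewed; B2C merchants that do not care undo the +2.5.
    if resp.get("freeMail") == "Yes":
        if channel == "B2B":
            reasons.append("freeMail=Yes on a B2B order")
        elif not free_mail_is_concern:
            score -= FREE_MAIL_WEIGHT
    # Secondary indicators: supporting data only, never decisive on their own.
    for field in ("shipForward", "carderEmail", "highRiskUsername", "highRiskPassword"):
        if resp.get(field) == "Yes":
            reasons.append(field + "=Yes")
    if resp.get("binMatch") == "No":
        reasons.append("binMatch=No (billing country differs from issuing bank)")
    threshold = B2B_REVIEW_THRESHOLD if channel == "B2B" else b2c_threshold
    if threshold is not None and score >= threshold:
        reasons.append("adjusted riskScore %.2f >= threshold %.2f" % (score, threshold))
    decision = "hold" if severe else ("review" if reasons else "accept")
    return decision, score, reasons
```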