At 3/3/00 9:08 PM, Jeff Dafoe wrote:
> Item D, to me, seems quite bizarre.
>in item D your statements indicate
>that you are not willing to address the risks and accept responsibility
>for the parts of the transactions that are yours.
Hmmm.
I've been selling digital goods over the Internet for five years, and I
can tell you that (despite what other people have recently said) in a
"card not present" transaction, where you didn't get a point-of-sale or
delivery signature, you have no defense against a chargeback. Absolutely
none.
It doesn't matter whether the address verification matched. All the
customer has to say if they don't want to pay for such a transaction is
"I didn't authorize the charge." When that happens, you won't get paid.
There are no exceptions, because you have no proof it wasn't someone
impersonating the customer who happened to know the customer's name and
address.
It's happened to me plenty of times, and there are hundreds of thousands
of stolen card numbers floating around the Internet. The accepted figure
is that about 1% of Internet credit card sales result in a chargeback
where the customer claims the charge wasn't authorized, so it will happen
to you.
Now, when it is impossible to collect the money owed, it's reasonable
that we have a way to cut off the service we've sold to that person,
whether it was the actual owner of the card or not. That's not "bizarre":
if someone uses fraud to "buy" ten years of domain service, it isn't
right that I'll lose the $100 AND they can use the service for the next
ten years for free.
If word gets out that people can defraud any OpenSRS reseller and their
domains will never be shut off, then the credit card kiddies are going to
have an absolute field day. They'll come to your site and register dozens
of domains just to impress their friends, and you'll lose thousands and
thousands of dollars before you even see the names of the domains if you
have a fully automated system.
Here's a question for the TUCOWS folks: if someone uses a stolen credit
card to buy a ten year domain from Domain Direct, and you get a
chargeback two months later, do you shut off the domain or leave it going
for the next ten years?
If Domain Direct would turn it off, we should have the same power.
Otherwise, they have a competitive advantage in that people committing
fraud will avoid them and target us.
I have no problem with the power being restricted (for example, requiring
a liability release form to be signed by the reseller before OpenSRS
turns off a domain).... but it ought to be available.
-- Robert L Mathews Tiger Technologies
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:23 EDT