topic CIM create customer payment profile ripe for card spamming in Integration and Testing https://community.developer.cybersource.com/t5/Integration-and-Testing/CIM-create-customer-payment-profile-ripe-for-card-spamming/m-p/75132#M46806 <P>The process for creating a customer payment profile doesn't have any method to stop card spamming.&nbsp;&nbsp;</P><P>&nbsp;</P><P>When someone uses a bot to attempt to add credit cards to their account in order to test to see if they are valid, there is no method for capturing and restricting access.</P><P>&nbsp;</P><P>I recently had someone bot spam my add payment page with 25,000 credit card attempts.&nbsp; None of them were approved due to AVS mismatches or other errors.&nbsp; Unfortunately I racked up $2,500 in AVS charges from my payment processor.</P><P>&nbsp;</P><P>The Advanced Fraud Detection Suite will freeze your account if there is a certain volume of activity, but that stops everyone from processing transactions - an unacceptable solution.&nbsp; It also has an IP Address check, but there is no IP Address being accepted when adding payment profiles.</P><P>&nbsp;</P><P>Since CIM is a paid service, I would think that a basic fraud detection of how many transactions from a single customer in a period of time would be appropriate as part of that service.&nbsp; &nbsp;This would limit the transactions sent to the processor from a restricted IP address.</P><P>&nbsp;</P><P>If you are using CIM on your website, understand that someone can easily write a bot script to submit forms or make ajax calls.&nbsp; There is nothing built in to restrict it.&nbsp;</P><P>&nbsp;</P> Wed, 24 Feb 2021 10:36:00 GMT lcmj 2021-02-24T10:36:00Z CIM create customer payment profile ripe for card spamming https://community.developer.cybersource.com/t5/Integration-and-Testing/CIM-create-customer-payment-profile-ripe-for-card-spamming/m-p/75132#M46806 <P>The process for creating a customer payment profile doesn't have any method to stop card spamming.&nbsp;&nbsp;</P><P>&nbsp;</P><P>When someone uses a bot to attempt to add credit cards to their account in order to test to see if they are valid, there is no method for capturing and restricting access.</P><P>&nbsp;</P><P>I recently had someone bot spam my add payment page with 25,000 credit card attempts.&nbsp; None of them were approved due to AVS mismatches or other errors.&nbsp; Unfortunately I racked up $2,500 in AVS charges from my payment processor.</P><P>&nbsp;</P><P>The Advanced Fraud Detection Suite will freeze your account if there is a certain volume of activity, but that stops everyone from processing transactions - an unacceptable solution.&nbsp; It also has an IP Address check, but there is no IP Address being accepted when adding payment profiles.</P><P>&nbsp;</P><P>Since CIM is a paid service, I would think that a basic fraud detection of how many transactions from a single customer in a period of time would be appropriate as part of that service.&nbsp; &nbsp;This would limit the transactions sent to the processor from a restricted IP address.</P><P>&nbsp;</P><P>If you are using CIM on your website, understand that someone can easily write a bot script to submit forms or make ajax calls.&nbsp; There is nothing built in to restrict it.&nbsp;</P><P>&nbsp;</P> Wed, 24 Feb 2021 10:36:00 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/CIM-create-customer-payment-profile-ripe-for-card-spamming/m-p/75132#M46806 lcmj 2021-02-24T10:36:00Z