CIM create customer payment profile ripe for card spamming

The process for creating a customer payment profile doesn't have any method to stop card spamming.  


When someone uses a bot to attempt to add credit cards to their account in order to test to see if they are valid, there is no method for capturing and restricting access.


I recently had someone bot spam my add payment page with 25,000 credit card attempts.  None of them were approved due to AVS mismatches or other errors.  Unfortunately, I racked up $2,500 in AVS charges from my payment processor.


The Advanced Fraud Detection Suite will freeze your account if there is a certain volume of activity, but that stops everyone from processing transactions - an unacceptable solution.  It also has an IP Address check, but there is no IP Address being accepted when adding payment profiles.


Since CIM is a paid service, I would think that a basic fraud detection of how many transactions from a single customer in a period of time would be appropriate as part of that service.  This would limit the transactions sent to the processor from a restricted IP address.


If you are using CIM on your website, understand that someone can easily write a bot script to submit forms or make AJAX calls.  There is nothing built in to restrict it.
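The velocity check the post asks for (a cap on how many add-payment attempts a single customer or client IP can make in a period of time) has to live on the merchant's own site, since the post notes that no IP address is passed through when a payment profile is created. The following is an added example, not code from the original post or from Authorize.Net/CIM: a sliding-window guard that sits in front of the "create customer payment profile" call and refuses attempts locally once a budget is exhausted, so they never reach the processor and never incur an AVS fee. The class and function names, the per-customer and per-IP limits, the customer id, the IP address and the stubbed gateway response are all constructed for illustration.

```python
"""Velocity guard in front of a "create customer payment profile" endpoint.

Added example, not Authorize.Net or CIM code. The gateway call is a stub
(`submit_to_gateway`) because the point is what happens before it: every
attempt, approved or declined, is counted, and once a customer or client IP
exceeds its per-window budget the attempt is refused without being sent.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Tuple


@dataclass(frozen=True)
class VelocityRule:
    """Maximum number of attempts allowed per key inside a sliding window."""
    limit: int
    window_seconds: int


class PaymentProfileVelocityGuard:
    """Sliding-window attempt counter keyed by customer profile and client IP.

    Attempts are counted whether or not the gateway approves them, because
    declined attempts still incur processor (AVS) fees.
    """

    def __init__(self, per_customer: VelocityRule, per_ip: VelocityRule) -> None:
        self.rules: Dict[str, VelocityRule] = {"customer": per_customer, "ip": per_ip}
        self._events: Dict[str, Dict[str, Deque[float]]] = {
            "customer": defaultdict(deque),
            "ip": defaultdict(deque),
        }

    @staticmethod
    def _prune(events: Deque[float], now: float, window: int) -> None:
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= window:
            events.popleft()

    def check(self, customer_id: str, client_ip: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason) without recording an attempt."""
        for scope, key in (("customer", customer_id), ("ip", client_ip)):
            rule = self.rules[scope]
            events = self._events[scope][key]
            self._prune(events, now, rule.window_seconds)
            if len(events) >= rule.limit:
                return False, (f"{scope} {key} exceeded {rule.limit} attempts "
                               f"in {rule.window_seconds}s")
        return True, "ok"

    def record(self, customer_id: str, client_ip: str, now: float) -> None:
        """Count one attempt against both the customer and the IP."""
        self._events["customer"][customer_id].append(now)
        self._events["ip"][client_ip].append(now)


def add_payment_profile(guard: PaymentProfileVelocityGuard, customer_id: str,
                        client_ip: str, card_last4: str, now: float,
                        submit_to_gateway: Callable[[str, str], str]) -> Dict[str, object]:
    """Gate one add-payment-method request behind the velocity guard."""
    allowed, reason = guard.check(customer_id, client_ip, now)
    if not allowed:
        # Refused locally: nothing is sent to the processor, so no fee accrues.
        return {"status": "rate_limited", "reason": reason, "gateway_called": False}
    guard.record(customer_id, client_ip, now)  # count the attempt regardless of outcome
    status = submit_to_gateway(customer_id, card_last4)
    return {"status": status, "reason": "", "gateway_called": True}


def simulate_card_spam(attempts: int = 30, window_seconds: int = 3600) -> Dict[str, int]:
    """Constructed scenario: one customer, one IP, every card declined by AVS."""
    guard = PaymentProfileVelocityGuard(
        per_customer=VelocityRule(limit=5, window_seconds=window_seconds),
        per_ip=VelocityRule(limit=20, window_seconds=window_seconds),
    )

    def declining_gateway(customer_id: str, card_last4: str) -> str:
        return "declined_avs_mismatch"  # constructed stand-in for the real response

    counts = {"gateway_called": 0, "rate_limited": 0}
    for i in range(attempts):
        result = add_payment_profile(guard, "cust-0001", "198.51.100.7", f"{i:04d}",
                                     now=1000.0 + i, submit_to_gateway=declining_gateway)
        counts["gateway_called" if result["gateway_called"] else "rate_limited"] += 1
    return counts


if __name__ == "__main__":
    print(simulate_card_spam(30))  # constructed run: 5 reach the gateway, 25 are refused
```

The per-customer limit is the one that stops the scenario in the post (a bot hammering one account), while the per-IP limit catches a script rotating through many accounts from one source. Both budgets are counted on attempts rather than approvals, which is what keeps the fee exposure bounded; the in-memory deques would be swapped for a shared store in a multi-server deployment.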