Credit card fraud prevention using PHP and MYSQL database

Credit card fraud is widespread on the Internet. According to MasterCard International, account takeover fraud has increased 369% since 1995. It has become one of the fastest growing types of fraud and one of the most difficult to combat. More than $700 million in online sales were lost to fraud in 2001, representing 1.14 percent of total annual online sales of $61.8 billion, according to GartnerG2. Even if the credit card company has given clearance as to the validity of the card, there are several ways fraudulent cards can be used on your site. The card may have been lost or stolen, but the card owner has not yet reported its loss. Or the card number (and not the card itself) may have been stolen without the owner’s knowledge. There is also a scam called identity theft, in which the card is issued under false pretenses using someone else’s identity and details.

As an online merchant, you must have a system in place to verify the authenticity of orders placed in order to protect your business. While the effort may require additional time and money, it can save you the cost and stress caused by chargebacks for fraudulent orders. You lose the physical product; you lose the sale price; you lose another business opportunity; and an additional $15-$50 chargeback fee will be assessed. If you have a high rate of chargebacks, your card service company may even blacklist you and cancel your merchant account. You will also spend time looking up the order and providing the requested information to your card service company. All these annoyances are things that you can surely do without.

How can you protect your business from credit card fraud? Here are some steps that can be taken to ensure that the real cardholder is requesting the transaction.

Suspicious shipping address.

According to ClearCommerce Corporation, a provider of payment processing and fraud protection software for e-commerce, orders from Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, and Pakistan have a very high incidence of fraud and often have unverifiable addresses.

Untraceable email address.

In many fraudulent orders, the customer’s email address is usually in one of the free email services, such as hotmail.com and yahoo.com, which are relatively untraceable.

Expensive items.

Beware of expensive orders, especially expensive brand name items.

Several identical items.

It can be a bad sign, for example, if someone orders three X-Boxes or three DVD players at once, especially when the items have a high resale value.

Express delivery.

Most fraudulent orders specify next-day or overnight shipping without hesitation.

The shipping address differs from the billing address.

In fraudulent orders the shipping address and the billing address are usually different. If you are selling valuable items, it may be a good policy to ship only to the cardholder’s billing address.

Suspicious billing address.

The address seems too simple or invalid. If the billing address is 123 Main St, New York, the order is likely fraudulent. You can use an online locator tool to see if the address can be verified.

Leave-at-the-door delivery or post office box.

If the courier cannot guarantee delivery of the goods, the risk of fraud is very high.

Advances in IP geolocation on the Internet allow us to identify the geographic region from which an order is placed. This information can be used to reduce fraud by checking it against the billing address and the delivery address. The method identifies the scenario in which credit card data belonging to a cardholder in country Y has been stolen by someone in country X. An IP address lookup reveals the real country of origin instead of relying on the country the customer typed into the order form.

IP2Location(TM) provides technology to translate an IP address to its country of origin. The lookup table is available in various formats, such as database and COM. It is a practical solution for automating fraud detection using client-side programming languages like C++ and Visual Basic, or server-side programming languages such as ASP, PHP, JSP, and CFML.

For example, Company XYZ received a credit card order from the IP address 161.139.12.3. The order details are as follows:

Name: Juan Ma

Address: Main Street 123

City: New York

ZIP Code: 11111

Country: United States

Phone: (503) 111-1111

Credit card number: 1234 5678 9012 3456

Expiration date: December 2010

The merchant’s credit card processor will authorize this order if the billing address matches the order details. Unfortunately, the credit card details were previously stolen over the Internet by Mr. ABC, who lives in another country. He then purchased digital products from company XYZ using that information. His order was approved by the merchant because all the details matched John’s record in the bank’s database. IP2Location(TM) technology can flag, in advance, the mismatch between the country the order comes from and the country in which the card is registered, protecting the business from this kind of order. You can classify such orders for manual inspection before the merchandise is delivered. You will be surprised how much this method helps identify fraudulent orders.

In this tutorial, we use the IP2Location(TM) IP-Country database to look up the country of origin from the visitor’s IP address. Instead of loading the entire database of over 50,000 records, we simplify the tutorial by assuming only two IP address ranges in the world: IP addresses 0.0.0.0 – 126.255.255.255 originate from the United States, and IP addresses 127.0.0.0 – 255.255.255.255 originate from Japan. We create an “IP2Location” database with an “IPCountry” table consisting of these two IP address range records.

Step 1: Create and connect to the ‘IP2Location’ database

mysql> CREATE DATABASE IP2Location;
mysql> CONNECT IP2Location

Step 2: Create the table ‘IPCountry’

mysql> CREATE TABLE IPCountry
    -> (
    -> ipFROM DOUBLE NOT NULL,
    -> ipTO DOUBLE NOT NULL,
    -> countrySHORT VARCHAR(2) NOT NULL,
    -> countryLONG VARCHAR(100) NOT NULL,
    -> PRIMARY KEY (ipFROM, ipTO)
    -> );

Step 3. Import the ‘ipcountry.csv’ database into the ‘IPCountry’ table

mysql> INSERT INTO IPCountry VALUES (0, 2130706431, 'US', 'UNITED STATES');
mysql> INSERT INTO IPCountry VALUES (2130706432, 4294967295, 'JP', 'JAPAN');

The full version of the IP-Country database is available by subscription for $49/year at http://ip2location.com. If you have the full version of the IP2Location(TM) IP-Country database, the import process is much easier using the LOAD DATA INFILE statement available in MySQL.

mysql> LOAD DATA INFILE '/IPCountry.csv' INTO TABLE IPCountry FIELDS TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\r';

We create a script that compares the looked-up country with the billing data provided during the order authorization flow. It serves as a filter to reduce fraud. All flagged orders are verified manually by the merchant.

verify.asp

<?php
// Country in the billing address; in this example we assign "US" for the United States.
$billingCountrySHORT = "US";

// Replace these MySQL server variables with the actual configuration
$mysql_server    = "mysql_server.com";
$mysql_user_name = "Username";
$mysql_user_pass = "Password";

// Retrieve the IP address of the visitor from the server variable REMOTE_ADDR
$ipaddress = $_SERVER['REMOTE_ADDR'];

// Convert IP address to IP number to query the database
$ipno = Dot2LongIP($ipaddress);

// Connect to the database server and select the IP2Location database
$link = mysqli_connect($mysql_server, $mysql_user_name, $mysql_user_pass, "IP2Location")
    or die("Could not connect to MySQL database");

// SQL query matching the single record whose range contains the IP number.
// The IP number is bound as a parameter rather than pasted into the SQL string.
$stmt = mysqli_prepare($link, "SELECT countrySHORT, countryLONG FROM IPCountry WHERE ? <= ipTO AND ? >= ipFROM")
    or die("IP2Location query failed");
mysqli_stmt_bind_param($stmt, "dd", $ipno, $ipno);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

// Retrieve the recordset (only one); an unmatched address yields no row
$row = mysqli_fetch_object($result);

// Keep the country information in two different variables
$countrySHORT = $row ? $row->countrySHORT : "";
$countryLONG  = $row ? $row->countryLONG : "";

// Release recordset and close connection to database
mysqli_free_result($result);
mysqli_stmt_close($stmt);
mysqli_close($link);

if ($countrySHORT == $billingCountrySHORT) {
    // IP address country is the same as the country in the billing address
    // Low risk of fraud
} else {
    // IP address country differs from the country in the billing address (or is unknown)
    // High risk of fraud
}

// Function to convert IP address (xxx.xxx.xxx.xxx) to IP number (0 to 256^4-1)
function Dot2LongIP($IPaddr)
{
    if ($IPaddr == "") {
        return 0;
    }
    $ips = explode(".", $IPaddr);
    return $ips[3] + $ips[2] * 256 + $ips[1] * 256 * 256 + $ips[0] * 256 * 256 * 256;
}
?>
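As an added example that is not part of the original tutorial, the same range lookup and billing-country comparison written in Python against an in-memory SQLite copy of the two-record IPCountry table. The table contents, the sample addresses and the "review" outcome for malformed or unlisted addresses are constructed for this demonstration.

```python
import ipaddress
import sqlite3

# Constructed copy of the tutorial's toy IPCountry table: two ranges cover all of IPv4.
TOY_RANGES = [
    (0, 2130706431, "US", "UNITED STATES"),    # 0.0.0.0 - 126.255.255.255
    (2130706432, 4294967295, "JP", "JAPAN"),   # 127.0.0.0 - 255.255.255.255
]


def dot2longip(ip_str):
    """Dotted quad -> IP number (0 .. 256^4-1); None if the string is not an IPv4 address."""
    try:
        return int(ipaddress.IPv4Address(ip_str))
    except ValueError:
        return None


def build_db(ranges=TOY_RANGES):
    """In-memory SQLite stand-in for the MySQL IPCountry table (same columns as the tutorial)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IPCountry (ipFROM INTEGER NOT NULL, ipTO INTEGER NOT NULL, "
        "countrySHORT TEXT NOT NULL, countryLONG TEXT NOT NULL, PRIMARY KEY (ipFROM, ipTO))"
    )
    conn.executemany("INSERT INTO IPCountry VALUES (?, ?, ?, ?)", ranges)
    return conn


DB = build_db()


def lookup_country(ip_str, conn=DB):
    """Return the two-letter country whose range contains the address, or None if unmatched."""
    ipno = dot2longip(ip_str)
    if ipno is None:
        return None
    # The IP number is bound as a parameter, never pasted into the SQL text.
    row = conn.execute(
        "SELECT countrySHORT FROM IPCountry WHERE ? BETWEEN ipFROM AND ipTO", (ipno,)
    ).fetchone()
    return row[0] if row else None


def assess_order(ip_str, billing_country, conn=DB):
    """'low' when the origin country matches the billing country, 'high' on mismatch,
    'review' when the origin cannot be determined (malformed or unlisted address)."""
    origin = lookup_country(ip_str, conn)
    if origin is None:
        return "review"
    return "low" if origin == billing_country.strip().upper() else "high"
```

The tutorial's sample order from 161.139.12.3 with a US billing address falls in the toy Japan range and is therefore rated "high".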
