Why We Do Use CSC Codes
April 6, 2006 on 10:19 pm | In Business, Insider View, Rants by Josh Jones |
What a difference slevin months makes!
If you paid us with a credit card today, you may have noticed a tiny little difference with the form…
We removed the “(optional)” bit after the Security Code section.
WHY would we go and do a thing like that?
Didn’t we already say those CSC codes have about a 0% effectiveness against fraud?
Weren’t we proud of not requiring their use in our system?
Isn’t it just one more annoying hoop between us and your money?
Yes, yes, and for sure!
The reason we’re now requiring CSC codes on all credit card transactions on our site is actually pretty simple.. Discover required us to!
Why the sudden enforcement?
Because it’s a fraud, fraud, fraud, fraud world!
Apparently, in March, an insane 19% of our monthly total with Discover was charged back!
“Zuh? For real?” I couldn’t believe that it was that high… typically credit cards start getting mad at you when your chargebacks get above one or two percent.. how did we ever get to nineteen?! Was our fraud checking that horrible? Were Discover card holders super-susceptible to phishing scams? Did they maybe just have the decimal point in the wrong place?
As it turns out, it wasn’t exactly for real. The 19% included transactions we had already refunded after detecting fraud! The total for chargebacks we didn’t catch was just under 1%. Phew!
You see, what’s been happening is as follows:
Somebody signs up for a DreamHost account with a stolen Discover card.
We charge the card say, $119.40.
We notice the account looks fraudulent, so disable it and refund the $119.40 to the credit card.
The credit card owner, Steve McGinty, gets their bill, and either sees the $119.40 and no refund (yet), or sees both the charge and the refund.
Steve gets angry/hurt/confused, and calls Discover.
Discover answers the phone on the first ring.
Mr. McGinty says to Discover, “Who, or what, the hell, is DreamHost?”
Discover says, “Don’t you worry about those jerk-nuts, we’ll handle them but good!”
Satisfied, Steve-o gets off the phone and quickly gets back to dealing with his urgent SECURTITY RELAT3D EMAILs from paypal, ebay, amazon, bofa, wamu, citibank, and Nigeria.
Discover sends us a “chargeback notice.”
We tell Discover, “Hey, check your records, we ALREADY refunded that charge.”
“So you did, our bad, this is still going on your record!” they reply.
In summary, it’s kind of a waste of everybody’s time.
Fortunately, Discover has the perfect solution!
“Require CSC Codes.”
BASTARDS!
23 Responses to “Why We Do Use CSC Codes”
Categories:
Archives:
- June 2009 (3)
- May 2009 (3)
- April 2009 (4)
- March 2009 (2)
- February 2009 (3)
- January 2009 (3)
- December 2008 (3)
- November 2008 (4)
- October 2008 (5)
- September 2008 (2)
- August 2008 (5)
- July 2008 (2)
- June 2008 (3)
- May 2008 (6)
- April 2008 (2)
- March 2008 (3)
- February 2008 (5)
- January 2008 (7)
- December 2007 (3)
- November 2007 (3)
- October 2007 (5)
- September 2007 (3)
- August 2007 (4)
- July 2007 (4)
- June 2007 (7)
- May 2007 (3)
- April 2007 (3)
- March 2007 (8)
- February 2007 (4)
- January 2007 (6)
- December 2006 (5)
- November 2006 (2)
- October 2006 (4)
- September 2006 (4)
- August 2006 (5)
- July 2006 (3)
- June 2006 (3)
- May 2006 (5)
- April 2006 (6)
- March 2006 (7)
- February 2006 (6)
- January 2006 (8)
- December 2005 (7)
- November 2005 (5)
- October 2005 (8)
- September 2005 (19)
- August 2005 (11)
- July 2005 (4)
Other Sites
- DreamHost Status - An off-network page for all DreamHost Announcements! (Not as silly as this blog.)
- DreamHost! - The host behind the blog.
- Forum - Discuss DreamHost and web hosting!
- Web Control Panel - Manage your account.
- Wiki - On DreamHost and web hosting.
Powered by WordPress. Pool theme by Borja Fernandez, modified by DreamHost.
Like WordPress? Consider attending WordCamp LA.
Entries and comments feeds.
^Top^
April 6th, 2006 at 10:37 pm
and THAT is why I do not take discover cards anymore. 30% of my discover card charges were frauds, compared to 2% of the rest. I stopped taking discover cards, and my legitimate sales INCREASED.
Discover is a fraud, if you ask me. Apparently they’re even charging new merchants to sign up with them.
April 6th, 2006 at 10:57 pm
I hope you don’t store the CSC codes (which you indicated you thought was an option in the last post on this topic). Merchants cannot store CSC codes, even in an encrypted form.
April 7th, 2006 at 3:11 am
Leave it to Discover to break a perfectly good system. Bastards indeed!
April 7th, 2006 at 3:28 am
Sounds like a perfectly good excuse to quit accepting Discover. ;-)
April 7th, 2006 at 4:52 am
CSC security codes: because phishing for 19 digits is SO much harder than phishing for 16 digits.
“Fraud may be tough, but for everything else, there’s MasterCard.”
April 7th, 2006 at 7:32 am
There’s no problem for me, i trust you :)
April 7th, 2006 at 7:56 am
josh: did you discover ;) whether phishers are actually successfully getting CSC codes through phishing?
April 7th, 2006 at 8:33 am
The automatic billing update form still lists “(optional)” even though the field is now mandatory.
April 7th, 2006 at 8:59 am
I like the slander thing with the b*stard at the end :P
April 7th, 2006 at 5:27 pm
*All* credit cards suck! I *hate* ‘em *All*. But I’m lazy, and PayPal sucks more…so, years ago, I killed ‘em all but *one* which I use *only* for online stuff where “it is just easier” with a charge card. By complete coincidence (it happened to be at the “bottom” of my wallet) the “last card standing” happened to be a Disc*ver Card…so that is the only one that lived. I’d like to kill it too, but then it would be harder to pay my DH bill, and by books online, etc.. I wish I wasn’t as lazy as I am and that I was willing to put up with the inconvenience of not having *any* credit card. If there was ever a business model that is “evil”, the traditional credit card is it. It’s own fault…we keep using them.
“We have met the enemy, and he is us” -Pogo
April 7th, 2006 at 7:50 pm
Of course it naturally follows that the Nigerian scams will also start collecting CSC Codes.
April 8th, 2006 at 1:36 pm
No, You MUST NOT use CSC code.
In my case, the MasterCard.
See and learn this flow of “secure shopping”.
http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/demo_small.html
And also you don’t have the MasterCard SecureCode Logo too.
http://www.mastercard.com/us/merchant/security/what_can_do/SecureCode/logo.html
You are wrong !
Checking CSC is not your business !
April 9th, 2006 at 11:40 am
>>”dealing with his urgent SECURTITY RELAT3D EMAILs from paypal, ebay, amazon, bofa, wamu, citibank, and Nigeria.”
April 9th, 2006 at 11:41 am
I still don’t get why the cc companies haven’t just started putting smartcards/SIM’s on all of their cards. They could then distribute readers with mac, windows, and API documentation for Linux and everyone else. It would be a huge up front investment but it would basically turn online fraud into a non-issue, as it would require them to physically posses the card.
American Express seemed to start in on this with their Blue credit card line, but their regular charge cards still don’t have them. It would also require browser upgrades across the board, and merchant integration, but had they started in on this a few years ago it could have been integrated by now into most people’s browsers. Either way, for all the stink thats made over SSL certificates I would think they would have something worked out by now. Send a token, sign it against the key on the card, and send it back. “Easier said than done.” I know, but it seems like the cost to implement it could have been overcome by now in the costs dealing with fraud.
Heck they could encourage merchants to accept/require it during the startup period by giving them a break on processing fees for a year or something for each transaction signed by a smartcard.
April 9th, 2006 at 11:41 am
now without the html…
“dealing with his urgent SECURTITY RELAT3D EMAILs from paypal, ebay, amazon, bofa, wamu, citibank, and Nigeria.”
Hey hey hey! Come on now! Nigeria may be a 2nd or even 3rd world country, and sure there may be a lot of fraud that originates from Nigeria, but that’s unfair and slanderous to list it in the company of those other entities.
April 10th, 2006 at 11:36 am
itomaki (post #11): I can’t tell if you think CSC codes and MasterCard’s SecureCode are the same thing, or if you just want DreamHost to start participating in MasterCard’s SecureCode program.
To clarify, CSC codes are not the same as MasterCard’s SecureCode. DreamHost can (and probably should) check the CSC codes, they just can’t store them.
April 11th, 2006 at 12:06 am
I was told by you CSC which Dreamhost requres is not MasterCard’s SecureCode,
Thank you.
I mistook these two.
I get “Card Secure Code”(CSC) is not MasterCard’s “SecureCode(TM)”.
Then, how much secure when Dreamhost stores the CSC code?
I enter my MasterCard’s number without “CSC” at “Automatic Credit Card Rebill Settings”
and I get Error.
> Failure! Please correct the errors below.
> INVALID: CSC must be a 3 or 4 digit number.
so,I am afraid that Dreamhost STORE my CSC code.
April 11th, 2006 at 12:26 am
This was like, the ONLY useful post I’ve ever read on your blog. Ever. Usually, um. It sucks.
Thanks for not disappointing me 100%. Just 99.
April 11th, 2006 at 6:06 pm
that’s why i use their secure online account numbers
random generated numbers that works and protects your real credit card number
i dont get it.. if someone stole a card… wouldn’t they have the CSC code too?
April 13th, 2006 at 7:48 pm
I’m not at all surprised that McGinty is associated with this story.
April 14th, 2006 at 5:43 am
I stopped accepting discover after two months. First two months my webstore was up, I got about 25% chargeback on discover cards. The only sane thing to do after that was to stop. While on average, the rest were about 1% ;/
Of all the purchases I end up having to charge back because the purchase seems shady. Like some random guy in washington, connecting to the webpage using a russian IP, using a credit card from kansas… Even taking those into consideration, the amount of chargebacks I do myself and the credit card company screams at me to do, doesn’t even get close to how many are done with discover.
I think discovery should take a look at their own practices, and security. Maybe even teach each of their customers not to use their credit card info except when making a purchase on a secure website.
April 14th, 2006 at 6:17 am
Shouldn’t “Steve” or Discover be excited instead of angry/hurt/confused? Because when he sees the Dreamhost charge/refund, he knows that _his card number was stolen_ !!
July 25th, 2008 at 2:39 am
I’m not at all surprised that McGinty is associated with this story.