Feature Requests

Perform fraud check upon each manual credit card payment attempt

NK5 LLC shared this idea 1 year ago
Under Consideration

It would be beneficial to me if an additional fraud check was performed each time an invoice is manually paid via creditcard.php.

I have reason to believe carders are placing orders, passing the initial fraud-check, but the provided card details are declined. They then use the creditcard.php page to attempt different stolen card details until a payment is authorized.

My particular merchant gateway levies a fee for declined transactions, so this is costing me money, in addition to the charge-backs which later occur due to the use of stolen card details.

Therefore I propose performing an additional fraud check on manual payments on creditcard.php to block such behaviour.

Comments (3)


Hi there,

Thanks for your suggestion.

I'm interested to hear your thoughts on how an additional fraud check upon creditcard.php would operate. For example:

  1. Upon submission, should the payment attempt be deferred whilst the fraud check is performed?
  2. If it fails, should the invoice be cancelled immediately and order be marked as fraud?
  3. At this point should the card details be dropped from WHMCS?
  4. What criteria would you use to determine when this additional check is performed? E.g. is it done for every invoice being manually paid, only the first invoice in a client's account, if the invoice is associated with an order, or something else?

Some general questions I had:

  1. How does the cost of the fraud check compare to the charge from your merchant gateway for declined transactions?
  2. What about users who do not want to perform additional fraud checks?


Hey John,

1. The check should work just as it does now during the checkout process. Once you hit the submit button with the payment details, there is a pause while WHMCS contacts the enabled fraud service, then either accepts the order and proceeds, or fails the fraud check and shows the user the fraud template.

2. Let's say MaxMind is the fraud service in use. Once the transaction has failed their tests, the invoice should be canceled and marked as fraud, then the user should receive the standard "fraud" message and whatever email template is attached to that process.

3. I'm not sure about the card details. We don't store them on our system, as we use authorize.net CIM. It would be handy to have a checksum or MD5 SUM of the card so it can be blacklisted, however.

4. The option should honor the existing setting/preference in WHMCS regarding fraud checking existing customers with active services.

Your other questions:

1. MaxMind Insight is $0.015/transaction, but authorize.net starts around $0.35. We've managed to reduce that significantly due to volume over the last couple of years, but the price difference is still staggering. Our business is mostly transactions under $5.00, so $0.35/transaction by a single carder with a huge list of stolen credit cards can wipe out a day's profits in a couple of hours.

2. Not sure what you mean. Which users? WHMCS admins or end-users?


We currently use MaxMind fraud checking.

I'd like to see a verification also based on the existing model used in MaxMind.

Score the transaction; if it's not in the threshold, then deny and remove, and then notify the client and admin.
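
The flow proposed in this thread (check each manual payment attempt before the gateway is contacted, deny on a failing score, and blacklist the card by a checksum), as an added example that is not from the thread, WHMCS or MaxMind. All function names, the threshold and the decline limit are assumptions; the fingerprint uses a keyed HMAC-SHA-256 instead of a plain MD5 because card numbers are short enough to be recovered from an unkeyed hash by brute force.

```php
<?php
declare(strict_types=1);

// Added illustration; none of these names are WHMCS or MaxMind APIs.
const RISK_THRESHOLD = 20.0;   // assumed cut-off; scores above it are treated as fraud
const MAX_DECLINES   = 3;      // assumed per-invoice limit on declined cards

/** Keyed fingerprint of a card number, so the blocklist never holds the number itself. */
function cardFingerprint(string $pan, string $key): string
{
    $digits = (string) preg_replace('/\D/', '', $pan);   // ignore spaces and dashes
    return hash_hmac('sha256', $digits, $key);
}

/**
 * Decide what to do with one manual payment attempt before the gateway is called.
 * $state holds 'blocklist' (fingerprint => true) and 'declines' (invoice id => count).
 * $score is a callable standing in for the configured fraud service.
 * Returns 'charge', 'blocked_card', 'too_many_declines' or 'fraud'.
 */
function checkManualPayment(array &$state, int $invoiceId, string $pan, string $key, callable $score): string
{
    $fp = cardFingerprint($pan, $key);
    if (isset($state['blocklist'][$fp])) {
        return 'blocked_card';               // no fraud-service or gateway fee is spent
    }
    if (($state['declines'][$invoiceId] ?? 0) >= MAX_DECLINES) {
        return 'too_many_declines';          // repeated card attempts on one invoice
    }
    if ($score($invoiceId) > RISK_THRESHOLD) {
        $state['blocklist'][$fp] = true;     // remember the card; caller cancels the invoice
        return 'fraud';
    }
    return 'charge';                         // only now is the gateway contacted
}

/** Record a gateway decline so repeated attempts on one invoice get cut off. */
function recordDecline(array &$state, int $invoiceId): void
{
    $state['declines'][$invoiceId] = ($state['declines'][$invoiceId] ?? 0) + 1;
}

// Constructed sample run: public test card numbers and fixed scores per attempt.
$state = ['blocklist' => [], 'declines' => []];
$key   = 'example-key-not-for-production';
echo checkManualPayment($state, 1001, '4111 1111 1111 1111', $key, fn(int $id) => 5.0), "\n";
recordDecline($state, 1001);
echo checkManualPayment($state, 1001, '4012888888881881', $key, fn(int $id) => 85.0), "\n";
echo checkManualPayment($state, 1002, '4012-8888-8888-1881', $key, fn(int $id) => 5.0), "\n";
```

The third call shows the fingerprint doing its job: the same card, typed with dashes on a different invoice, is refused before either the fraud service or the gateway is billed.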