Fog Creek Software
Discussion Board

Fog Creek and online order fraud

From a thread on the other side I get the idea this will not be a popular question with Joel, but I'm going to ask it anyway.

Some time back Joel wrote an article that FG dumped Digital River and set up their own online order fullfillment system.  Saves money as DR no longer gets their cut, which varies depending on which DR outfit you use, but is generally someone between 10% and 20% of the sale.

One thing you get when using DR is fraud screening, since as anyone who has sold software online knows this can be a real problem.  If you are processing your own transactions you know that once chargebacks get much over 2% of your total sales you may be in trouble with your merchant account processor.

My question to Joel:  how (in general terms of course) has it gone doing your own online order fullfillment with respect to fraud?  Better than you expected, worse, the problem is on your radar, it is not - share your experience in this area without exposing Fog Creek to any more of this kind of thing than you may already have.  We don't want to know the details of your fullfillment system, just an idea on how it has all worked out.

Mitch & Murray (from downtown)
Sunday, March 7, 2004

Digibuy was charging us 13.9%. Credit card companies usually charge around 2.5%. There was just no way to justify digibuy's fee. Also, Digibuy took an average of 30 days to pay us and credit card companies take a couple of days. When we did the switchover we got, effectively, a free month of extra revenues that we'll never have to pay back. That alone paid the cost of developing our own solution.

The number of people in the world who wish to purchase bug tracking software using stolen credit cards is rather slim, but they do find their way to us. However ever since implementing certain anti-fraud measures, we haven't had a single chargeback. I expect that credit card fraud is like spam: as we develop counter measures, the lowlife will develop counter-counter measures, and we'll have to develop counter-counter-counter measures.

Joel Spolsky
Fog Creek Software
Sunday, March 7, 2004

Fair enough Joel, thank you for the straightforward answer.

FWIW, M&M Co. has been in the software business since 1987 and we never lost a single dime on a bad transaction until we went live with ESD over the 'net.  Even in the developer tools area such as yours and ours, you can't underestimate the fraud angle I think.  It is not just script kiddies out there hijacking credit cards anymore - actually it never was.

Good luck and be well ...

Mitch & Murray (from downtown)
Sunday, March 7, 2004

OK, one more interesting bit about the software business that not everyone here may know.

If you are selling a traditional shrink wrap package (CD and manual in a box) through a traditional retailer like (for example) Programmer's Paradise (to use Joel's recent reseller's experience, but there are obviously others) every month their purchasing person calls you up and orders so many boxes (SKU's - Stock Keeping Units).  Fine, you ship them 25, 50, or 100 new boxes of your stuff, they pay you (eventually) anywhere from 50% to 80% of the list price of your stuff.

Now, here is the interesting bit, hence the discussion of fraudulent transactions.  If Programmer's Paradise sells to a script kiddie with a stolen card, they shipped a box and they eat this - they do not call you up and say "we had a bad sale, we need a freebie to compensate us".  Sorry pal, you authorized the sale, you shipped the box, pay me anyway. 

On the other hand, if you are selling online via Digital River and a "chargeback" occurs, you eat the sale PLUS some fee - right now around $25.  This all occurs even though you did not authorize the sale (Digital River did), and your code is now gone into the great script kiddie beyond.  Not only do they not eat the bad sale, the charge you a penalty fee for the bad transaction even though it was not you that authorized the sale - it was Digital River.

How about that?

Mitch & Murray (from downtown)
Monday, March 8, 2004


That's a total bummer.

Mr. Fancypants
Monday, March 8, 2004

Mr. Fancypants ...

You think this is OK?

Mitch & Murray (from downtown)
Monday, March 8, 2004


Mitch & Murray (from downtown)
Monday, March 8, 2004

How much does PP charge for their service, and what percentage of purchases generally result in a chargeback?

I've never dealt with PP, but I've been selling software over the internet for half a year or so, and had 2 chargebacks, a negligable percentage.

I can see that PP offers other services as part of the package, but you're still paying 20-50% per sale, regardless of chargeback.

Seems like apples and oranges. Besides, if you're with PP and get a good number of chargebacks, they'll drop you just as quickly as your merchant account provider would.

Shareware Guy
Monday, March 8, 2004

I worked with Register Now, another Digital River company, for over five years. They charge a hefty 20% but they protect you from chargebacks. (I can only recall one chargeback in five years though. I'm selling fractal software and I guess there are few people wanting to buy that with a fake/stolen credit card.)

Lately, they've started flagging certain orders as risky, for example with hotmail or yahoo email addresses. They seem to refund these at random to avoid chargebacks, without prior notice to vendors. We have to beg them to approve the order or it will cost us a significant part of our sales.

I've switched to SWREG about a week ago, which charges 4% + $1, and so far I'm very happy. I get the feeling that Register Now is losing vendors because of their high commision rate (they hinted at lowering it to 16%) and they are looking into other ways of saving money, for example avoiding chargebacks at all costs. They also introduced a new Bounceback feature to sell upgrades that essentially ties you to Register Now forever.

To M&M: it makes more sense for Programmer's Paradise to swallow the costs of chargebacks because their commision is generally much larger.

Frederik Slijkerman
Monday, March 8, 2004

M&M - that's interesting. Thanks.

Monday, March 8, 2004

Joel, are you willing to share with us your fraud counter-measures?  Or are you worried that doing so will speed up the counter-countermeasure development?

Jim Crawford
Monday, March 8, 2004

"Joel, are you willing to share with us your fraud counter-measures?  Or are you worried that doing so will speed up the counter-countermeasure development? "

He might tell you in person, but I doubt he'll post the answer on the board.  ;)

Monday, March 8, 2004

Since April 1st, 2003, any loss caused by costumer order repudiation must be assumed by the credit card emissor, not the commerce, due to Visa and Mastercad new security measures. This is only applicable if the seller's site is compliant with this measures, of course.

Wednesday, March 10, 2004

*  Recent Topics

*  Fog Creek Home