We use PayPal exclusively (for better or worse) to collect payments on one of the e-commerce sites I manage. Recently, we noticed a lot of suspicious transactions being allowed through PayPal. High dollar value, Overnight Shipping, to shipping addresses that didn’t match billing addresses. What was odd is it seemed like it was happening all of a sudden. Turns out, we’d been hit be what appeared to be the same group for about 12 days.
I was really shocked this problem just popped up because you’d think PayPal would be on top of this sort of thing and let us know of suspicious transactions. Well, that isn’t the case. I’m not 100% sure if PayPal changed something in account settings or not, but it turns out that we had all of our Risk Controls set to Accept. Now, I’ve never seen this stuff before in our PayPal profile, but I also don’t manage the PayPal account on a daily basis.
What I found shocking, and absolutely ridiculous, is that PayPal didn’t set the defaults for these settings to the safest possible, but the unsafest. We were set to accept all transactions, regardless of address verification, credit card security verification, and a whole bunch of other settings. I couldn’t believe it when I saw it. The only reason I actually looked was that I had posed my problem to the PayPal Developer Community. Needless to say I locked the entire account down so we were as safe as possible, but I just couldn’t believe PayPal would do this by default.
It seems obvious, since PayPal isn’t a bank or even your typical credit card processor, that PayPal is just interested in collecting its fees. They probably could care less about you as a merchant and how you need protected. I’m sure we’ll be investigating other processors (which I know there are plenty of out there) to use in the future. PayPal just doesn’t seem to be the safest way to pay (pun totally intended).