lat9 / one_page_checkout

One-Page Checkout for Zen Carts v1.5.7a and later.
GNU General Public License v2.0

guest shopping cart empty after 3 card declined / timeout or logoff #403

Closed jjone closed 6 months ago

jjone commented 7 months ago

In guest checkout mode, after 3 card declines, Zen Cart will redirect to logoff or timeout. Guest shopping cart items will be gone after that. (Fix: maybe keep the guest cart session?)

Logically, if this guest customer wants to checkout again, he/she will have to add all items back.

Registered customers are not affected.

Thank you.

drbyte commented 7 months ago

That's standard Zen Cart behavior, intended to discourage "credit card slamming", which is when someone tries to test/validate stolen credit card numbers using your store's checkout process.

Most legitimate customers are capable of entering their own valid credit card details on the first try, or at least within 3 tries.

If you wish to change the threshold from 3 to something else, you can edit /includes/modules/checkout_process.php:

// BEGIN CC SLAM PREVENTION
$slamming_threshold = 3;

and change the 3 to a slightly higher number that reflects the capability of your store's typical customer.

jjone commented 7 months ago

Thank you drbyte! This is great for fraud prevention.

Is there any way to keep only the GUEST cart items in One-Page Checkout after logoff?

Customers who are not registered would have to add 100 items back to their carts when their cards fail 3 or more times.

What do you think?

jjone commented 7 months ago

Please see my view of this issue below:

Registered customer - no change: card failed 3 or more times, logoff for fraud prevention. Guest checkout - card failed 3 or more times: instead of logoff, redirect to the Contact Us page. Guests can still call customer service to complete their orders instead of having their carts emptied and being left nowhere to go.

Is this logic more customer-friendly?

thanks again!

jjone commented 7 months ago

The code below keeps guest carts and redirects guest users to the Contact Us page. Hope it helps. Thanks.

/includes/modules/checkout_process.php

// BEGIN CC SLAM PREVENTION
$slamming_threshold = 3;
if (!isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
$_SESSION['payment_attempt']++;
$zco_notifier->notify('NOTIFY_CHECKOUT_SLAMMING_ALERT', $_SESSION['payment_attempt'], $slamming_threshold);
if ($_SESSION['payment_attempt'] > $slamming_threshold) {
    $zco_notifier->notify('NOTIFY_CHECKOUT_SLAMMING_LOCKOUT');
    //$_SESSION['cart']->reset(TRUE); // keep the cart after the 3 max card failures
    zen_session_destroy();
    zen_redirect(zen_href_link(FILENAME_CONTACT_US)); // redirect guest to Contact Us
}

lat9 commented 7 months ago

The possible problem for guest-checkout is that some nefarious person could, as @drbyte indicated above, use this change to find a credit-card in a stolen list that they have ... and keep trying until they eventually find one.

It's not a change that I will incorporate in the 'base' OPC release, due to the fraud that it could introduce, but it's your site so you can choose to accept that condition!

jjone commented 7 months ago

Hi, lat9. There is no change to the Zen Cart fraud prevention in the code; it's still the default one. The only change is the customer checkout experience flow. Thanks.

drbyte commented 7 months ago

The reason the cart gets emptied is to create more pain for the fraudster because they'd have to add something back to their cart before being able to continue testing credit cards. This is especially important for guest checkout, because that is where the card-slamming fraud will be targeted.

I think it's sensible to simply increase the threshold to 4 or 5 on your own store if you find that your legitimate guest checkout customers are having problems typing in their own card details. And, if you're already editing that file for your own needs, you're welcome to redirect them to Contact-Us as you proposed.
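
The two lockout policies discussed in this thread (the stock Zen Cart behaviour drbyte describes, and the guest redirect jjone proposes) can be compared side by side by modelling the checkout_process.php counter as a pure function. The following is an added example written for this page; it is not Zen Cart or One-Page Checkout code. It keeps the `payment_attempt` session key and the `> $slamming_threshold` comparison from the snippet above, but the function names, the `$is_guest` flag (which the caller would have to derive from the store's own guest-checkout check) and the success-reset helper are assumptions for illustration. Unlike jjone's variant, it empties the cart in both branches, following drbyte's point that re-adding items is what slows a card-slamming script down.

```php
<?php
// Added example, not Zen Cart / OPC code. Models the CC slam-prevention counter
// from /includes/modules/checkout_process.php as a function over a session array
// so the registered-vs-guest lockout policies can be compared without a running store.

const SLAMMING_THRESHOLD = 3;   // raise to 4 or 5 if legitimate customers trip it

/**
 * Record one failed card authorisation and decide what the checkout should do.
 *
 * Returns 'retry' while the attempt count is at or under the threshold,
 * 'lockout' for a registered customer over it (stock behaviour: empty cart,
 * end session, send to logoff/timeout), or 'contact_us' for a guest over it
 * (the alternative landing page proposed in this thread).
 *
 * $session stands in for $_SESSION; $is_guest is a hypothetical flag the
 * caller supplies from the store's own guest-checkout detection.
 */
function record_card_failure(array &$session, bool $is_guest, int $threshold = SLAMMING_THRESHOLD): string
{
    if (!isset($session['payment_attempt'])) {
        $session['payment_attempt'] = 0;
    }
    $session['payment_attempt']++;

    if ($session['payment_attempt'] <= $threshold) {
        return 'retry';
    }

    // Over the threshold. The cart is emptied in BOTH branches: a fraudster
    // has to add something back before testing the next number. Only the
    // page the shopper lands on differs for guests.
    $session['cart'] = [];
    $session['payment_attempt'] = 0;   // a destroyed session would restart at zero anyway
    return $is_guest ? 'contact_us' : 'lockout';
}

/**
 * Clear the counter once a card is accepted. Without this, a genuine customer
 * who later makes a second purchase in the same session inherits the old
 * failures and can be locked out on their first mistake.
 */
function record_card_success(array &$session): void
{
    unset($session['payment_attempt']);
}

// Constructed walk-through: a guest with two items declines four times in a row.
$guest = ['cart' => ['sku-1' => 2, 'sku-2' => 1]];
foreach (range(1, 4) as $n) {
    $action = record_card_failure($guest, true);
    printf("guest attempt %d -> %s (items left in cart: %d)\n", $n, $action, count($guest['cart']));
}

// Same sequence for a registered customer, ending in the stock lockout.
$registered = ['cart' => ['sku-1' => 2], 'customer_id' => 42];
foreach (range(1, 4) as $n) {
    $action = record_card_failure($registered, false);
    printf("registered attempt %d -> %s (items left in cart: %d)\n", $n, $action, count($registered['cart']));
}
```

Attempts 1 to 3 return 'retry' with the cart intact; the fourth returns 'contact_us' for the guest and 'lockout' for the registered customer, and in both cases the cart array is empty afterwards. Whatever page you redirect to, the counter and cart reset are what carry the anti-slamming value; changing only the redirect target, as the thread agrees, leaves that protection unchanged.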