Hello! We're a YC group (in the latest batch) building a tool that has potential for abuse. For example, a spammer might find our stuff helpful for running a mail server.

Anyway, is there anything we can do to protect ourselves from people signing up with fraudulent credit cards, racking up a bunch of hosting fees, and having the financial liability fall back on us? AWS must have this problem all the time, any idea how someone like them deals with it?
You've got 2 major risks here.

Your question indicates you're concerned about someone using a bogus card, using your site, and then you're out the money/fees (this is indistinguishable from a chargeback due to an unhappy customer). As far as I can tell, this is a "cost of doing business" and other than some common sense rules (don't accept business from Nigerians, East Europeans, or whoever is the "land of hackers" this week - check the address and IP addresses - log everything), I don't think anyone will be able to assist you (including law enforcement, who has a hard time getting involved for less than 6 digits of losses). One of the applications I'm responsible for accepts/processes credit cards, and we have 0 chargebacks, but that's mainly because this application is an add-on for a desktop application that costs several hundred dollars.

The other one you didn't seem to address is PCI-DSS compliance. If you store the credit card number in any place (including log files), you (and your customers) could be in for a world of hurt if you're hacked (like TJ Maxx did).
https://www.pcisecuritystandards.org/index.shtml (see chart on page 4 of the spec, and the checklists at the end may be helpful as well).
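The "log everything, but never let a card number land in a log file" tension in the reply above, as an added example that is not code from this thread or from any of the posters: a Python `logging` filter that finds 13-19 digit runs (with optional space or dash separators), keeps only those that pass the Luhn check so order numbers and timestamps are left alone, and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The card number in the sample line is the well-known 4111... test value, not a real account; the helper names are my own.

```python
import io
import logging
import re

# A digit run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace Luhn-valid card-like numbers with first6 + '*' + last4."""
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw           # not a card number as far as Luhn can tell
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, text)


class PanRedactingFilter(logging.Filter):
    """Masks card numbers in the fully formatted message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pan(record.getMessage())
        record.args = ()         # already interpolated into msg above
        return True


def log_with_redaction(message: str, *args) -> str:
    """Log one line through a redacting logger and return what the handler wrote.

    Hypothetical helper so the effect can be inspected without touching real files.
    """
    stream = io.StringIO()
    logger = logging.getLogger("billing-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PanRedactingFilter())
    logger.info(message, *args)
    return stream.getvalue().rstrip("\n")


if __name__ == "__main__":
    # Constructed sample line: a signup record that carelessly includes the card.
    print(log_with_redaction("signup user=%s card=%s ip=%s",
                             "alice", "4111 1111 1111 1111", "203.0.113.7"))
```

Attaching the filter to the logger (not a single handler) means every handler on that logger, file or syslog, receives the masked message; a record that reaches a handler before redaction is exactly the "stored in log files" case the reply warns about.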