Visa no more
A few weeks ago (in June 2009), Magnatune stopped being able to accept VISA/Mastercard payments directly, and switched over to using Paypal as our exclusive payment processor.
Update: as of November 2009 we're able to accept all credit cards for album purchases, both through Google Checkout and also through Paypal.
You can still buy albums from Magnatune with your VISA/Mastercard. The change is that now it will be Paypal that will charge your credit card.
For one-time purchases, this change is quite minor: you're redirected to Paypal when you make your purchase, and you can use your credit card number there if you like (or your Paypal account, of course).
For recurring payments, the change is more significant. Because we can no longer directly charge people's credit cards, we have to ask them to use a paypal account for their membership fees. You have to have a paypal account to have a Magnatune membership, unless you buy a lifetime membership, in which case no paypal account is needed.
What happened? Getting slammed by VISA fraud
A few months ago, a bunch of people who trade in stolen credit cards decided to harass the hell out of Magnatune. I'm not sure why they chose to do this, but the cat-and-mouse game that ensued caused enough bad charges on our VISA merchant account, that our charge processor decided to cancel our merchant account.
At the worst of it, we were getting hundreds of fake credit card purchases per day. These people used a different credit card number and a different tcpip address for every purchase. They had the CVV number for each credit card, as well as the billing address. There really wasn't any way to differentiate them from normal charges, except for the huge volume increase in sales that occurred on days when we were targeted (which was most days, for a while).
Each morning, I would go through the previous day's charges and try to figure out which were fraudulent. For instance, the fraudsters liked to buy the same album over and over, using different accounts. Sometimes it would be an artist who normally sells very little, so that was a tip-off. Or, they'd use variations on the same name or password. Needless to say, I didn't catch all the fraud. Since we pay half to the musician, it's likely that Magnatune paid musicians royalties on charges that were eventually rolled back.
The problem got so bad that I made a big change at Magnatune: every new credit card used to buy something would need a 10 minute verification wait, and your purchase success information would be delivered by email. That slowed the fraudsters down for about a week, and then the fraud picked up again, with disposable email addresses from hotmail, yahoo and google being used. The 10 minute wait did have an impact on sales, but I didn't really know what else to do to stop the daily fraud.
Because of the scale of the fraud, and the fact that they used a different tcpip address and email address for every purchase, I think these people are highly sophisticated, and probably are using bots to create many disposable email addresses, and possibly zombie machines to "proxy" to magnatune, thereby using a different tcpip address every time. There was no geographical pattern to the fraud.
Eventually, the fraudsters found our "gift card" sales page, which allowed them to put in whatever dollar amount they wanted. Not limited to $8 purchases, they started hitting us with huge numbers of $100 gift cards. That really started to upset VISA.
Meanwhile, VISA was telling us that they would drop us if we didn't become PCI Compliant. The main thing that PCI Compliance requires of you is to not permanently store the credit cards you receive, but instead to pass them onto your VISA processor and then get a "customer code" back from the processor, and use that in the future. That's fine, and a good idea, since it helps prevent the case where your computer is hacked and all your VISA card numbers are stolen.
However, PCI compliance would do absolutely nothing for us in stopping the daily deluge of fraudulent transactions. When someone has the visa number, CVV number and postal address, the charge is going to go through, and the fact that the card is stolen isn't anything VISA can deal with. What is needed is a personal PIN, like they have in Europe for in-person charges, so that a stolen card can't be used without the PIN number. The "Verified by Visa" program does that over the web, which is great, and some processors support it (ours didn't).
In the end, VISA wasn't happy with my answer that "PCI Compliance won't stop this fraud" and so they dropped us.
For one-time purchases of downloads and CDs, there isn't much of a difference. Your purchase gets routed to paypal for credit card processing, instead of our doing it.
For memberships, we can now only take paypal members. If you already have a paypal membership, this is no hardship. If you don't have a paypal membership, you can open one fairly quickly with your credit card.
Unfortunately, the linux programs Amarok and Rhythmbox no longer can buy Magnatune music directly. Those programs allowed you to purchase music by supplying your credit card, and that no longer works. We're working on a different purchasing pathway for those two programs, so that their next versions will allow purchasing again, but in a different way that doesn't involve putting your credit card number in their software.
The biggest implications for us are financial.
We're seeing about 1/3rd drop in membership revenue because of the change, which is unfortunate.
Also annoying is that the VISA processor put our account "on hold" for two months before finally firing us. During that two month period, they didn't pay us at all. After they cancelled our account, they didn't pay us either. So, we're due two full months of revenue from our VISA processor.
What they've told us is that they're going to hold all the funds for 6 months, at the end of which they'll decide how much they want to keep for possible future chargebacks, and pay us the rest. There doesn't seem to be any transparency on this process, and the processor is being quite vague about how it works.
I've just gone through a royalty payment cycle for my musicians. Despite not actually getting paid for 2 of the 6 months, I decided to pay the musicians now for the sales that occurred. Why? Because musicians are among those most affected by the slow economy, and I hope to eventually get the money from VISA. If after 6 months' waiting, VISA decides to not pay us for those 2 months of sales, I will fight it (after all, they're just keeping our money), but I'm hoping that won't happen.
The good news is that I got a call from Paypal shortly after being cancelled by VISA. They were notified about our being cancelled, and so they reviewed our account. They didn't see a security risk with how we run things, and we're able to continue using them. Paypal's fraud department were quite sympathetic to the merchant's problem of targeted fraud, which was a nice change.
So, if you're wondering why we had a lull in new releases for about 2 months, that's the reason... Now, we're back on track and the backlogged releases are coming out on expedited schedule.
Posted by John Buckman on June 24, 2009 at 04:13 PM | Permalink
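The manual review described in the post (one album bought over and over, a normally slow-selling artist suddenly selling, variations on the same buyer name) can be expressed as a per-album check. The sketch below is an added example, not Magnatune's code; the field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed one-day sample. "card" is a tokenized card fingerprint, never a card number.
_NAMES = ["john smith", "john smith1", "jon smith", "john smyth", "j0hn smith", "john smithe"]
ORDERS = [
    {"id": i, "album": "quiet-artist-01", "card": f"tok-q{i}",
     "ip": f"198.51.100.{i}", "name": n}
    for i, n in enumerate(_NAMES, start=1)
] + [
    {"id": 100 + i, "album": "popular-02", "card": f"tok-p{i}",
     "ip": f"203.0.113.{i}", "name": n}
    for i, n in enumerate(["alice brown", "bob chen", "carla diaz", "deepak rao",
                           "erin olsen", "farid khan", "grace liu"], start=1)
]

# Constructed trailing average of legitimate daily sales per album.
BASELINE_DAILY_SALES = {"quiet-artist-01": 0.5, "popular-02": 8.0}


def _largest_name_cluster(names, threshold):
    """Size of the biggest group of names that are near-duplicates of one name."""
    best = 1 if names else 0
    for i, a in enumerate(names):
        close = sum(
            1 for j, b in enumerate(names)
            if i != j and SequenceMatcher(None, a, b).ratio() >= threshold
        )
        best = max(best, close + 1)
    return best


def flag_card_testing(orders, baseline, spike_factor=5.0, min_orders=4,
                      name_threshold=0.8, min_cluster=3):
    """Return {album: details} for albums whose daily orders look like card testing.

    Per-card and per-IP counters are reported too: when every order uses a new
    card and a new address, as in the post, they stay at 1 and only the
    per-album aggregate shows the anomaly.
    """
    by_album = defaultdict(list)
    for order in orders:
        by_album[order["album"]].append(order)

    findings = {}
    for album, rows in by_album.items():
        reasons = []
        # Floor the baseline at 1 so a single sale of a dormant album is not a "spike".
        expected = max(baseline.get(album, 0.0), 1.0)
        if len(rows) >= min_orders and len(rows) >= spike_factor * expected:
            reasons.append("volume_spike")
        names = [r["name"].strip().lower() for r in rows]
        if _largest_name_cluster(names, name_threshold) >= min_cluster:
            reasons.append("similar_names")
        if reasons:
            findings[album] = {
                "reasons": reasons,
                "order_ids": [r["id"] for r in rows],  # queue these for manual review
                "max_orders_per_card": max(Counter(r["card"] for r in rows).values()),
                "max_orders_per_ip": max(Counter(r["ip"] for r in rows).values()),
            }
    return findings


if __name__ == "__main__":
    for album, info in flag_card_testing(ORDERS, BASELINE_DAILY_SALES).items():
        print(album, info)
```

Flagged orders are candidates for review before fulfilment and royalty accounting, not automatic rejections; the thresholds would need tuning against real sales history.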
It's possible that the purchases were being done as a way to test the card numbers to see if they worked or not before selling them on to other thieves. The fact that they were doing the same album over and over makes this seem likely (at least to me). There must be something about your web setup, or perhaps your merchant account provider, that made you an attractive target. Perhaps your provider was slower than most at figuring out things were bad? Or perhaps they are slower at pushing things upstream, thus giving the thieves more time with the cards? Or perhaps your web forms were more easily scripted than others?
Unfortunately, you were eventually going to have to go PCI or be dropped anyway, as your provider is almost certainly being hassled quite a bit by his up-stream providers. They really want to get to full PCI because it will look like they are doing something about the fraud problems. They dropped you because they see you as a major headache (not your fault of course) and they can kill 2 birds with one stone: on the one hand they get rid of an account that's being used heavily by the fraudsters, and on the other hand they get rid of an account that still needs to upgrade for PCI compliance. For them it's a win-win. For you it's a lose-lose.
Sadly, while everything that's being done for PCI compliance is necessary (for those who don't know: the focus is to make sure that no one stores card numbers or transmits them in the clear), it's far from enough to make a dent in current credit card fraud. We need something like you've said - PINs.
I hope you can pry your money out of your former processor more quickly than 6 months. That's an absurd amount of time to hold on to your money for the legitimate transactions. You might want to present them with sales data from before the high-rate fraud started and make the case that they should pay you at least 80% of that amount immediately, because it's likely that at least that much will be legitimate. I doubt they will go for it (after all, right now they get to collect interest on ALL of your money), but it's a reasonable thing for you to propose. And if they are acting in good faith, you might be able to get them to cough up at least 50% of that. Which would at least be something.
Posted by: Michael Kohne at Jun 24, 2009 5:55:47 PM
I'm sorry to hear this, because I've never had a good experience with paypal, even with their visa processing. To the point of blocking paypal.com in my hosts file so I never get sent there without warning (even if I don't complete the transaction, I don't want them collecting my data, ever).
Fortunately I already have a lifetime membership! But I'm certainly not the only person who avoids paypal at all costs. For them, is it possible to pay the old fashioned way, via check?
By the way, once upon a time there used to be a useful discussion forum. Is that gone forever?
Posted by: sw at Jun 24, 2009 10:15:57 PM
I'm very sorry to hear Magnatune has been targeted in such a way. Is there anything you can do to sue the frauder(s)?
We also had some credit card fraud problems on some game server I was helping to run. Those are really hard to deal with. That together with the new bank rules for credit card payments... we also eventually made the choice to run everything through Paypal. It sure doesn't please some users, but there were not much choice left!
Anyway, maybe it's a good idea to consider adding some other online payment service (there are many out there, such as moneybookers.com and so on). At least to please those people who have for some reason paypal-allergy.
I'm happy to see new releases. Good luck and keep up the good work!
Posted by: pachipachi at Jun 24, 2009 11:18:11 PM
I am also sorry to hear about this John, but glad that it's on the way to be sorted. Also from myself (and I guess a lot of other Magnatune artists) a big thankyou for keeping the royalty payments on schedule, I'm sure that's appreciated across the board. Let me know if I can do anything else to help.
Posted by: Christopher Harvey at Jun 25, 2009 4:55:19 AM
I hate PayPal with a passion.
Even I understand though in a case like this, when all you're trying to do is give musicians a fair break. I urge everyone in the community to help Magnatune bounce back stronger than ever by supporting John with our wallets as much as our kind words. Show the music industry that community and ethics count on the bottom line. I'll be eagerly awaiting your new lineup John.
Thankyou for supporting musicians, DRM free music and free software in general, even in the face of such adversity. You are a real hero.
Posted by: Bugsbane at Jun 25, 2009 3:04:12 PM
I've resisted membership (prefer paying per download) but I really don't want to use paypal for single downloads. I notice the suggested payment for a 1-year download membership is $240 while a lifetime membership is $295, making the lifetime membership a no-brainer. Would it be too much pain to accept snail mail (check/MO) payments for lifetime memberships? I guess I'd buy one. I realize the handling/processing costs would be nontrivial and you might not want to deal with it for monthly memberships, but for a $295 transaction, it might still be ok compared with the exorbitant paypal fees.
Posted by: paul at Jun 28, 2009 8:59:38 PM
John, I have to wonder why you didn't just say "PCI compliance? Sure, sounds good, I'll do it right away" and defer to Visa about whether it would help with the fraud or not.
Verified by Visa sucks and I refuse to enroll in it. It requires yet another obnoxious user agreement and there is no way to get out of it once you've signed up. I buy from newegg.com all the time, they pop an enrollment screen for it, and I just close the window and newegg processes the order anyway. One time my CC company flagged this and had me check in with their fraud department by phone and I said yes, the purchases were real and that I just didn't want to enroll in Verified by Visa, and they said no problem and unflagged the card. So, I hope Magnatune doesn't start requiring it. It is completely for the merchant bank's benefit and it does nothing for the customer.
Posted by: paul at Jun 29, 2009 12:14:02 AM
I too have a PayPal phobia. I was considering buying, but if the only payment is PayPal, I won't be. How about a money order?
Posted by: Ken Bullock at Jun 30, 2009 6:08:13 PM
Good thing you didn't go down the whole VbV route, it's a royal PITA and ends up alienating payees in a major way. Years ago I signed up for the VbV and Master SecureCode, complete disaster once they bought in the whole password thing. Using the PCI/3-party system works well but in your case, you're absolutely correct, it'd do nothing to alleviate the situation.
I also resisted moving to using PayPal for many reasons, alas I have to admit that since letting people use PayPal my sales have gone up a significant amount *sigh*.
Good luck with the future situation.
Posted by: Paul.D. at Jul 4, 2009 3:16:53 AM
It's a real shame and seems completely circumstantial. Personally, I have about as much paranoia about Paypal as I do Google: absolutely none.
Still, it's a real shame that you can't purchase albums straight from Amarok any more... I actually filed a wish at bugs.kde.org for Paypal integration. Looks like now, it's quite necessary.
Oh! But what happened to the days when hacking was just a bit of fun and a joke? Occurrences like these are why I hate people's greed so much.
Posted by: Marcus Harrison at Jul 4, 2009 6:33:45 AM
"what happened to the days when hacking was just a bit of fun and a joke? Occurrences like these are why I hate people's greed so much."
some people want to draw a thick line between harmless fun and organized crime, but there is no easy to draw line with the good guys on one side and "baddies" on the other.
people that do silly things that cause little or no harm exist in great numbers, and criminals don't always need the highest tech stuff when basic-level hacking is enough for them to siphon money off the public. it's wise to remember though, the line still exists, neatly drawn or not. the days of harmless hacking are never gone, and the people stealing your money probably don't even think of themselves as "hackers." they're just taking money from decent people.
as for this unsightly mess, i'm very unhappy to see it happen to a great thing like magnatune, and it will shorten the time before i purchase another album. good luck guys, sorry to hear about it and keep up the great work.
Posted by: anonymous at Jul 7, 2009 12:42:51 PM
Oh man, this is a little off-topic for this Visa-based thread but it's related to my Magnatune listening while I can't buy albums except by using (ecch) Paypal.
It sounds to me like the between-track voiceovers ("that was track number 4 on the album blah blah...") have gotten a lot louder and more annoying than they used to be. I understand the idea that the voiceover interruptions (besides their ostensible purpose of identifying podcasts) prod the listener into buying the album in order to get away from the interruptions. But it used to be that you could listen to the album while putting up with the voiceover for a while. After two or three listens the annoyance level would build up, but if you've listened to the album two or three times already, it's time to buy a copy regardless.
Now, though, the louder voiceover makes the album unlistenable even for one listen. Result is lower likelihood to ever listen to an unknown album enough to decide to buy it.
It really does take an all-the-way-through listen, by the way. There was an album I downloaded recently, the first of which sounded great if taken by itself. Same for the second track, third, etc. Problem with the album was that all the tracks sounded the same, in fact each track got repetitive after a minute or so. I would have felt pretty disappointed if I'd bought that album.
I guess your data about conversion rates will give you better guidance to optimal voiceover strategy than some random user like me whining, but we do notice these things.
Posted by: paul at Jul 14, 2009 12:30:21 AM
I am sorry to hear of this challenge, John. Credit card fraud is such a huge problem, as this story illustrates.
Posted by: gurdonark at Jul 14, 2009 2:33:00 AM
The way it reads to me is that you choose a 2nd rate payment processor ("and some processors support it (ours didn't)") and are now paying the price for doing so while screwing potential clients in the process
following the horror stories you can easily find about Paypal, I absolutely refuse to use them, for any reason
I cannot claim to be a great client for you, only bought a few tracks (OTOH, never really used the "free" listening option either) but unless you find a way to get credit cards working again there will be no further purchases coming from me
Posted by: rk at Jul 15, 2009 9:14:28 AM
I'm sorry to hear of these problems.
I wonder, why do so many here dislike (or fear?) PayPal? I really would like to know whether I should start to myself.
Posted by: panzi at Jul 15, 2009 4:42:25 PM
maybe google checkout could be an alternative for those who don't like paypal?
Posted by: nicholas at Jul 17, 2009 7:50:09 PM
One thing I don't like about paypal is its tracking of specific purchases when you use their shopping cart. If I buy some CD's with my Visa card, my bank is notified that I spent X dollars at such-and-such a vendor, but they are not told what I bought. If I buy with Paypal, they find out the exact items. While my musical tastes (primarily classical piano music) aren't particularly embarrassing or secret, I don't like the idea of anyone operating a giant database with the specific details of zillions of small purchases by millions of people. When I use paypal on ebay, I always pay the dollar amount as "goods-author" rather than "auction number such-and-such" for that reason. The dealers and Paypal customer service said it was ok to do that, but it sometimes leads to some confusion anyway.
Posted by: paul at Jul 18, 2009 9:17:19 PM
I should say, the above comment is from the point of view of someone who hasn't personally experienced any paypal horror stories (though those are common) but am still uncomfortable with it.
One thing I will never do is give them my checking account number, although they are always after it. They love to suck money out of your account in the event of some disagreement. When it's from a credit card, I can always contest it through the CC company and it's Paypal's burden to prove that their sucking was valid. If it's from a checking account I'd basically have to go to court.
paypalsucks.com has quite a few horror stories. I don't totally refuse to use paypal (it is sometimes semi-indispensable, and I don't mind it as much for person-to-person transactions) but I generally prefer to avoid it. If I use it with Magnatune it will be for a one-shot life membership rather than individual cd purchases like I'd been doing with Visa. I'd rather have one big transaction than a lot of small ones, to minimize the total number of chances paypal gets to screw something up.
Mostly though, I guess it's a matter of perception. There are two kinds of vendors on the internet: serious ones that take credit cards, and less established ones (typically selling through ebay) who only take paypal. I'll avoid the word "schlocky" but if a vendor only takes paypal and not credit cards, it comes across like they're not really an established business.
Posted by: paul at Jul 18, 2009 9:31:19 PM
I feel very sad that you had to endure this. I admire that you kept your sense of proportion vis-a-vis the artists, John. Keep us informed down the line, won't you?
Posted by: Christopher McLean at Jul 20, 2009 5:24:00 AM
I don't like Paypal but I like Magnatune more :) Yay, I'm even a lifetime member since yesterday, through Paypal of course.
So did you really think who was targeting you and why? Was it maybe the artist trying to get more money? Seems too obvious. Or music big industry trying to ruin your business model - there is no competition like no competition? A disgruntled employee that you underpaid for a long time? Or an ex-wife that is upset that you have made your cash after you dumped her? :))
Seriously, you might want to report this to authorities as it looks like an attack on Magnatune and not random doing of a teenager. No one buys same album with stolen credit cards just to upset someone else, these criminals go for real goods so they can profit from it. I think this was aimed at Magnatune on purpose for some reason. I hope I'm wrong.
Posted by: Rad at Jul 23, 2009 5:51:37 AM
sorry to hear that the crooks have found your weak spot and are exploiting it ASAP. I don't know what the costs are, but perhaps a superior-top-shelf-1stgrade provider is what is needed. At least until the European-visa is used in the "world-leading" USA Visa cards. This also might be just a sorry excuse by Visa to skim extra profits from merchants like you (after all they would know exactly which charges are legit and those that were not by the complaints received) in the differences in the fraud/actually made charges and NOT prove to you which is which and NOT pay you the correct amounts. Visa should have long ago put into place enough safe guards to limit such MASSIVE thefts. This is NOT a just now happening freakish event. And don't let them say they can't find these people. ALL net traffic goes thru just a few massive server sites. Tracking the kiddies/pros is a matter of processor power/time study. Bet most of it is Eastern EU/Chinese with a few local script-kiddies. Frankly, I would band with other merchants and hire some high power Legal talent to go after Visa for being so neglectful in their obligations to the merchants who need them to conduct on-line business.....
Posted by: KH Zirk at Jul 30, 2009 3:23:43 PM
Please tell us who your old VISA processor was so we can avoid them! Only if you do this will the word get around and we can avoid using them for our own businesses and that will eventually put pressure on them to conduct themselves better. We all need to be accountable for what we do in business, why not them?
Posted by: Mark at Jul 31, 2009 3:24:13 PM
re: "Please tell us who your old VISA processor was so we can avoid them!"
I don't want to give their name yet because they still have several months of magnatune's money in their bank, and they say they will pay "some proportion of it" in 6 months' time, when they've decided how much of it should be reserved for charge backs. There doesn't seem to be any process by which I can appeal (or even discuss) this hold-back and how much is paid (most of those charges are completely legit) so I want to avoid antagonizing them for now.
Posted by: John from Magnatune at Aug 1, 2009 3:49:21 AM
While individual payment processors do have problems they cause, the real problem is that the whole VISA (and MasterCard) architecture is fundamentally insecure. BTI (before the internet), the security problems cost only a tiny amount and it was easily absorbed for the convenience. Now we have scammers that have the power of millions of zombie Windows computers (every person owning such infected computers should be jailed, IMHO) and millions of email addresses at various web mail services. They don't even need to steal private info anymore ... they can just make it up and run tests. If they get your card but not your CVV, they will run random tests on the thousands of merchants they have exploited this way ... and will figure it out.
Ultimately, VISA and MasterCard need to be replaced by something secure. It will be less convenient. We will have to bear that inconvenience. But we need it so that convenience vs. inconvenience does not create an unlevel playing field for merchants. If VISA and MasterCard were forced to cover all the costs of this fraud (that happens because of the way they designed it), you can be sure they'd nowadays fix it. But, instead, they impose legal terms on both ends (card holders and merchants) that push the costs onto them, without providing any means (because the design can't) to identify and avoid fraud.
We are victims of what amounts to the entire banking industry's incompetence.
Posted by: Phil at Aug 5, 2009 2:20:27 PM
Is there any chance you'll be able to accept direct electronic payment from a bank, similar to what is done for a recurring mortgage or utility payment?
Posted by: Jg at Aug 6, 2009 9:02:28 PM
Jg -- Paypal does this as well, you just have to sign up for a Paypal account first.
Posted by: Shawn K. Quinn at Sep 7, 2009 8:22:41 AM
Please offer a way to pay by check or electronic payment. This option can involve a delay, while the check clears and you enter the receipt into your software to trigger an email with the download codes or membership renewal confirmation. Those who want "instant" can use PayPal. A further benefit is that by waiting for the check to clear, there are no Visa, PayPal, or check guarantee service charges.
Another idea: sure, automatic charges are out without PayPal for now. But you still support one-time CC charges via PayPal. Why not allow manual membership renewal? I *could* create a new login each time, but that would get old quickly. Why not let me reuse my login and just make another "one-time" payment?
Posted by: Stuart Gathman at Sep 8, 2009 9:37:08 AM
Secure electronic payment is a Really Hard Problem for all the required aspects of security (fraud, anonymity, nonrepudiation, nonreplayable, etc..) which has kept computer science and computer security busy for a long time, and will continue to do so.
Mix this with the extremely high threshold of making your way into this market with gigantic, well established actors which do not want their business disrupted, and you can see that it'll go nowhere fast.
For all you Paypal haters out there, remember that we are fighting the evil record companies here, not the evil payment processing industry.
Posted by: Asgeir S. Nilsen at Sep 10, 2009 3:03:35 PM
"We are victims of what amounts to the entire banking industry's incompetence."
That seems to be the theme of the past year.
Posted by: Nate at Oct 6, 2009 12:46:38 PM
I was reading the latest announcement email, and noticed that you seem to think that people need Paypal accounts to buy music from Magnatune with Paypal. In fact, the interface to Paypal that Magnatune uses is perfectly fine with doing credit card transactions not tied to an account. This is a big difference, because the Paypal horror stories I've heard are about money stuck in Paypal accounts.
Posted by: Daniel Barkalow at Oct 24, 2009 10:50:06 AM
Hello, I've just tried to sign up for a lifetime membership only to fall foul, yet again, of Paypal. The 'error' message basically says 'We can't recognise your credit card please try a different card'. They are surely joking? Has anyone from Belgium (that's where I live) managed to buy a lifetime membership for Magnatune via Paypal?
Posted by: Jim McKenna at Oct 26, 2009 12:56:24 PM
So much for Paypal. Payment for a download using a Visa card - accepted. Payment for lifetime membership using the same Visa card - rejected! 'Please use a different card'! Why?
Sorry Mr Buckman, I've been a keen supporter over the years but Paypal is a joke!
To pick up on a post by Jg: here in Europe it is normal to make bank to bank transfers. Can you give an IBAN and BIC to make this possible?
Posted by: Jim McKenna at Oct 26, 2009 4:10:02 PM
Fantastic! I never had a problem with Paypal in all the years they have been online and find them my preferred way of doing business. Great to hear of this, John. Looks to be a win-win for all.
The only problem I ever have is you folks answering my emails or send email back to me. : ) Good luck!
Posted by: Ashley at Oct 27, 2009 12:06:09 PM
John, if you're staying with Paypal, would you mind adding their shopping cart interface? I hate Paypal and want to use it as infrequently as possible. That means if I want to buy three albums, I'd rather do it in one transaction than three transactions. Thanks.
Posted by: paul at Nov 18, 2009 12:09:45 PM
was about to buy 3-4 albums for Christmas and then remembered you only accept Paypal now. You just lost sales.
Any progress made towards accepting credit cards again?
Everybody else and his dog seems to be able to manage dealing with credit cards! It is incredibly stupid when you reach the point where it would be easier to stream-rip the tracks (which I will _not_ do) than to pay for them ...
Posted by: rk at Dec 29, 2009 8:04:18 AM