A few weeks ago (in June 2009), Magnatune stopped being able to accept VISA/Mastercard payments directly, and switched over to using Paypal as our exclusive payment processor.
Update: as of November 2009, we're able to accept all credit cards for album purchases, through both Google Checkout and Paypal.
You can still buy albums from Magnatune with your VISA/Mastercard. The change is that now it will be Paypal that will charge your credit card.
For one-time purchases, this change is quite minor: you're redirected to Paypal when you make your purchase, and you can use your credit card number there if you like (or your paypal account, of course).
For recurring payments, the change is more significant. Because we can no longer directly charge people's credit cards, we have to ask them to use a paypal account for their membership fees. You have to have a paypal account to have a Magnatune membership, unless you buy a lifetime membership, in which case no paypal account is needed.
What happened? Getting slammed by VISA fraud
A few months ago, a bunch of people who trade in stolen credit cards decided to harass the hell out of Magnatune. I'm not sure why they chose to do this, but the cat-and-mouse game that ensued caused enough bad charges on our VISA merchant account, that our charge processor decided to cancel our merchant account.
At the worst of it, we were getting hundreds of fake credit card purchases per day. These people used a different credit card number and a different IP address for every purchase. They had the CVV number for each credit card, as well as the billing address. There really wasn't any way to differentiate them from normal charges, except for the huge jump in sales volume on the days when we were targeted (which was most days, for a while).
Each morning, I would go through the previous day's charges and try to figure out which were fraudulent. For instance, the fraudsters liked to buy the same album over and over, using different accounts. Sometimes it would be an artist who normally sells very little, so that was a tip-off. Or, they'd use variations on the same name or password. Needless to say, I didn't catch all the fraud. Since we pay half to the musician, it's likely that Magnatune paid musicians royalties on charges that were eventually rolled back.
The problem got so bad that I made a big change at Magnatune: every new credit card used to buy something would need a 10 minute verification wait, and your purchase success information would be delivered by email. That slowed the fraudsters down for about a week, and then the fraud picked up again, with disposable email addresses from hotmail, yahoo and google being used. The 10 minute wait did have an impact on sales, but I didn't really know what else to do to stop the daily fraud.
Because of the scale of the fraud, and the fact that they used a different IP address and email address for every purchase, I think these people are highly sophisticated, and probably are using bots to create many disposable email addresses, and possibly zombie machines to "proxy" to magnatune, thereby using a different IP address every time. There was no geographical pattern to the fraud.
Eventually, the fraudsters found our "gift card" sales page, which allowed them to put in whatever dollar amount they wanted. Not limited to $8 purchases, they started hitting us with huge numbers of $100 gift cards. That really started to upset VISA.
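The morning review described above, written up as an added Python example that is not Magnatune's code: it runs constructed orders through the signals the post names (a volume spike against the normal daily rate, one album bought by many different accounts within a short window, variations on one name across accounts, a free-form gift-card amount, and webmail addresses, the last treated only as corroboration of another signal). All field names, thresholds, and sample orders are assumptions made for illustration.

```python
"""Order-review heuristics modelled on the signals in the post.

Added example, not Magnatune's code. Field names, thresholds and the sample
orders are all assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed review thresholds; a real merchant tunes these on its own history.
SAME_ALBUM_WINDOW = timedelta(hours=1)   # window for "same album, many accounts"
SAME_ALBUM_MIN_ACCOUNTS = 3              # distinct accounts buying one album in the window
GIFT_CARD_MAX_USD = 50.00                # cap the post says the gift-card page lacked
VOLUME_SPIKE_FACTOR = 3.0                # day's orders vs. the normal daily count
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}  # providers named in the post


def name_stem(name: str) -> str:
    """Collapse 'J. Smith', 'jsmith2', 'J_Smith' to one key to catch name variations."""
    return re.sub(r"[^a-z]", "", name.lower())


def review_orders(orders, baseline_daily_orders):
    """Return {order_id: [reasons]} for orders that deserve a manual look.

    Each order is a dict with keys: id, ts (datetime), account, name, email,
    ip, item, kind ('album' or 'gift_card'), amount (USD).
    """
    flags = defaultdict(list)
    orders = sorted(orders, key=lambda o: o["ts"])

    # 1. Volume spike: the post's clearest tip-off was far more sales than usual.
    per_day = Counter(o["ts"].date() for o in orders)
    for o in orders:
        if per_day[o["ts"].date()] >= VOLUME_SPIKE_FACTOR * baseline_daily_orders:
            flags[o["id"]].append("daily volume spike")

    # 2. The same album bought by many distinct accounts within a short window.
    by_item = defaultdict(list)
    for o in orders:
        if o["kind"] == "album":
            by_item[o["item"]].append(o)
    for group in by_item.values():
        for o in group:
            accounts = {g["account"] for g in group
                        if abs(g["ts"] - o["ts"]) <= SAME_ALBUM_WINDOW}
            if len(accounts) >= SAME_ALBUM_MIN_ACCOUNTS:
                flags[o["id"]].append("same album bought by many accounts")

    # 3. Variations on one name spread across several accounts.
    by_stem = defaultdict(set)
    for o in orders:
        by_stem[name_stem(o["name"])].add(o["account"])
    for o in orders:
        if len(by_stem[name_stem(o["name"])]) >= 2:
            flags[o["id"]].append("name variation across accounts")

    # 4. Gift cards: bound the amount instead of accepting any figure typed in.
    for o in orders:
        if o["kind"] == "gift_card" and o["amount"] > GIFT_CARD_MAX_USD:
            flags[o["id"]].append("gift card above cap")

    # 5. Webmail address: too common to flag alone, so only added as corroboration.
    for o in orders:
        domain = o["email"].rsplit("@", 1)[-1].lower()
        if domain in WEBMAIL_DOMAINS and flags.get(o["id"]):
            flags[o["id"]].append("webmail address")

    # The IP address is carried but not scored: as the post found, a fresh
    # address on every purchase gives nothing to match on.
    return dict(flags)


def order(oid, ts, account, name, email, ip, item, kind, amount):
    return {"id": oid, "ts": ts, "account": account, "name": name, "email": email,
            "ip": ip, "item": item, "kind": kind, "amount": amount}


def constructed_orders():
    """Constructed sample: a quiet day, then a day shaped like the post's attack."""
    base = datetime(2009, 5, 10, 9, 0)
    quiet = [
        order(1, base, "bob", "Bob Lee", "bob@example.org", "192.0.2.10", "album-a", "album", 8.0),
        order(2, base + timedelta(hours=3), "carol", "Carol Ng", "carol@example.net",
              "192.0.2.11", "album-b", "album", 8.0),
    ]
    attack_day = base + timedelta(days=1)
    carding = [order(10 + i, attack_day + timedelta(minutes=2 * i), f"buyer{i}", f"J Smith{i}",
                     f"jsmith{i}@hotmail.com", f"203.0.113.{i}", "album-c", "album", 8.0)
               for i in range(8)]
    gift = order(30, attack_day + timedelta(hours=2), "buyer99", "Pat Roe", "pat99@yahoo.com",
                 "198.51.100.7", "gift", "gift_card", 100.0)
    normal = order(31, attack_day + timedelta(hours=5), "alice", "Alice Wu", "alice@example.org",
                   "192.0.2.12", "album-a", "album", 8.0)
    return quiet + carding + [gift, normal]


if __name__ == "__main__":
    for oid, reasons in sorted(review_orders(constructed_orders(), 3).items()):
        print(oid, "; ".join(reasons))
```

Each signal on its own is noisy: the spike flag also lands on the one genuine customer who bought that day (order 31), and a webmail address says nothing by itself, which is why the example only appends it to orders that already carry another reason. What a reviewer acts on is the pile-up of reasons on the same order.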
Meanwhile, VISA was telling us that they would drop us if we didn't become PCI Compliant. The main thing that PCI Compliance requires of you is to not permanently store the credit card numbers you receive, but instead to pass them on to your VISA processor and get a "customer code" (a token) back from the processor, which you use for future charges. That's fine, and a good idea, since it helps prevent the case where your computer is hacked and all your VISA card numbers are stolen.
However, PCI compliance would do absolutely nothing for us in stopping the daily deluge of fraudulent transactions. When someone has the VISA number, CVV number and postal address, the charge is going to go through, and the fact that the card is stolen isn't something VISA can detect from that data. What is needed is a personal PIN, like they have in Europe for in-person charges, so that a stolen card can't be used without it. The "Verified by Visa" program does that over the web, which is great, and some processors support it (ours didn't).
In the end, VISA wasn't happy with my answer that "PCI Compliance won't stop this fraud" and so they dropped us.
Implications
For one-time purchases of downloads and CDs, there isn't much of a difference. Your purchase gets routed to paypal for credit card processing, instead of our doing it.
For memberships, we can now only take members who pay through paypal. If you already have a paypal account, this is no hardship. If you don't have a paypal account, you can open one fairly quickly with your credit card.
Unfortunately, the linux programs Amarok and Rhythmbox can no longer buy Magnatune music directly. Those programs allowed you to purchase music by supplying your credit card, and that no longer works. We're working on a different purchasing pathway for those two programs, so that their next versions will allow purchasing again, but in a different way that doesn't involve putting your credit card number in their software.
The biggest implications for us are financial.
We're seeing about a one-third drop in membership revenue because of the change, which is unfortunate.
Also annoying is that the VISA processor put our account "on hold" for two months before finally firing us. During that two month period, they didn't pay us at all. After they cancelled our account, they didn't pay us either. So, we're due two full months of revenue from our VISA processor.
What they've told us is that they're going to hold all the funds for 6 months, at the end of which they'll decide how much they want to keep for possible future chargebacks, and pay us the rest. There doesn't seem to be any transparency on this process, and the processor is being quite vague about how it works.
I've just gone through a royalty payment cycle for my musicians. Despite not actually getting paid for 2 of the 6 months, I decided to pay the musicians now for the sales that occurred. Why? Because musicians are among those most affected by the slow economy, and I hope to eventually get the money from VISA. If after 6 months' waiting, VISA decides to not pay us for those 2 months of sales, I will fight it (after all, they're just keeping our money), but I'm hoping that won't happen.
The good news is that I got a call from Paypal shortly after being cancelled by VISA. They were notified about our being cancelled, and so they reviewed our account. They didn't see a security risk with how we run things, and we're able to continue using them. Paypal's fraud department was quite sympathetic to the merchant's problem of targeted fraud, which was a nice change.
So, if you're wondering why we had a lull in new releases for about 2 months, that's the reason... Now, we're back on track and the backlogged releases are coming out on an expedited schedule.
-john