Should I ask for ID with credit card verification for high-risk orders?

Hi,

In the case below, should I still ask for a photo of the credit card and ID? Or will a photo of the credit card suffice (no ID)?

A customer placed an order and was marked as high-risk because they didn’t put the correct billing address (not sure why the payment was accepted if that’s the case). We canceled the order and asked the customer to retry with the correct billing. They responded and tried again. The order is marked as medium risk this time. The main reason on the fraud analysis is that the customer’s billing and shipping are two different countries (they moved) and similar to fraudulent activities in the past. Shopify also still could not verify that billing matched the one registered to their credit card.

To me it doesn’t seem like a fraudulent order. The customer retried ordering when requested; both times, there was only 1 attempt for payment. The order was re-placed on Friday, and the customer followed up again over the weekend to see if the 2nd attempt worked. The communication seems real.

Since the shipping address is all the way in Europe, I want to be extra sure before shipping, but don’t want to scare off the customer. Let me know what you think I should do. Thank you!

At the end of the day there is no right answer to this one.

Gut feeling is a large part of these things and also the size of the order.

Trust your own judgement and never send just because you want to make the money.

Asking for a photo of a customer’s credit card is directly breaking PCI compliance.

https://squareup.com/us/en/townsquare/pci-compliance

This puts you at risk for a very expensive lawsuit. Shopify helps you keep PCI compliant by not storing or revealing the credit card numbers from your customers’ orders.

By asking for a credit card you’re directly breaking that layer of protection.

@noovo I’m tempted to just process the order, but the value is high so trying to be more cautious.

@dylanpierce we are asking for a photo with numbers covered except the last 4 digits. Not the full card. Just so we know they have the physical card. I don’t think that’s breaking PCI?