1.5.7c with PHP 7.2 and 1.5.6c with PHP 7.2
Both with latest version of Square and OPC
Interesting activity found while looking into the token expiration situation.
Orders placed through Guest Checkout of OPC.
Using a valid CC number and CVV, the system accepts any other information and captures the transaction.
Deliberately setting the billing address and zip code to totally bogus settings does not fail and square does the capture.
This is scary in that any card that arrives in someone's possession by any means will have three things on the card minimum. The CC number, expiration date, and the CVV number. There are other items on the card depending on the type, but those seem to be the only things Square is evaluating in order to capture.
This is leading to chargebacks as Square eventually finds out the other information on the billing address is bogus.
On at least two occasions for one shop owner, Square accepted and captured a bogus order with code in the Address Line 2 block of the billing address.
Is anyone else experiencing this? When I get gas with a credit card, I am often prompted to enter a "Valid Zip Code" for the card. With the Square module setup on these two stores, Square does a capture no matter what Zip Code is used.
When the customer tries to talk to Square about their fraud check process, they get nothing but an attempted upsell to Square's platform.
Below is the billing address for one order. The name is bogus, of course. The address and zip are legit. The phone # is from LA. The e-mail seems to be valid and is pronounced OK by several checkers.
Attachment 19659


Reply With Quote
