Credit card fraud prevention using PHP and MYSQL database


Credit card fraud has become widespread on the Internet. According to MasterCard International, account takeover fraud has increased 369% since 1995. It has become one of the fastest growing types of fraud and one of the most difficult to combat. More than $700 million in online sales were lost to fraud in 2001, representing 1.14 percent of total annual online sales of $61.8 billion, according to GartnerG2. Even if the credit card company has given authorization as to the validity of the card, there are several ways fraudulent cards can be used on your site. The card may have been lost or stolen, but the card owner has not yet reported it lost. Or the card number (and not the card itself) may have been stolen without the owner’s knowledge. There is also a scam called identity theft, in which the card is issued under false pretenses using another person’s identity and details.

As an online merchant, you must have a system to verify the authenticity of orders placed to protect your business. While the effort may require additional time and money, it can save you the cost and stress caused by fraudulent order chargebacks. You lose your physical products; you lose the sale price; you lose another business opportunity; and you will be assessed an additional $15-$50 return charge fee. If you have a high percentage of chargebacks, your card service company may even blacklist you and terminate your merchant account. You will also spend time looking up the order and providing the requested information to your card servicing company. All these annoyances are things you can surely do without.

How can you protect your business from credit card fraud? Here are some steps that can be taken to ensure that the true cardholder requests the transaction.

Suspicious shipping address.

According to ClearCommerce Corporation, a provider of payment processing and fraud protection software for e-commerce, orders from Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia, and Pakistan have a very high incidence of fraud and often have unverifiable addresses.

Untraceable email address.

In many fraudulent orders, the customer’s email address is usually at one of the free email services, such as and, which are relatively untraceable.

Expensive items.

Be careful with expensive orders, especially expensive brand name items.

Multiple items.

It can be a bad sign, for example, if someone orders three X-Boxes or three DVD players at once, especially when the items have a high resale value.

Express delivery.

Most fraudulent orders specify overnight or 1-day shipping without hesitation.

The shipping address differs from the billing address.

The receiving point and billing address are different for fraudulent orders. If you are selling valuable items, it may be a good policy to only ship to the cardholder’s billing address.

Suspicious billing address.

The address seems too simple or invalid. If the billing address is 123 Main St, New York, the order is likely fraudulent. You can use an online location tool to see if the address can be verified.

Leave at the door or post office box.

If the courier cannot guarantee delivery of the goods, the risk of fraud is very high.

The advancement of geographic segmentation on the Internet allows us to identify the geographic region of an order. The information can be used to reduce fraud by verifying it against the billing address and delivery address. This method can identify the scenario where someone from country X has stolen credit card details from country Y. The IP address lookup service will reveal the actual country instead of relying on the country that was filled in on the order form.

IP2Location(TM) provides technology to translate the IP address to the country of origin. The lookup table is available in various formats such as database and COM. It is the perfect solution to automate fraud detection using client-side programming languages like C++ and Visual Basic, or server-side programming languages like ASP, PHP, JSP, and CFML.

For example, XYZ Company received a credit card order from IP address The order details are as follows:

Name: Juan Ma

Address: Main Street 123

City: New York

ZIP Code: 11111

Country: United States

Phone: (503) 111-1111

Credit card number: 1234 5678 9012 3456

Expiration Date: December 2010

The merchant credit card processor will authorize this order if the billing address matches the order details. Unfortunately, the credit card details were previously stolen by Mr. ABC from another country over the Internet. Subsequently, he made a purchase of digital products from XYZ company using the information. His order was approved by the merchant because all the details matched John’s record in the bank’s database. IP2Location(TM) technology can filter the difference between the country of the order and the country of registration in advance to protect the business from it. You can classify this type of order for manual inspection before the goods are delivered. You will be surprised how much this method will help to identify fraudulent orders.

In this tutorial, we use the IP2Location(TM) IP-Country database to look up the country of origin from the visitor’s IP address. Instead of loading the entire database with 50,000+ records, we could simplify this tutorial by assuming only two different IP address ranges in the world. The IP addresses – originate from the United States. Meanwhile, the IP addresses – originate from Japan. Here we are creating an “IP2Location” database with the “IPCountry” table consisting of two IP address range records.

Step 1: Create and connect to the ‘IP2Location’ database

mysql> CREATE DATABASE IP2Location;

mysql> CONNECT IP2Location

Step 2: Create the ‘IPCountry’ table

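mysql> CREATE TABLE IPCountry
    -> (
    -> ipFROM INT UNSIGNED NOT NULL,
    -> ipTO INT UNSIGNED NOT NULL,
    -> countrySHORT VARCHAR(2) NOT NULL,
    -> countryLONG VARCHAR(100) NOT NULL,
    -> PRIMARY KEY (ipFROM, ipTO)
    -> );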

Step 3: Import the ‘ipcountry.csv’ database into the ‘IPCountry’ table

mysql> INSERT INTO IPCountry VALUES (0, 2130706431, 'US', 'UNITED STATES');

mysql> INSERT INTO IPCountry VALUES (2130706432, 4294967295, 'JP', 'JAPAN');

The full version of the IP-Country database is available by subscription at $49/year from If you have the full version of the IP2Location(TM) IP-Country database, the import process is much easier using the LOAD DATA function available in MYSQL.


We create a script that compares the country looked up from the IP address with the country provided in the order, as part of the authorization flow. It serves as a filter to reduce fraud. All rejected orders will be manually verified by merchants.


<?php
// Country in the billing address; in this example, we assign "US" for the United States.
$billingCountrySHORT = "US";

// Replace these MySQL server variables with the actual configuration
$mysql_server = "Hostname"; // placeholder, like the user name and password below
$mysql_user_name = "Username";
$mysql_user_pass = "Password";

// Retrieve the visitor's IP address from the REMOTE_ADDR server variable
$ipaddress = getenv("REMOTE_ADDR");

// Convert IP address to IP number to query the database
$ipno = Dot2LongIP($ipaddress);

// Connect to the database server
// (mysqli replaces the mysql_* functions, which were removed in PHP 7)
$link = mysqli_connect($mysql_server, $mysql_user_name, $mysql_user_pass)
    or die("Could not connect to MySQL database");

// Connect to the IP2Location database
mysqli_select_db($link, "IP2Location") or die("Could not select database");

// SQL query to match the record whose range contains the IP number;
// the value is bound as a parameter instead of being pasted into the string
$stmt = mysqli_prepare($link, "SELECT * FROM IPCountry WHERE ? <= ipTO AND ? >= ipFROM")
    or die("IP2Location query failed");
mysqli_stmt_bind_param($stmt, "ii", $ipno, $ipno);

// Execute SQL query
mysqli_stmt_execute($stmt) or die("IP2Location query failed");
$result = mysqli_stmt_get_result($stmt);

// Retrieve the recordset (only one); $row is null when no range matches
$row = mysqli_fetch_object($result);

// Keep country information in two different variables
$countrySHORT = $row ? $row->countrySHORT : "";
$countryLONG = $row ? $row->countryLONG : "";

// Release recordset and close the connection to the database
mysqli_free_result($result);
mysqli_stmt_close($stmt);
mysqli_close($link);

if ($countrySHORT == $billingCountrySHORT) {
    // IP address country same as country in billing address
    // Low risk of fraud
} else {
    // IP address country different from the country in the billing address
    // High risk of fraud
}

// Function to convert a dotted IPv4 address to an IP number (0 to 256^4-1)
function Dot2LongIP($IPaddr)
{
    // Empty, missing or non-IPv4 input yields 0
    if (!filter_var($IPaddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return 0;
    } else {
        $ips = explode(".", $IPaddr);
        return $ips[3] + $ips[2] * 256 + $ips[1] * 256 * 256 + $ips[0] * 256 * 256 * 256;
    }
}
?>
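The warning signs listed earlier can be combined with the IP-country lookup into a single hold-for-review decision. The following is an added example, not code from the original article; the field names, the price threshold, the placeholder free-mail domain and the review rule are assumptions.

```php
<?php
// Added example: screen an order against the warning signs listed in the article.
// Field names, thresholds and the review rule are assumptions for illustration.

// Countries the article cites (via ClearCommerce), as ISO 3166 two-letter codes.
const HIGH_INCIDENCE = ['UA', 'ID', 'YU', 'LT', 'EG', 'RO', 'BG', 'TR', 'RU', 'PK'];
const FREE_MAIL = ['freemail.example']; // placeholder; list the services you flag
const EXPENSIVE = 500.00;               // assumed per-item price threshold

function screenOrder(array $o, string $ipCountry): array
{
    $signals = [];
    if ($ipCountry !== $o['billing_country']) {
        $signals[] = 'IP country differs from billing country';
    }
    if ($o['shipping_address'] !== $o['billing_address']) {
        $signals[] = 'shipping address differs from billing address';
    }
    if (in_array($o['shipping_country'], HIGH_INCIDENCE, true)) {
        $signals[] = 'shipping country has a high incidence of fraud';
    }
    $domain = strtolower(substr(strrchr($o['email'], '@') ?: '@', 1));
    if (in_array($domain, FREE_MAIL, true)) {
        $signals[] = 'free e-mail service';
    }
    if (preg_match('/\bP\.?\s*O\.?\s*Box\b/i', $o['shipping_address'])) {
        $signals[] = 'delivery to a post office box';
    }
    if ($o['shipping_method'] === 'overnight') {
        $signals[] = 'express delivery';
    }
    foreach ($o['items'] as $item) {
        if ($item['price'] >= EXPENSIVE) {
            $signals[] = "expensive item: {$item['name']}";
        }
        if ($item['qty'] >= 3) {
            $signals[] = "multiple units: {$item['name']}";
        }
    }
    // Assumed rule: a country mismatch alone, or any two signals, holds the order.
    $hold = $ipCountry !== $o['billing_country'] || count($signals) >= 2;
    return ['hold_for_review' => $hold, 'signals' => $signals];
}

// Constructed sample order (not real data); 'JP' stands for the looked-up IP country.
$order = ['billing_country' => 'US', 'shipping_country' => 'US',
    'billing_address' => '123 Main St', 'shipping_address' => 'PO Box 42',
    'email' => 'buyer@freemail.example', 'shipping_method' => 'overnight',
    'items' => [['name' => 'DVD player', 'price' => 120.00, 'qty' => 3]]];
print_r(screenOrder($order, 'JP'));
```

The returned list of signals gives the person doing the manual check the reasons the order was held, not just a yes/no flag.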
