Today we got a dispute from our credit card processor about a fraudulent payment; after doing some investigation, I couldn't find any *real* evidence of wrongdoing, because the IP address recorded in the {commerce_order} table matches with the IP used in previous (valid) orders.
However, I noticed that somehow, two payment transactions had been entered for a single order (using Commerce Stripe). I'm not quite sure how at the moment, but this brought me to another realization: the IP address of the person creating the transaction is not saved anywhere in the transaction data. It's included as part of the Order process, but there's the rub: it only records the IP address in the commerce_order_revision table during a save() event. Unfortunately, though, this data is only accessible from the db, and is nowhere to be found in an order's Payment tab.
It would be better from a customer support/administration side if we included the originating IP address that submitted the transaction. This would better protect store admins from fraud and would just make a better UX for non-technical administrators.
I'd suggest including a new field in the commerce_payment_transaction table schema, and then adding a write function to the controller to record the IP in that field whenever a transaction is created.
Thanks!
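
One way to prototype the suggestion above in a custom module, as an added example that is not part of the original post or of Commerce's own code. It assumes Drupal 7 with Commerce 1.x; the module name `txn_ip` and the column name `hostname` are hypothetical.

```php
<?php
/**
 * Hypothetical module "txn_ip": stores the requesting IP on each new
 * payment transaction. The module and column names are assumptions.
 */

/** Column definition shared by the install and schema hooks. */
function txn_ip_hostname_field() {
  return array(
    'description' => 'IP address of the request that created the transaction.',
    'type' => 'varchar',
    'length' => 128,
    'not null' => TRUE,
    'default' => '',
  );
}

/** Implements hook_install(); this function belongs in txn_ip.install. */
function txn_ip_install() {
  if (!db_field_exists('commerce_payment_transaction', 'hostname')) {
    db_add_field('commerce_payment_transaction', 'hostname', txn_ip_hostname_field());
  }
}

/** Implements hook_schema_alter() so entity loads and saves see the column. */
function txn_ip_schema_alter(&$schema) {
  if (isset($schema['commerce_payment_transaction'])) {
    $schema['commerce_payment_transaction']['fields']['hostname'] = txn_ip_hostname_field();
  }
}

/** Implements hook_commerce_payment_transaction_presave(). */
function txn_ip_commerce_payment_transaction_presave($transaction) {
  // Stamp only new transactions. Later saves (status changes, admin edits,
  // gateway callbacks) must not overwrite the address of the original request.
  if (empty($transaction->transaction_id)) {
    // ip_address() returns REMOTE_ADDR, and trusts X-Forwarded-For only when
    // the 'reverse_proxy' and 'reverse_proxy_addresses' settings are set.
    // Behind an unconfigured proxy this logs the proxy's address instead.
    $transaction->hostname = ip_address();
  }
}
```

This only stores the value; showing it on an order's Payment tab is a separate step. A transaction created by a server-to-server gateway callback will carry the gateway's address rather than the customer's.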