Today we got a dispute from our credit card processor about a fraudulent payment; after doing some investigation, I couldn't find any *real* evidence of wrongdoing, because the IP address recorded in the {commerce_order} table matches with the IP used in previous (valid) orders.

However, I noticed that somehow, two payment transactions had been entered for a single order (using Commerce Stripe). I'm not quite sure how at the moment, but this brought me to another realization: the IP address of the person creating the transaction is not saved anywhere in the transaction data. It's included as part of the Order process, but there's the rub: it only records the IP address in the commerce_order_revision table during a save() event. Unfortunately, though, this data is only accessible from the db, and is nowhere to be found in an order's Payment tab.

It would be better from a customer support/administration side if we included the originating IP address that submitted the transaction. This would better protect store admins from fraud and would just make a better UX for non-technical administrators.

I'd suggest including a new field in the commerce_payment_transaction table schema, and then adding a write function to the controller to record the IP in that field whenever a transaction is created.

Thanks!

Comments

torgosPizza created an issue.
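Until a transaction records its own IP, the closest an administrator can get is to correlate each payment transaction with the order revision saved just before it. The sketch below is an added example, not part of the original issue or of Commerce's code; it uses constructed, simplified tables (`order_revision`, `payment_transaction`) whose names and columns are assumptions, and it also flags orders that carry more than one payment transaction.

```python
import sqlite3

# Constructed, simplified stand-ins for the order revision and payment
# transaction tables; table and column names are assumptions for this sketch.
SCHEMA = """
CREATE TABLE order_revision (order_id INTEGER, hostname TEXT, saved INTEGER);
CREATE TABLE payment_transaction (transaction_id INTEGER, order_id INTEGER, created INTEGER);
"""
# Constructed sample rows (documentation IP ranges, arbitrary timestamps).
REVISIONS = [(101, "198.51.100.7", 1000), (101, "203.0.113.9", 1300),
             (102, "198.51.100.7", 2000)]
TRANSACTIONS = [(1, 101, 1005), (2, 101, 1302), (3, 102, 2001), (4, 103, 500)]


def build_demo_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO order_revision VALUES (?, ?, ?)", REVISIONS)
    conn.executemany("INSERT INTO payment_transaction VALUES (?, ?, ?)", TRANSACTIONS)
    return conn


def orders_with_multiple_payments(conn):
    """Return order IDs that have more than one payment transaction."""
    rows = conn.execute(
        "SELECT order_id FROM payment_transaction "
        "GROUP BY order_id HAVING COUNT(*) > 1 ORDER BY order_id")
    return [r[0] for r in rows]


def inferred_ip(conn, transaction_id):
    """Hostname of the latest revision of the same order saved at or before
    the transaction; None when no such revision exists."""
    row = conn.execute(
        "SELECT r.hostname FROM payment_transaction t "
        "JOIN order_revision r ON r.order_id = t.order_id AND r.saved <= t.created "
        "WHERE t.transaction_id = ? ORDER BY r.saved DESC LIMIT 1",
        (transaction_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    for oid in orders_with_multiple_payments(db):
        print("order", oid, "has more than one payment transaction")
    for tid, _, _ in TRANSACTIONS:
        print("transaction", tid, "inferred IP:", inferred_ip(db, tid))
```

The result is an inference from timing, not a recorded value: a revision saved by anyone else shortly before the payment would be attributed to the payer, and a transaction with no earlier revision yields nothing.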