Every business has “shrinkage”. Stock levels mysteriously reduce. Inventories decline overnight. Products grow legs.
You'd think that the software business is different. “There's nothing physical to lift!” you say. Not true. If you're thinking of selling software via the web, take note: you're going to get dodgy orders. It's just a fact of life.
So how exactly does it work? Well you get an order in, same as usual. Now what I do for each order is check the IP address against the credit card address. You can use a site such as MaxMind to do this. Unfortunately this can only happen after the order is processed. And then you get one. An order where the IP address is from a very different country than the credit card address. A stolen card. In these cases, the email is also usually from a free email service, and is usually one of those numbered emails, as the account has been created just for the purposes of fraud. You do get the occasional sad individual who will use a traceable email address. It will show up on gaming and script-kiddie websites.
When you get one of these orders you're stuck. The perpetrator already has your product downloaded. And you have to put through a refund asap, otherwise you'll get hit with callback charges. And you should put through the refund as soon as you can so that you don't offend the poor eejit whose credit card number was stolen.
As a software company, it's not too bad — at least you don't lose money shipping out physical goods. On the other hand it makes you more vulnerable to this sort of thing, as the fraudster doesn't need a physical address for pick-up, just an email address.
Now there are a few things you can do to prevent or reduce this type of fraud. You can block certain countries from purchasing. This works, but it's not something I want to do. First, some of the dodgy orders may come from people who genuinely can't afford the products (hey – just ask me for a free copy guys! I'm reasonable). I grew up in a developing nation (South Africa), so I can understand that. Second, other folks from those countries want to do legitimate business, and they should have the chance to do so. I just don't like the idea of blanket bans.
Another thing you can do is have more stringent automated checks, based on IP and email address. Given the relatively low level of this problem, I'm not sure it's worth it. It's not like the bad guys would suddenly decide to play by the rules as a result. They'd probably just try to hack the trial download instead (Hint to bad guys: please hack the download instead of using fraudulent credit cards). So I'll put the time into coding features for my products instead.
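For anyone who does want to automate it, here is a sketch of the checks described above (IP country against card country, free email service, numbered address). It is an added example, not code from this post; the geolocation table, the free-mail domain list and the order field names are constructed placeholders, and a real setup would take the country from a GeoIP lookup.

```python
import ipaddress
import re

# Constructed geolocation table using documentation-only IP ranges (RFC 5737).
# A real deployment would query a GeoIP database or service instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "ZA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "IE",
}

# Constructed sample list of free-mail domains (assumption, extend as needed).
FREE_MAIL = {"freemail.example", "webmail.example"}

# "Numbered" addresses: local part ending in a run of three or more digits.
NUMBERED = re.compile(r"\d{3,}$")


def ip_country(ip):
    """Return the ISO country code for an IP, or None if unknown or invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def review_order(order):
    """Return the list of fraud signals raised by one order dict."""
    signals = []
    country = ip_country(order["ip"])
    if country is None:
        signals.append("ip_unknown")
    elif country != order["billing_country"].upper():
        signals.append("country_mismatch")
    local, _, domain = order["email"].lower().rpartition("@")
    if domain in FREE_MAIL:
        signals.append("free_email")
        if NUMBERED.search(local):
            signals.append("numbered_email")
    return signals


def needs_manual_review(order):
    """A country mismatch holds the order; email signals only add weight."""
    return "country_mismatch" in review_order(order)
```
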
Finally you might want to sign up with a fraud detection service. Never used one so don't know how well they work. Maybe I'll do this if the problem ever becomes really bad.
If you sell stuff on the web, you will get credit card fraud. It's a cost of doing business with the entire planet. And hey, doing business with the entire planet is a much bigger win than losing a few sales. So I guess my final advice would have to come from Tony: “Suck it up!”
One other thing to note, if you are developing a software product for download via the web: really strong copy protection is useless and a waste of time. It seems to be really easy for certain groups of people to get hold of stolen credit cards, so they'll just buy a copy. A nice, easy way to get around your oh-so-clever copy protection. And then you lose anyway. You could opt for “phone home” protection, but that has its own issues, like customer privacy. (And don't even think about using a dongle! How sad.)
This interwebnet thing is no bed of roses. The rules are different and you'd better leave your outrage at home.