How Do You Implement KYC in Your Hosting Services?

Hello everyone,

I'm interested in learning more about how different hosting providers implement KYC (Know Your Customer) procedures. What methods and practices do you use to verify the identities of your customers? Any insights or experiences you could share would be greatly appreciated! Thank you!
 
Are you referring to taking on a new customer (fraud management) OR authentication upon login? Not familiar with the KYC lingo. :-)
 
We mainly utilise Maxmind with their 'Factors' offering, and orders that have been approved are manually checked - although Maxmind has been pretty solid and we haven't had an order slip through the net. There are a few other checks you can perform too, such as checking what website is currently on the domain if they have signed up to web/reseller hosting to see if it's a legitimate website, checking the Internet Archive to see what has been hosted on the website previously, and checking whether the WHOIS information matches if it's not hidden.

If an order has been rejected due to a high risk score on Maxmind then we generally leave it, unless the customer reaches out to us regarding their rejected order, in which case we will run through a quick confirmation process with them such as sending government approved ID, etc. We generally find those who have been automatically rejected and then reached out to us are legitimate customers.
 
I saw that it has a plugin to use in WHMCS, how does it work?
It defaults to the following fields name, email, phonenumber, address and ip. You can optionally add the following fields: Domain Name or Hostname, Paypal Email, Secondary Email Address and Other (information).

I actually have a system on its own script that I put together years ago that I run separately. The plugin for WHMCS doesn't automatically process anything, at least the version that I am running. The results you need to take with a grain of salt.

Essentially, each field is hashed on both ends. Therefore, the exact value has to match FraudRecord. They aren't storing anything other than hashes that you're comparing.

While another host could enter in data to keep you from taking on a client, it's still incredibly valuable. It'll show which host submitted matching data that reported it as fraud and they can provide feedback regarding the submission. IP and Email are the easy ones to check on.
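
The hash-on-both-ends matching described in the post above, as an added sketch that is not from the post and is not FraudRecord's code or API. The SHA-256 digest, the normalisation rules, the field-name prefix and the `SharedStore` class are assumptions made for illustration; the data is constructed.

```python
import hashlib

def normalize(field, value):
    # Assumed canonicalisation rules; both sides must apply the same ones.
    v = " ".join(value.strip().lower().split())
    if field == "phonenumber":
        v = "".join(ch for ch in v if ch.isdigit())
    return v

def hash_fields(fields):
    """Client side: turn {field: plaintext} into {field: hex digest}."""
    return {
        f: hashlib.sha256(f"{f}:{normalize(f, v)}".encode("utf-8")).hexdigest()
        for f, v in fields.items()
    }

class SharedStore:
    """Service side: sees digests and reporter labels only, never plaintext."""
    def __init__(self):
        self._reports = {}  # (field, digest) -> [(reporter, note), ...]

    def report(self, reporter, hashed, note):
        for key in hashed.items():
            self._reports.setdefault(key, []).append((reporter, note))

    def lookup(self, hashed):
        return {f: self._reports[(f, d)] for f, d in hashed.items()
                if (f, d) in self._reports}

def demo():
    store = SharedStore()
    # Constructed sample report from a hypothetical "host-a".
    store.report("host-a", hash_fields(
        {"email": "mallory@example.com", "ip": "203.0.113.7"}), "chargeback")
    # New order: same email with different case/whitespace, different IP.
    same = store.lookup(hash_fields(
        {"email": "  Mallory@Example.COM ", "ip": "198.51.100.9"}))
    # Near miss: a plus-alias is a different string, so no match at all.
    alias = store.lookup(hash_fields({"email": "mallory+1@example.com"}))
    return same, alias

if __name__ == "__main__":
    print(demo())
```

Because only exact post-normalisation values match, a hit is strong evidence of the same value, while a miss says little; the per-field result also shows which reporter to ask for feedback.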
 
Interesting, I was thinking just the other week it would be useful if a service existed where hosts could share data like this to help combat fraud and bad actors on our networks, and here it is :)

I will definitely take a look.
 
Thank you, I'm not sure if it works according to GDPR rules in Europe because it uses user data.
 
I would think it should be OK, the company seems to be based in an EU country and no actual readable data is sent, just hashes?
If it's just hashes, I don't think there's a problem, but since I'm not sure about its functionality, I have to read the privacy policy and its rules carefully so that there's no problem using it.
 
Yeah, from what I read the other day it seems as though the data is one-way encrypted and stored on their servers with no way of Fraud Record either knowing what the data is or decrypting it. The hashes are compared when a user looks up an email address.

Seems like an interesting service overall.
 
That is correct, it's all hash based only.

I'm not familiar with Europe's GDPR. I'm tired of being tracked with cookies, but the last few years of "Cookie Preferences" popping up on web sites aren't helpful either.
 
KYC is an essential part of maintaining a secure and trustworthy hosting environment. Many providers implement KYC through ID verification, address proof, and sometimes even video verification for high-risk customers.

I'm curious, do you find certain verification methods more effective than others in preventing fraud?
Also, how do you balance user privacy while ensuring compliance with regulations?
 
KYC has different meanings with different companies. Most companies will only do fraud checks with MaxMind, FraudLabsPro, Sensfrx etc. But some large companies may directly ask for Government issued ID, Bank/Card Statements, Masked Credit Card Photo. Each company has its own set of risk assessments. Also, in some countries like India, asking customers for Government issued ID and Address Proof is mandatory for hosting companies selling unmanaged servers.

I personally prefer to outsource the KYC process to another agency that has a large team and can verify the documents of your clients for a small fee.
 
Interestingly, KYC is mandatory in India! In Europe, however, it is not permissible to delegate such actions to third parties due to the GDPR, which prohibits sharing user information with third parties.
 