==NOT AVAILABLE FOR THE FORESEEABLE FUTURE== An AML, Compliance and Fraud prevention practitioner at heart, Pervees Faisal Islam is a frequent consultant for a variety of payment platforms and non-traditional money transfer systems. He is known as a critical thinker and a strategist, passionate about the payment product, and is distinct in his passion for the product developer and kinship to the regulator in areas related to payments and money service businesses/money transmitters. He has held several executive positions at third-payment processors, money transmitters and online payment firms. A frequent speaker at Emerging Payments and AML conferences and a contributor to payments publications, he also spearheads the open-access Country Risk aggregator, knowyourcountry.com.
To be honest, if your product targets the high value use case, people will pay whatever you charge. http://avc.com/2015/07/bootstrap-your-network-with-a-high-value-niche-use-case/
The other thing you could do is look at competitors and see what they charge, and how they are missing out.
Go with PayPal or Braintree, it's your vanilla option. If you have expertise in integration, go with Stripe as well.
If your business is high risk, go with CCBill or Instabill.
Also consider adding a Coinbase or BitPay account for bitcoin payments. It costs nothing to set up and is also immune to chargebacks.
Here's what you can do:
If web, then 1) figure out if your anti-fraud tools are operating properly. It might be ghost accounts (multiple users from the same IP/device ID); if so, ban the IPs and device IDs. If you are unable to identify whether it's a common IP or device ID, then figure out if they used the same password by checking the hash (provided you have a single salt for all the password hashes). Usually fraud chains will use scripts that will use the same passwords. If you have visibility on their security questions, then check that. Check other factors like login times that are similar or very close to each other. Find out how your anti-fraud tools were abused and fix it.
If app, make sure devices were not compromised. If you don't have multifactor authentication, get it.
What should you do?
If web or app, then lock out the offending account, fence the funds, and make sure that any account that signs up from then on and shares similar parameters to the offending account is flagged and comes under your review. (Ex: same IP / same device ID / same password hashes / same responses to security questions)
Who do you report it to?
If it is more than $25k, you can expect that reporting it to the police will get you somewhere. Regardless, report it, but don't expect any effort on their part if less than $25k. Probability of that is pretty low.
If you are using a credit card PSP, then alert them, and tell them what you have done to make sure it doesn't happen. Alert your bank too and let them know how you have made sure it won't occur.
If you are registered as an MSB with FinCEN, file a suspicious activity report (SAR) with FinCEN. Your compliance officer can do that. If you don't have a CO, your legal counsel can help.
Finally, how to automate your fraud detection for future instances? You could get some traditional products that come with your PSP, but I find them very bloated and typically not good. I am now becoming a big fan of "machine learning". You should look into companies that provide that service.
Hope it helps,
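The account-linking and signup-review steps described in the answer above can be sketched as follows. This is an added example, not code from the answer: the field names and sample records are constructed assumptions, and `pw_hash` stands for the stored hash, which only matches across accounts under the single-salt condition the answer states.

```python
from collections import defaultdict

# Parameters the answer lists for linking accounts. Field names are assumptions.
LINK_FIELDS = ("ip", "device_id", "pw_hash", "sec_answer")

# Constructed sample records, not real data. pw_hash stands for the stored
# hash; equal values only imply equal passwords under the single-salt
# condition stated in the answer.
ACCOUNTS = [
    {"id": "a1", "ip": "198.51.100.7", "device_id": "dev-01", "pw_hash": "h-aaa", "sec_answer": "rex"},
    {"id": "a2", "ip": "198.51.100.7", "device_id": "dev-02", "pw_hash": "h-bbb", "sec_answer": "tom"},
    {"id": "a3", "ip": "203.0.113.9", "device_id": "dev-03", "pw_hash": "h-bbb", "sec_answer": "ann"},
    {"id": "a4", "ip": "192.0.2.44", "device_id": "dev-04", "pw_hash": "h-ccc", "sec_answer": "zoe"},
]

def shared_parameters(a, b):
    """Return the link fields on which two account records match."""
    return [f for f in LINK_FIELDS if a.get(f) and a.get(f) == b.get(f)]

def cluster_accounts(accounts):
    """Group accounts connected directly or transitively by any shared field."""
    parent = {acc["id"]: acc["id"] for acc in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for acc in accounts:
        for f in LINK_FIELDS:
            if not acc.get(f):
                continue  # missing values must not link accounts
            key = (f, acc[f])
            if key in first_seen:
                parent[find(acc["id"])] = find(first_seen[key])
            else:
                first_seen[key] = acc["id"]

    groups = defaultdict(set)
    for acc in accounts:
        groups[find(acc["id"])].add(acc["id"])
    return [g for g in groups.values() if len(g) > 1]

def review_signup(signup, offenders):
    """Map offender id -> matching fields, for routing a new signup to review."""
    hits = {o["id"]: shared_parameters(signup, o) for o in offenders}
    return {oid: fields for oid, fields in hits.items() if fields}
```

Here a1 and a3 share no field directly but land in one cluster through a2, which is the kind of chain a pairwise IP or device check alone would miss.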