I admit, I had forgotten the request instructed the user to obfuscate the middle digits. However, submitting via insecure email is ridiculous again, if the email is stolen, intercepted, misdirected, copied, etc., it might for example result in the user receiving a phishing type email reply from an official looking address, "Thanks for your submission, This is the happy Dreamhost verification bot emailing to complete your transaction instantly. Please reply to this email, sending the middle digits of the card number on the first line of the email with no other information and the system will approval instantly, Thanks, The Happy Dreamhost Verifications bot". Of course the email is not from anybody or anybot at dreamhost but the emails might appear to be from something like email@example.com. Far fetched? Maybe, maybe not... we don't know what the hackers of the world specialize in, they certainly like to phish, maybe they know how to sniff out emails to verifications@ dreamhost.com
A better solution for submission of course would be a secure upload page. Perhaps within the dreamhost panel and only visible for a certain account status. This gives dreamhost the chance to brag about security and transparency, and make the statement that the image will be uploaded and stored in secure form in a database with only logged access and available only to the abuse team and will be destroyed after _____ (or retained until_____).
Domain name registrations of course shouldn't be processed for ANY account until payment has cleared. If a new user can really register hundreds of domain names then stop that, after a threshold is reached make the account age before they can register more, [or more workflow options, I'll omit for now for brevity but I have extensions to this idea.]
As far as the DreamCompute scenario goes it might be solved with a New Customer Promotion:
Basic Account, Billed monthly for actual usage. Setup fee today $15.00.
New Customers can also choose:
Pay $10.00 today, Setup fee waived, receive a $25.00 account credit that will be applied to any DreamCompute usage balances. A $40.00 Value!
Pay $25.00 today, Setup fee waived, receive a $50.00 account credit that will be applied to any DreamCompute usage balances.
Note: Domain Registration balances must be paid separately at the time of registration, and are not included in this promotion.
Don't offer bigger options for new accounts. This leaves the opportunity to offer later, "Thank you for being a continued customer" Pre-paid Discount later. I.e. give the customer a customized anniversary offer... after 6 months, "Hi over the past 6 months your dreamcompute charges averaged $XX, Pre-pay $YY Today (or within the next 10 days), and we will credit your account $ZZ in DreamCompute dollars."
And then on the annual anniversary entice the customer to pay a year in advance based on past usage with another pre-paid discount.
I confused my explanation by including a poor exception. The point I was trying to make: payment decline becomes a hard stop point in the workflow. "Your Payment was Declined by your card issuer." No Automatic appeal process/manual approval queue.
"Normally we would advise you to contact your card issuer and ask them why they declined this transaction, if however you believe our assistance is needed please fill out this form below and tell us why. Our Security and Abuse team will get back to you during normal office hours. Monday Thru Friday xx:AM to yy:PM PST (GMT-8)"
Request whatever on the form and give them a nice big freeform box to explain the problem. Then give them a Case number and an estimation when the ticket will reach the top of the queue. "Thanks for your submission this will be forwarded to our Security and Abuse team, based on the number of tickets currently ahead of yours in the queue for that team we estimate your ticket should be reviewed no later than ____ on ___day."
Show the ticket and its status in the panel.
If it's submitted via email, it's not encrypted in transit.
It should be included as a file upload box on a page in the panel visible to accounts in a particular status (including a file upload option, or a pic selection tool from a mobile device).
Pre-pay discounts. There is no ambiguity that there will be a charge collected today. No need for the $1.00 that might fail because the new customer doesn't think they owe anything today.
Also I've argued this point before on this topic: Give me photoshop, a scanner, and 10 minutes I can make a fake card for this scenario. If I'm a scammer, this isn't my first rodeo with dreamhost, so I might have a whole photoshop library of card images and digits ready to cut and paste.
A structure such as identified above should severely cut down on the number of appeals filed (that function is currently called "manual approval"). If a scammer knows it's a stolen card they aren't going to bother to submit the appeal, then dreamhost can track what they do next (or try to do next), etc.