Hello everyone,
I'm planning of implementing IAP in our game by using Unity IAP, but at the same time, I'm trying to find a way to detect refund frauds. The game will be published on Play Store, and users will be able to register for the game via their email addresses.
I haven't implemented IAP in a game before, and I assume, the process is something like this. When a player buy IAP, Play Store will generate a transaction ID. Then I need to validate that transaction ID by sending it to PlayFab. Once it's validated, the related item/bundle will be granted to the player automatically by PlayFab. On PlayFab, this transaction ID will be saved as "order ID" and it can be seen on the Purchases menu in the related player's profile on Game Manager. (Please correct me if anything is wrong in this process).
What if the player refunds the item or bundle (virtual currency) they have purchased? As far as I know, there's no direct connection between PlayFab and Play Store in terms of refunds. In this case, I need to find the refunded transaction and the player who made the purchase so that I can revoke the item or take the currency back manually. I don't know what kind of information I get on receipts, but I should be able to see the transaction IDs of refunded transactions.
Here's the questions I want to ask about this whole process:
- How can I find a player by an order ID?
Users will register for the game by their email addresses. Only thing that I can use to identify a user is either their email address or their display name (I blocked the API related to updating display names). I'm not sure if I can find any of these information on the receipt. (The email addresses they use in the game may be different than the email address they use on Play Store). If none of them can be found on the receipt, the only thing that is left is the order ID.
- What should I do if a player refunds a bundle (virtual currency) after spending it?
A player might buy a virtual currency with real money and refund it after spending it. In this case, I'm thinking of blocking that player buying more bundles (virtual currency). I can set read only data on the player's profile on PlayFab to tag them and disable the purchase button in the game. If the player bypasses the code disabling the button (which is very unlikely after they see the reason why they can't buy anymore), I can setup a rule that occurs when a transaction is confirmed and after the validation, I simply revoke the bundle before consuming it.
The last revoking part never happens normally unless the player hacks the game to bypass the code. I'm also not sure if this solution looks good. What could be the proper way to handle this situation?
