How To Protect Your Website From Credit Card Testing


Fraud prevention is a never-ending game, and businesses need to remain vigilant, especially when it comes to ecommerce. Learn how credit card testing impacts your business, how fraud prevention tools help you remain proactive, and which tactics can protect your business from unauthorized attacks.

A recent study by Nilson Report found that in 2019, card-based payment systems worldwide generated fraud losses of $28.65 billion, amounting to just under 7 cents for every $100 of total volume.

By 2027, this number is expected to increase by nearly 35% to $38.50 billion.

While credit card fraud has been steadily increasing since 2013, the coronavirus pandemic has fueled explosive growth in fraudulent activity, and projections show no sign of these trends slowing down. According to Julie Fergerson, CEO of Merchant Risk Council, digital attacks become more successful in every economic downturn, and we should fully expect credit card fraud numbers to increase significantly over the coming years.

Fraud prevention is a never-ending game, and business owners, particularly those managing an ecommerce storefront, need to remain vigilant. With credit card fraud increasingly affecting card-not-present and ecommerce environments, and fraudsters constantly evolving their mechanisms for testing the validity of credit card information, it’s imperative that you protect your website from credit card testing.

In this blog, we’ll discuss how credit card testing impacts your business, how fraud prevention tools help you remain vigilant and proactive, and tactics you can implement to mitigate and protect your business from unauthorized attacks.

What is credit card testing?

But first, what is credit card testing?

Credit card testing is a malicious attack on a merchant’s website or shopping cart. It’s triggered by a bot or automated script and tests lists of illegally obtained credit card information to identify valid cards. Essentially, fraudsters are repeatedly testing stolen credit card information to make illegal purchases. You may hear the terms account or authorization testing, carding, and card checking used interchangeably with credit card testing.

Unfortunately, this kind of fraudulent activity is an unavoidable and common occurrence with ecommerce. That said, there's a lot businesses can do to protect themselves.

Why does credit card testing happen?

In many cases, card testers will have stolen or obtained credit card information illegally. Since they’re unaware if the information they’ve received or generated is valid, they’ll need an engine—some type of trigger—to determine if it is.

Enter, your website.

Credit card information is often stolen over a period of weeks or months, and authorization testing is used to discover which cards in the fraudster’s database can be excluded and which can be used for fraudulent activities. Authorizations are the preferred method of card testers, as they rarely appear on cardholder statements—meaning the cardholder is unlikely to notice, let alone report fraudulent activity.

Another tactic fraudsters use to test the validity of credit card information is to make small purchases, which are also less likely to be noticed and reported. Online businesses that accept donations or facilitate transactions of small value make ideal targets for this manner of testing.

It’s worth noting that stolen credit card information isn’t used exclusively for making online purchases. The details fraudsters obtain are frequently sold in marketplaces on the dark web—networks on the internet that require software or authorization to access.

How does credit card testing impact merchants’ business?

Credit card testing can have many adverse effects on your business.

For instance, there are the fees you incur from authorization testing. Whether card checking tests are successful or not is entirely irrelevant—you'll still incur fees for every attempt made. Making matters worse is the fact that these fees are typically non-refundable. You can imagine the significant financial impact this can have for businesses if credit card testing attempts increase over time.

Larger businesses are better positioned to withstand these attacks—even if there are substantial losses. Smaller businesses, however, can easily crumble in the event of a large attack. A loss of $5,000-$10,000 might not be significant for many, but for others, it’s the difference between making payroll and bankruptcy.

It’s important to be cognizant that these types of attacks are fast and furious. Fraudsters can execute them at various intervals, potentially attempting hundreds or thousands of tests per hour depending on which mechanisms they have in place. Identifying and then mitigating or preventing fraudulent activity as soon as possible should be high on all online merchants’ priority lists.

Another adverse impact of credit card testing is the strain it creates in your organization. These attacks will likely result in your team spending a great deal of time identifying which approved transactions are actually valid and require shipment of products and goods, and which are fraudulent and need immediate intervention.

Beyond these two outcomes, credit card testing can wreak havoc in many other ways, especially when you consider the time and money it costs cardholders to dispute fraudulent payments, the damage inflicted on your business’ reputation from increased card decline rate, and the burden on your infrastructure due to surges in traffic.

How do fraud prevention tools help merchants?

Depending on which payment processing solution you have in place, fraud prevention tools such as address verification, card security codes, and velocity checks can likely be enabled. These tools are instrumental in reducing the risk of potential fraudulent chargebacks. But preventing fraudulently obtained cards from placing orders and making purchases is only half the battle.

In many instances where fraud detection is used, a fraudulent transaction attempt will still be sent to card issuers—the financial institutions that provide cards and credit limits to consumers. Despite your having already prevented an order from being placed, these issuers will still attempt to validate the information the fraudster provided. When that happens, you know you haven’t truly prevented your business from authorization testing or from incurring fees associated with authorization attempts.

How can merchants protect themselves from credit card testing?

The first step in preventing credit card testing is to engage your web developer or evaluate your website’s ecommerce shopping cart for ways to monitor, prevent, and block incoming fraudulent activity on your website. Below is a list of five practices we strongly encourage implementing.

1. Add a reCAPTCHA feature

A CAPTCHA is a system that enables web hosts to distinguish between a human and a robot accessing a website. In other words, it protects websites from spam and abuse. Many card testers use automated scripts to run high volumes of tests, which can be blocked using a CAPTCHA.

Google’s reCAPTCHA—a type of CAPTCHA that asks users to decipher text or match images—is very effective at blocking credit card testing. The latest versions of reCAPTCHA run automatically when users load pages and never interrupt users. To ensure your reCAPTCHA is performing as effectively as possible, you’ll want to double-check it’s being used to authenticate all requests that enable card validations or payments.

Your reCAPTCHA can be either visible or invisible. Feel free to test both solutions—or an entirely different CAPTCHA solution—to see which works best.

2. Ensure your website is validating on both the frontend and backend

Your website frontend is where your customer enters their credit card information. The backend is the programming that processes credit card transactions. It handles the direct communication to the payment gateway where transactions are processed, typically via API token.

An effective way to deter credit card testing is to require a login or session validation when your customers perform specific tasks—such as making a payment or creating an account. Fraudsters typically bypass your website’s frontend and target the backend directly, so having these measures in place will help to prevent that from happening.

3. Create a velocity logic ruleset

Velocity checks monitor how often specific data elements recur within a brief period and are critical in fraud prevention efforts. To reduce incoming fraudulent activity, we recommend creating a velocity logic ruleset that filters card authorization test attempts by IP address, dollar amount, and repetition, then blacklisting any IP addresses that meet your criteria. Here are a few things to consider:

  • Small transactions – Create a logic ruleset that sends alerts for repeated small transactions from the same credit card numbers or IP addresses.
  • Large number of purchases over a short period of time – Fraudsters design bots to transact as frequently as possible, as quickly as possible. Ensure a logic ruleset is in place that notifies you when an abnormally large number of purchases occurs during a brief window.
  • Designate teams to action notifications – Appoint a contact or team within your business to be notified when any of your controls have been exceeded—this includes frequent small and abnormally large transactions, and any other filters you deem necessary. This will allow you to quickly take action and stop any incoming fraudulent activity as soon as it’s identified.
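
A velocity ruleset of the kind described above can be sketched as a sliding-window check that runs before an attempt is forwarded to the payment gateway. This is an added example, not code from the original article or any payment provider; the thresholds, the `VelocityRules` class, the card token field and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them against your own traffic.
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_IP = 5   # authorization attempts allowed per IP per window
MAX_SMALL_PER_CARD = 2    # small-value attempts allowed per card per window
SMALL_AMOUNT = 5.00       # "small transaction" cutoff, in dollars

class VelocityRules:
    def __init__(self):
        self.by_ip = defaultdict(deque)    # ip -> timestamps of attempts
        self.by_card = defaultdict(deque)  # card token -> timestamps of small attempts
        self.blocked_ips = set()

    @staticmethod
    def _count(q, now):
        # Drop timestamps that left the sliding window, then count what remains.
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def check(self, ts, ip, card_token, amount):
        """Decide on one attempt before it is sent to the gateway: (allow, alerts)."""
        if ip in self.blocked_ips:
            return False, ["ip_blocked"]
        alerts = []
        self.by_ip[ip].append(ts)
        if self._count(self.by_ip[ip], ts) > MAX_ATTEMPTS_PER_IP:
            self.blocked_ips.add(ip)
            alerts.append("ip_velocity")
        if amount <= SMALL_AMOUNT:
            self.by_card[card_token].append(ts)
            if self._count(self.by_card[card_token], ts) > MAX_SMALL_PER_CARD:
                alerts.append("repeated_small_amount")
        return not alerts, alerts

def replay(events):
    # Run time-ordered (ts, ip, card_token, amount) events through a fresh ruleset.
    rules = VelocityRules()
    return [rules.check(*e) for e in events], rules.blocked_ips

# Constructed sample: one shopper, then a burst from one IP cycling through cards.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [(T0, "198.51.100.7", "tok_shopper", 42.00)] + [
    (T0 + timedelta(seconds=5 * i), "203.0.113.9", f"tok_{i}", 1.00) for i in range(8)
]
```

The returned alerts are what would be routed to the team designated to act on notifications; the card token stands in for a gateway-issued reference so the ruleset never stores card numbers.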

4. Identify illegitimate traffic and behavior

Once your velocity logic ruleset is in place, you’ll be able to confidently identify credit card testing behavior by comparing it with traffic you’d typically consider to be legitimate.

Another tactic to assist in identifying fraudulent activity is to view backend server logs, where you’ll most likely see a significant increase in declines when attempted fraud happens. Credit card testing declines are usually identified as failed request logs or 402 errors. This error code indicates that payment cannot be processed for a particular reason—either the transaction was declined by the processor, the payment gateway, or even the issuing bank. A high volume of failed requests is indicative of credit card testing.
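
The log review described above can be automated by counting 402 responses per client and comparing them with that client's total payment requests. This is an added example, not code from the original article; it assumes access logs in Common Log Format, a hypothetical `/checkout/pay` endpoint, illustrative thresholds, and constructed sample lines.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format; /checkout/pay is a hypothetical payment endpoint.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
PAY_PATH = "/checkout/pay"
MIN_DECLINES = 5   # assumed threshold: 402 responses per client per minute
MIN_RATIO = 0.8    # assumed threshold: share of payment requests that were declined

def suspicious_clients(lines):
    """Return {(ip, minute): (declines, total)} for clients above both thresholds."""
    total, declined = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ip, ts, method, path, status = m.groups()
        if method != "POST" or not path.startswith(PAY_PATH):
            continue  # only payment submissions count toward the ratio
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        key = (ip, when.strftime("%Y-%m-%d %H:%M"))
        total[key] += 1
        if status == "402":
            declined[key] += 1
    return {k: (d, total[k]) for k, d in declined.items()
            if d >= MIN_DECLINES and d / total[k] >= MIN_RATIO}

def make_line(ip, sec, status):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] '
            f'"POST /checkout/pay HTTP/1.1" {status} 512')

# Constructed sample: a testing burst, a shopper with one decline, and a page view.
SAMPLE_LOG = (
    [make_line("203.0.113.9", s, 402) for s in range(0, 36, 4)]
    + [make_line("203.0.113.9", 40, 200)]
    + [make_line("198.51.100.7", 10, 402), make_line("198.51.100.7", 30, 200)]
    + ['198.51.100.7 - - [01/Jan/2024:12:00:05 +0000] "GET /products HTTP/1.1" 200 2048']
)
```

Requiring both a minimum count and a high decline ratio keeps a legitimate shopper who mistypes a card once from being flagged alongside a testing burst.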

5. Partner with a secure payments provider

The ramifications for failing to detect credit card testing can be devastating. Without proper detection and security measures in place, fraudsters can inflict massive, costly damage to merchants. The above five practices should be implemented regardless, but this fifth is perhaps more important than all the rest. By integrating your business with a payments solution that has a strong risk management engine and a track record of preventing fraud, you can have peace of mind as you collect payments and remain focused on growing your business.

Make it hard for those who want to defraud you

Merchants must be increasingly vigilant against fraud attempts, more so in this digital economy than ever before. The consequences of falling victim to credit card testing are too great to simply ignore this threat.

Fraud is an ever-evolving activity with an inevitable presence. Colin Sims, COO of Forter, a fraud prevention company, recently expressed pessimism about card fraud ending and elaborated that as long as money is being transferred digitally, card fraud is going to be a problem.

It's up to you to take steps to prevent the damages of fraud and protect your business from unwanted, unauthorized attacks.
