Protecting Against Card Testing

Card testing is a major source of fraud. Learn how to protect yourself.

What is Card Testing?

When we say Card Testing, we mean just that – someone is using your website to test out a series of card numbers to see which ones are good, and can be used to make other purchases. These card numbers are likely stolen, or purchased on the black market, with the explicit goal of finding the usable ones, and going off and making other fraudulent purchases. You might also hear this described as card checking, account testing, or carding.

Unfortunately, card testing and other fraudulent activities are a part of having an online presence you just can’t get away from. But stopping card testing is critical, as it has a direct, monetary effect on you. And it is in the best interest of everyone in the payment space – the merchant, Dharma, the card networks, the card brands – to stop this if we can.

Card testing is so prevalent right now for three reasons:

  • It’s one of the most impactful types of fraud;
  • Fraudsters target small and medium enterprises that are unlikely to have an internal fraud team;
  • It’s often too late once it is detected.

Let’s talk more about what it is, and how you can keep this from happening to you.

How does card testing work?

The goal for the fraudster is to stay under the radar, and perform as many test transactions as possible before getting caught and having to move on to the next site. To accomplish that, they’ll usually do one of two things:

  • An authorization only: when you only authorize a card but don’t capture the funds, the transaction doesn’t show up on the customer’s credit card statement, so it is less likely to be noticed. It will still show up as a pending charge in their online portal though, so a customer calling about an unexpected authorization may be your first warning something is going on;
  • A small value transaction: card testers love small payments that can fly under the radar. They are less likely to be noticed by your customer or reported as fraudulent. So pages that routinely take small value transactions like donation pages or businesses with a small average ticket are ideal targets. Suddenly getting an influx of small value donations or orders? Most likely trouble.

The consequences of card testing

Let’s start with the most obvious one…card testing costs you money, as each authorization, whether successful or not, will incur an authorization fee. In Dharma’s case, that’s $0.11 per authorization, so as an example, 1,000 card testing transactions will equate to $110 in transaction fees, plus the Interchange costs associated with each successful transaction.

Then there are disputes / chargebacks. If your customer sees a fraudulent charge, they are more likely to call their bank and report it than they are to call you and request a refund. This costs you time and money.

Higher decline rates are also a problem: there are many metrics associated with each merchant account, decline rates being one of them. A higher decline rate can give you a black mark with the rest of the industry, specifically the banks that issue cards, and the underlying processing networks. This makes all your transactions appear to be higher risk, which can mean even legitimate transactions can be declined in the future.

The stress on your website: not all sites are designed to have thousands of transactions within seconds, and this can overload your web server, your e-commerce platform, and other infrastructure, leading to loss of legitimate transactions, and eventual downtime.

Some ways to prevent Card Testing

There is a set of fraud filters built into most gateways that can be used to prevent card testing completely, or at least slow it down so you can catch it early and stop it:

Velocity Filter: with this filter, you can automatically control how many sales may be submitted through your website per day or per hour. This keeps the fraudsters from testing thousands of cards in just a few seconds when your daily average transaction is more like 100;

Set a minimum transaction size: if your least expensive item is more than a few dollars, set your minimum transaction size appropriately. Remember, fraudsters typically test with just a small amount, looking for the cards that work, without sacrificing any of their purchasing power;

AVS/CVV checking: You can automatically decline, or “hold for review”, any transactions that don’t have a correctly matching billing address. By always asking your customers to provide an address, you reduce the fraudster’s chances of testing with your website unless they have more than just the card number;

IP Blocking: most websites have the ability to control where their sessions originate. If you only deal with domestic customers, limit your e-commerce platform to just IP addresses recognized as originating within the U.S.
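
How the velocity, minimum-size and AVS filters behave together during a burst of small attempts, shown as an added example (not code from Dharma or any gateway). The thresholds, the `Screener` class and the sample attempts are all constructed for illustration.

```python
from collections import Counter, deque

# Assumed policy values for illustration; derive real ones from your own sales history.
MAX_PER_HOUR = 10          # velocity filter: attempts accepted per rolling hour
MIN_AMOUNT_CENTS = 500     # minimum transaction size ($5.00), kept in integer cents
WINDOW_SECONDS = 3600
DECLINE_ALERT_RATE = 0.5   # notify when more than half of recent attempts were declined


class Screener:
    """Applies the velocity, minimum-amount and AVS filters to each attempted sale."""

    def __init__(self):
        self.recent = deque()  # (timestamp, declined?) for attempts inside the window

    def check(self, ts, amount_cents, avs_match):
        # Drop attempts that have aged out of the rolling window.
        while self.recent and ts - self.recent[0][0] >= WINDOW_SECONDS:
            self.recent.popleft()
        if len(self.recent) >= MAX_PER_HOUR:
            result = ("decline", "velocity")
        elif amount_cents < MIN_AMOUNT_CENTS:
            result = ("decline", "below_minimum")
        elif not avs_match:
            result = ("review", "avs_mismatch")
        else:
            result = ("allow", "ok")
        # Blocked attempts still count toward velocity, so a burst keeps the filter closed.
        self.recent.append((ts, result[0] == "decline"))
        return result

    def should_alert(self):
        if not self.recent:
            return False
        declined = sum(1 for _, was_declined in self.recent if was_declined)
        return declined / len(self.recent) > DECLINE_ALERT_RATE


def constructed_attempts():
    """Constructed sample: two normal orders, then 25 one-dollar attempts in 25 seconds."""
    normal = [(0, 4250, True), (600, 1800, False)]
    burst = [(1000 + i, 100, False) for i in range(25)]
    return normal + burst


def summarize(screener, attempts):
    return Counter(reason for _, reason in (screener.check(*a) for a in attempts))


if __name__ == "__main__":
    s = Screener()
    print(dict(summarize(s, constructed_attempts())), "alert:", s.should_alert())
```

Once the hourly cap is reached the velocity filter also turns away legitimate orders until the window clears, which is why the cap should sit comfortably above your normal peak.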

Your web team or e-commerce vendor may have some other ideas, so don’t be afraid to ask their thoughts!

To wrap it up

Do everything you can to not be a victim of card testing:

  • Set your gateway fraud filters to block as much unwanted traffic as possible
  • Look in your merchant portal every single day for suspicious orders or declined transactions
  • Set notifications on your website for anything out of the ordinary and respond quickly when you get them!

Remember, while you can’t stop fraudsters from trying to use your website, you can do everything in your power to keep them from being successful.