What is a card testing?
Card testing, also referred to as Phishing, is a type of fraudulent activity where someone tries to determine whether stolen credit card information is valid so they can use it to make purchases. Card testing is one of the largest threats to modern e-commerce merchants (accepting payments through a website), especially those in the United States.
How does card testing work?
Card testers use both authorizations and payments to determine whether the stolen or generated card information they have is valid or not. Typically, card testers will attempt to verify hundreds or thousands of cards very quickly. Authorizations are the most common method to test cards because it is less likely the cardholder will notice or report the fraudulent activity. When payments are used for testing, they are usually for a small amount making them similarly less likely to be noticed or reported.
How does card testing impact my business?
Card testing can mean a large number of fraudulent transactions in quick succession resulting in additional fees and possible interruption in processing until recommended filters are implemented.
How do I protect my business?
Make sure you have completed the mandated annual PCI Compliance Questionnaire. Having a PCI-compliant processing account is the first and strongest line of defense against card testing and other types of e-commerce fraud.
Recommended filters to help deter card testing:
- Add CAPTCHA to your website, make sure it requires validation on all requests that enable card validations or payments
- Use a layered validation approach that employs Card Validation Codes (CVV2) and Address Verification Services (AVS)
- Require purchasers to login or require session validation
- Make sure logins have a password complexity requirement
- Lock out an account after a set number of incorrect attempts
- Inject random pauses (i.e. throttling) when checking an account to slow brute force attacks that are dependent on time
Your gateway may offer the following fraud protection tools:
- Use velocity checks for small and large transactions or authorization only transactions
- Look for excessive usage and bandwidth consumption from a single user
- Look for multiple tracking elements in a purchase linked to the same device. (Example, multiple transactions with different cards using the same e-mail address and same device ID)
- Look for logins for a single account coming from many IP addresses
- Lock out an account if a user guesses the username or password and any account authentication data incorrectly after a set number of login attempts
If you have questions, our knowledgeable staff is here to assist. Email email@example.com or call 800.563.5981, option 2.