What is Card Testing?
Fraudulent operators are increasingly using card testing to confirm the validity of a stolen credit card before making large purchases with it. They start with small online purchases. If the small purchase goes through, they confirm that a card is valid, and then use it to make larger purchases themselves or sell the card information on the dark web.
Automated bots run thousands of card tests with small charges through a merchant’s unsuspicious and unguarded website. With small amounts, many merchants without secure fraud detection tools won’t pick up on these fraudulent transactions until it’s too late to protect themselves.
An unsuspecting business owner had more than 500,000 transactions processed on his account, resulting in an extremely large invoice from their financial institution.
Clearly, card testing fraud, if not detected or thwarted, can be financially disastrous for any small business. The costs alone are astronomical as well as your reputation as a secure, trustworthy merchant. If your patrons notice your business name associated with suspicious charges on their statements, they will inevitably shy away from working with you.
Protecting your business from card testing fraud
Unfortunately, small businesses and non-profits are usually targeted by card testing swindlers because most lack the required security tools to detect this type of fraud. In addition, non-profits frequently have donation pages collecting few donor details and don’t set minimum limits for donations. These factors make the card testing scheme even easier.
However, you can protect your website and business from card testing fraud with these steps. Mike Krause at Sales Sense Payments can help you implement these quickly and easily.
1. Match CVV (Card Verification Value) Codes
The 3- or 4-digit Card Verification Value (CVV) codes stamped on the back of a credit or debit card are designed to prevent all types of fraud during card-not-present transactions. Merchants cannot store these codes locally or on their servers, making them more difficult to steal. Most criminals have only have the credit card numbers on hand so requesting the CVV as verification thwarts their activity.
Although you don’t technically have to ask for the CVV for online purchases, it’s highly recommended that you do. Having your customers enter their card’s CVV code is another step proving that they have the actual card in their possession, assuring you that the transaction is valid.
2. Implement AVS controls
The Address Verification Service (AVS) is a verification feature of merchant process comparing the customer’s typed-in address with the cardholder’s issuing bank. AVS is useful in confirming the card’s validity and helps reduce chargebacks because by endorsing the customer’s identity.
Use AVS as another barrier to your business’s defense against online fraud attempts.
3. Use velocity checks
Implement velocity check tools (often called velocity controls) to screen the rate at which a customer submits transactions. If you’re receiving a large number of transactions during an unnaturally short time period, the velocity controls can alert or limit those transactions automatically.
Your business’s velocity check settings will greatly depend on your usual volume of transactions. Review your transaction data with Mike Krause of Sales Sense Payments, then set the appropriate velocity settings fitting your business needs.
4. Avoid too-specific decline messages
Make it difficult for a card testing swindler to get details on why a card is declined. When their credit card is declined, keep the explanation generic and skip the details.
For example, if the fraudster tries to enter a credit card but enters the wrong AVS or CVV code, don’t explain what was wrong. Provide a general decline response and make them decide it isn’t worth the time or trouble to determine what information was wrong.
5. Monitor incoming IP addresses
Typically, credit card testing activities start from outside the U.S., so check transactions originating from a non-U.S. IP address. Be extremely cautious if a non-U.S. customer’s IP address is enacting additional signs of fraud, such as sending numerous transactions in a short timeframe.
Ask Mike Krause if your payment gateway settings allow you to curtail or limit orders from questionable IP addresses.
6. Blacklist swindlers
Fraudsters generally target businesses that they have been successful at stealing from in the past. If you suspect a customer of card testing (really, any type of fraud against you), add them to a blacklist and prevent them from all purchases from you.
Protect Your Business from Card Testing Fraud
There are steps you can take in your business to secure your business against card testing. Adding these suggestions will help limit fraud attacks on your website.
We understand that adding complexity to online purchases is off-putting to businesses and customers because these add more steps and time to the transaction.
For example, requesting the CVV adds another step and key entry to the checkout process. And, in some instances, fraud prevention tactics may mean higher expenses. Enacting AVS, as an example, has an added fees.
Card testing and other types of fraud are real and increasing daily, making your business vulnerable if you don’t take steps to protect your transactions. Card testing is just one of the many types of fraud merchants like you are battling. If the increase of ecommerce is any indication, fraud practices will continue to evolve and increase. It would be better to protect yourself and your business now instead of falling prey in the future.
If you are concerned about merchant processing costs, contact Mike Krause at Sales Sense Payments. He will perform a free analysis of your current merchant processing expenses and help you find ways to protect yourself while keeping your costs as low as possible.
Contact Mike Krause at Sales Sense Payments today! He will analyze your merchant processing statement free of charge and help you find ways to save. Call Mike at (305) 732-1234, or visit SalesSensePayments.com.