PRODUCT BULLETIN
Credit Card Testing: What You Need to Know
Learn what it is, how it looks, and the PayConex® tools available for mitigation
Fraudsters use card testing to determine whether stolen credit card information is valid. This information may have been purchased on the Dark Web from a data breach or could have been stolen directly by the fraudster using phishing, ransomware or other hacking methods.
Once they have the stolen information, they will attempt several small purchases on an Ecommerce page to see if the card is still active. They do this because cards are often stolen weeks or months prior and may have been deactivated by the cardholder or bank.
If the transaction is successful, they can then move on to use that card for bigger purchases on other websites or they can resell that card information to someone else.
Several standard security elements can be enabled on your payment page. These include AVS (Address Verification Service), requiring the CVV of the card and requiring the zip code for purchase. Each will make it more difficult for fraudsters to perform card testing.
Enabling Google’s reCAPTCHA on your Hosted Payment Form (HPF) enhances online payment security by preventing a fraudster from submitting a payment form using automated bots or scripts. There are multiple types of reCAPTCHA tests available, ranging from a real-life image challenge to a simple checkbox. This is a free service.
There are several transaction monitoring tools that you can set up, such as velocity limits and velocity controls. An example of a velocity control is blocking the same transaction amount or the same transaction type. This feature applies to Bluefin’s Ecommerce PayConex merchants that utilize the HPFs, Transparent Redirect or the PayConex API.
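The sketch below is an added example, not PayConex code or configuration. It shows how a velocity limit (attempts per source within a time window) and a same-amount velocity control behave on a constructed burst of small transactions. The class name, the thresholds and the choice to key both rules on client IP are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Txn:
    ts: int        # seconds since the start of the sample
    ip: str        # client IP seen by the payment page
    last4: str     # last four digits of the card
    amount: str    # decimal string, e.g. "1.00"

class VelocityMonitor:
    # Thresholds are assumptions for illustration, not PayConex defaults.
    def __init__(self, window=600, max_per_ip=5, max_same_amount=3):
        self.window = window
        self.max_per_ip = max_per_ip
        self.max_same_amount = max_same_amount
        self._by_ip = defaultdict(deque)      # ip -> attempt timestamps
        self._by_amount = defaultdict(deque)  # (ip, amount) -> timestamps

    def _count(self, q, now):
        # Expire attempts outside the sliding window, then record this one.
        # Blocked attempts are recorded too, so a persistent source stays blocked.
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q)

    def check(self, t):
        """Return the rules this attempt trips; an empty list means allow."""
        hits = []
        if self._count(self._by_ip[t.ip], t.ts) > self.max_per_ip:
            hits.append("velocity_limit_ip")
        if self._count(self._by_amount[(t.ip, t.amount)], t.ts) > self.max_same_amount:
            hits.append("same_amount_repeat")
        return hits

# Constructed sample: two ordinary purchases and one burst of $1.00 attempts
# with a different card each time (documentation-range IPs, made-up last4s).
SAMPLE = [Txn(0, "198.51.100.7", "1111", "42.50"),
          Txn(400, "198.51.100.7", "1111", "18.99")]
SAMPLE += [Txn(10 + 20 * i, "203.0.113.9", f"{4000 + i}", "1.00") for i in range(8)]
SAMPLE.sort(key=lambda t: t.ts)

def run_sample():
    monitor = VelocityMonitor()
    return [(t.ts, t.ip, monitor.check(t)) for t in SAMPLE]

if __name__ == "__main__":
    for ts, ip, hits in run_sample():
        print(f"t={ts:>3}s {ip:<13} {'BLOCK ' + ','.join(hits) if hits else 'allow'}")
```

In the sample, the same-amount rule trips on the fourth $1.00 attempt, before the per-IP limit is reached on the sixth, while the ordinary customer is never blocked.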
For merchants, fraudulent credit or debit card transactions can occur quickly, resulting in significant damage to the merchant before the problem is identified.
In card testing, fraudsters submit a small transaction that they hope will be accepted, to test whether the stolen or bogus card information will work for more significant purchases. Once the transaction is authorized, fraudsters will know if the card is working. They can then use the stolen information to make more expensive purchases or sell it on the black market.
Even if fraudsters’ credit cards are declined, they can still learn valuable information from the transaction that will enable them to commit future crimes. That’s because some merchants have their credit card processing settings configured to provide the user with specific information about why a transaction was declined.
If the message comes back that one component of your payment credentials doesn’t match (e.g., address), fraudsters will know what piece of info they need from you.
Card testing can be extremely costly for merchants, resulting in thousands of dollars in unauthorized transactions and a shutdown of your processing account. Additional consequences include:
There are simple steps that your business can take to prevent and mitigate card testing. These include:
Each of these tools can be set up through your PayConex account. If you do not use PayConex for your Ecommerce processing, please speak with your provider about their fraud management tools.
As good business practice, you should also put processes in place to:
reCAPTCHA protects websites from spam by ensuring that forms are filled out by human users, not bots or other automated processes.
Did you know that CAPTCHA is an abbreviation for “Completely Automated Public Turing test to tell Computers and Humans Apart”?
It is easy for humans to solve, but difficult for malicious software to figure out. By adding reCAPTCHA to a site, you can block automated bots from gaining access while letting legitimate users easily log in.
The reCAPTCHA API allows you to integrate the reCAPTCHA service into your website or application. It is available for free and does not require any registration.
The Address Verification Service (AVS) is used to ensure that customers are not engaging in fraud when they pay by credit card over the phone or online.
AVS was initially designed for mail and catalog orders. However, it is now most commonly used by Ecommerce merchants to verify that the billing information provided by customers shopping on their websites is real.
An AVS check is a fraud prevention tool used by credit card processing companies to verify that the billing address provided by a customer is legitimate. It works by comparing the information on file for your credit card to the billing address provided by the customer. If there’s a discrepancy, AVS can trigger a decline and prevent fraud from taking place.
Because AVS can verify the card number’s validity, seeing a full match during order review provides basic assurance that a transaction is not fraudulent.
IP address blocking – also known as IP banning – is a network service configuration that blocks requests from certain hosts based on their IP addresses.
Mostly used to prevent spam bots, hackers and malicious threats from accessing your website, it can also be used to block specific users or IP addresses to and from a particular geographical area.
IP address blocking is a method by which specific or restricted IP addresses can be excluded from accessing a network. It is usually done to keep unwelcome or harmful sites and hosts from entering the server or node.
IP blocking is a common tool used by companies to prevent intrusion, grant remote access to company employees or restrict the kinds of websites that can be accessed by staff.
Schools and other academic institutions deploy IP address blocking to protect sensitive information from unauthorized access, as well as censor content.