PRODUCT BULLETIN

For merchants, fraudulent credit or debit card transactions can occur quickly, resulting in significant damage to the merchant before the problem is identified.

Card testing is a small transaction that fraudsters hope will be accepted so they can test whether the stolen or bogus card information works with more significant purchases. Once the transaction is authorized, fraudsters will know if the card is working. They can then use the stolen information to make more expensive purchases or sell it on the black market.

Even if fraudsters’ credit cards are declined, they can still learn valuable information from the transaction that will enable them to commit future crimes. That’s because some merchants have their credit card processing settings configured to provide the user with specific information about why a transaction was declined.

If the message comes back that one component of your payment credentials doesn’t match (e.g., address), fraudsters will know what piece of info they need from you.

Card testing can be extremely costly for merchants, resulting in thousands of dollars in unauthorized transactions and a shutdown of your processing account. Additional consequences include:

• Customer disputes: Sometimes card testing is successful, resulting in a fraudulent card transaction. Customers can dispute these charges, which can result in chargebacks that cost a business time and money to resolve.
• Increased decline rates: Card testing increases the ratio of declined credit card transactions, which increases risk for your customers, card issuers and card networks. Even after a business is able to stop card testing, decline rates can continue to affect legitimate transactions due to the surrounding suspicion of fraud and a lower trust in the merchant by the issuer.
• Costs and reputational risk: Costs surrounding card testing include dispute fees, interchange fees, resolution fees and hours of work spent to resolve fraudulent charges. Additionally, there can be a reputational risk. Fraudulent purchases caused by card testing can damage relationships between businesses, processors, brands and customers, increasing risk, doubt and loss of business for all involved.

There are simple steps that your business can take to prevent and mitigate card testing. These include:

• Enabling Google’s free reCAPTCHA service on your checkout
• Enabling Address Verification (AVS) on your checkout
• Requiring the card CVV and the customer’s zip code on your checkout
• Setting up transaction monitoring tools, including velocity controls
• Learning more about IP blocking and if it is right for you

Each of these tools can be set up through your PayConex account. If you do not use PayConex for your Ecommerce processing, please speak with your provider on their fraud management tools.

As good business practice, you should also put processes in place to:

• Monitor transaction activity. Monitoring purchases made with multiple credit cards within a short time frame is one way to identify card testing. These purchases may be for the same account or dozens of different ones, and your company should have a procedure in place that flags such orders so they can be reviewed more thoroughly.
• Monitor IP addresses. The majority of fraudulent card testing attempts originate from outside the United States, which is another possible indicator that a transaction is fraudulent – especially if a number of other signs are present at the same time. Merchants should also consider setting their payment gateway to block multiple orders from the same IP address within a short time frame.
• Blacklist bad actors. If you suspect that a customer is card testing, blacklist them and prevent future purchases. Fraudsters tend to target the same merchants they have successfully victimized in the past. Therefore, if a merchant allows one fraudulent transaction to go through and then blocks the customer’s card, they are likely to try again with a different card or using a different IP address. The safest course of action is to blacklist bad actors so that they cannot successfully test any other cards.

reCAPTCHA protects websites from spam by ensuring that human users are caught in the act of filling out forms, not bots or other automated processes.

Did you know that a CAPTCHA is an abbreviation for “Completely Automated Public Turing test to tell Computers and Humans Apart?”

It is easy for humans to solve, but difficult for malicious software to figure out. By adding reCAPTCHA to a site, you can block automated bots from gaining access while letting legitimate users easily log in.

The reCAPTCHA API allows you to integrate the reCAPTCHA service into your website or application. It is available for free and does not require any registration.

The Address Verification Service (AVS) is used to ensure that customers are not engaging in fraud when they pay by credit card over the phone or online.

AVS was initially designed for mail and catalog orders. However, it is now most commonly used by Ecommerce merchants to verify that the billing information provided by customers shopping on their websites is real.

An AVS check is a fraud prevention tool used by credit card processing companies to verify that the billing address provided by a customer is legitimate. It works by comparing the information on file for your credit card to the billing address provided by the customer. If there’s a discrepancy, AVS can trigger a decline and prevent fraud from taking place.

Because AVS can verify the card number’s validity, seeing a full match during order review provides basic assurance that a transaction is not fraudulent.

IP address blocking – also known as IP banning – is a network service configuration that blocks requests from certain hosts based on their IP addresses.

Mostly used to prevent spam bots, hackers and malicious threats from accessing your website, it can also be used to block specific users or IP addresses to and from a particular geographical area.

IP address blocking is a method by which specific or restricted IP addresses can be excluded from accessing a network. It is usually done to keep unwelcome or harmful sites and hosts from entering the server or node.

IP blocking is a common tool used by companies to prevent intrusion, grant remote access to company employees or restrict the kinds of websites that can be accessed by staff.

Schools and other academic institutions deploy IP address blocking to protect sensitive information from unauthorized access, as well as censor content.