What is Card Testing And How Does It Work?
Card testing is a type of fraud where a fraudster uses stolen card info to make a small purchase on an e-commerce site to check if the card is active and if the purchase can evade the merchant’s fraud detection system. If successful, the fraudster makes larger purchases with the card before they are detected.
In a typical card testing attack, fraudsters acquire stolen full or partial card data and try to determine if the stolen or generated card information they have is valid or not. They do this by using authorizations or payments.
- Authorizations are the preferred method to test cards, as authorizations don’t show up on cardholder statements. Hence, these are less likely to be noticed and reported for fraud by the cardholder. Fraudsters procure stolen card data and use digital tools like bots and scripts to rapidly submit thousands of card-not-present (CNP) transaction authorization requests on an e-commerce site. If left undetected, this can result in thousands of dollars of fees for declined transactions for the merchant.
- Fraudsters make low-value purchases with smaller payments, which can go unnoticed by the cardholder. Donation websites and merchants that deal in small-value purchases are ideal targets for card testers.
Fraudsters have to be careful to avoid too many declines on large, noticeable purchases, or else the card will get blocked before they can carry out the fraud. In some cases, fraudsters have incomplete payment info that they can use only with merchants who don’t have strong fraud prevention tools. Hence, they often target small and medium businesses that are weak on payment security.
Why is Card Testing Bad For Merchants?
Card testing can hurt e-commerce merchants in several ways, getting worse over time if it continues. Some of these are:
- Disputes: In some cases, fraudsters make many small test payments to avoid detection. These fraudulent payments, no matter how insignificant, will show up on cardholder statements, leading to disputes that will cost you a lot of time and money to settle.
- Higher decline rates: Card testing usually causes a large number of payment declines, leading your business to be classified as high risk. This could lead to increased fees, fines, and a loss of reputation. Automated card testing bots can also overload your network traffic, causing legitimate transactions to fail and leading to higher decline rates, even after testing stops.
- Higher costs: Card testing can lead to higher costs, such as dispute fees and the per-authorization fees charged on custom pricing plans.
- Infrastructure strain: Card testing puts a lot of strain on your network because of numerous network requests and operations, overburdening your infrastructure and disrupting legitimate activity.
How Do You Identify Card Testing?
Some of the key indicators of card testing include:
- Unusually high volumes of card authorizations on small payment amounts in rapid succession
- High volumes of identical authorization requests
- Sharp increase in declines
- Sharp increase in issuing bank/payment method provider authorization mismatches
How Do You Prevent Card Testing?
To mitigate card testing attacks that are already in progress, merchants should first identify ongoing card testing activity. Once they have identified such activity, they can fight the attack by changing the defined rule logic in their fraud solution. If a majority of declines are from the same card number, the fraudster probably has the correct details. In such cases, merchants should immediately block the card.
In cases where the card testing attempts share the same phone number, email address, IP address, or device ID, merchants should block that IP address or device tag, taking care not to raise false positives for legitimate customers.
Here are a few strategies to follow to prevent card testing attacks:
- Monitor transaction activity: Multiple small-value orders within a short time frame with the same customer attributes are the surest indicator of card testing. These purchases may be on the same card or multiple different ones. You might also notice an increase in failed authorization notifications. You should have a system in place to flag and review these transactions carefully.
- Increase the number of required matching security elements: Enabling AVS, CVV, expiration date, and CAVV matching will make card testing attempts more difficult for fraudsters. Ensure you use a PCI DSS compliant payment gateway.
- Use Velocity Checking: Enabling velocity checking in your fraud solution can help you stop card testers. Update your velocity checking rules to include counting of customer attributes (e.g., email, phone, address, IP, device, payment) to foil attacks.
- Implement Device Fingerprinting: You can use device fingerprinting to establish a unique identifier for every device that accesses your website. You can track devices that are associated with fraudulent patterns and block them from further access if you suspect card testing.
- Integrate Google captcha into your payments: If you notice a specific fraud pattern (e.g., specific VPNs, ISPs, BINs, and names), you can use captchas based on these parameters to prevent fraudsters from bypassing the system.
- Deploy 3D Secure: 3D Secure uses multi-factor authentication to verify transactions. It brings an additional layer of security to your payments and reduces the possibility of card-not-present fraud and any chargebacks that could result from this.
- Blacklist bad actors: Blacklist and block bad actors that you suspect of card testing from making future purchases. Research has shown that fraudsters almost always re-target merchants they’ve successfully targeted in the past.
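As an added illustration (not code from the original article or from Novalnet), the following Python combines the indicators listed under "How Do You Identify Card Testing?" with the attribute-based velocity checking and the block-the-card versus block-the-device response described above. The authorization log, thresholds, and attribute names are all constructed assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample authorization log (not real traffic):
# (timestamp, amount, card_token, ip, device_id, email, outcome)
AUTH_LOG = [
    ("2024-03-01T10:00:00", 1.00, "tok_c1", "203.0.113.7", "dev_9f", "a@example.test", "declined"),
    ("2024-03-01T10:00:03", 1.00, "tok_c2", "203.0.113.7", "dev_9f", "a@example.test", "declined"),
    ("2024-03-01T10:00:05", 1.00, "tok_c3", "203.0.113.7", "dev_9f", "a@example.test", "approved"),
    ("2024-03-01T10:00:08", 1.00, "tok_c4", "203.0.113.7", "dev_9f", "a@example.test", "declined"),
    ("2024-03-01T10:00:11", 1.00, "tok_c5", "203.0.113.7", "dev_9f", "a@example.test", "declined"),
    ("2024-03-01T10:00:14", 1.00, "tok_c6", "203.0.113.7", "dev_9f", "a@example.test", "approved"),
    ("2024-03-01T10:00:16", 1.00, "tok_c7", "203.0.113.7", "dev_9f", "a@example.test", "declined"),
    ("2024-03-01T10:02:00", 49.99, "tok_l1", "198.51.100.2", "dev_33", "b@example.test", "approved"),
]

WINDOW = timedelta(minutes=5)  # look-back window per attribute (assumed)
MAX_ATTEMPTS = 5               # attempts inside the window before flagging
MAX_DECLINES = 3               # declines inside the window before flagging
SMALL_AMOUNT = 5.00            # "test" purchases are typically tiny

def velocity_flags(events, window=WINDOW, max_attempts=MAX_ATTEMPTS,
                   max_declines=MAX_DECLINES, small=SMALL_AMOUNT):
    """Sliding-window velocity check keyed on each customer attribute; flags an
    attribute whose recent activity is many attempts, many declines, small amounts."""
    buckets = defaultdict(deque)  # key -> recent (ts, amount, card, outcome)
    flagged = {}
    for ts_s, amount, card, ip, dev, email, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        for key in (("ip", ip), ("device", dev), ("email", email), ("card", card)):
            q = buckets[key]
            q.append((ts, amount, card, outcome))
            while ts - q[0][0] > window:  # drop entries older than the window
                q.popleft()
            attempts = len(q)
            declines = sum(1 for e in q if e[3] == "declined")
            small_share = sum(1 for e in q if e[1] <= small) / attempts
            if attempts >= max_attempts and declines >= max_declines and small_share >= 0.8:
                flagged[key] = {"attempts": attempts, "declines": declines,
                                "cards": len({e[2] for e in q})}
    return flagged

def recommended_actions(flagged):
    """Block a card that is retried repeatedly (the tester likely has correct details);
    block the IP/device/email when one burst cycles through many different cards."""
    actions = []
    for (kind, value), stats in flagged.items():
        if kind == "card" or stats["cards"] > 1:
            actions.append(("block_" + kind, value))
    return actions
```

Because the checks are keyed per attribute, a burst that rotates card numbers still trips the IP, device and email counters while each individual card key stays below threshold.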
How Can Novalnet Help?
Novalnet offers AI-powered risk management that helps you to prevent fraud before it happens. Our tailor-made fraud prevention solutions use AI and machine learning to protect your business from any fraudster activity, including card testing.
Novalnet’s fraud prevention modules are easy to configure and integrate with your business systems. You can also enable and disable our fraud prevention modules as per your business needs. This ensures you face zero hassles while integrating fraud prevention tools into your business process. Our services are fully compliant with PCI DSS security standards and local laws, which ensures you can process payments with complete peace of mind.
Gowri Shankar is the IT Application Security Manager at Novalnet, with versatile knowledge in programming and system/security architecture. He has 11+ years of experience in the financial services industry, cybersecurity, and the Payment Card Industry Data Security Standard (PCI DSS), and holds the Advanced Payment Card Industry Security Implementer (CPISI 2.0) certification and the Certified Secure Software Lifecycle Professional (CSSLP) certification from (ISC)².