Card Testing Fraud Explained — Plus 6 Ways to Prevent It
There are plenty of great reasons to be an online merchant. We all know that ecommerce is on the rise, and consumers are increasingly choosing to shop online. Industry data shows that in Q3 of 2020, shoppers spend nearly $199.44 billion online — a 37.1% increase from the same time last year.
Convenience is easily one of the big drivers of ecommerce. The ability to transact remotely and accept credit cards without having to interface with customers is highly convenient for merchants and shoppers alike.
That said, accepting credit cards online has its downsides, chief of which is the fact that you’re more susceptible to fraud.
And one type of fraud that’s been making waves lately is card testing fraud, which increased by 200% in 2017, according to a study by Radial.
What is card testing fraud?
Card testing is a tactic used by fraudsters to “test” stolen credit card information. Fraudsters do this by making small purchases on a website to determine the validity of a credit card. If a purchase goes through, they’ll know that a card is valid, and they can use it to make larger purchases or sell the card information on the dark web.
These days, the card testing process is implemented by bots that run thousands or hundreds of thousands of small dollar charges through a merchant’s unsuspecting website. Because the amounts are small, merchants that lack tight fraud detection tools often don’t catch these fraudulent charges before it’s too late.
One business owner, for example, had 600,000 authorizations come through on his account, resulting in a $50,000 bill from First Data.
Needless to say, falling victim to card testing fraud can be disastrous for small businesses, not just in terms of costs, but also when it comes to your reputation. When customers see your merchant name on their statement alongside suspicious charges, they’ll likely associate your brand with fraudulent activity.
Ways to Prevent Card Testing Fraud
Small businesses and non-profits are the usual victims of card testing fraud because most of them lack sophisticated tools to detect the practice. And in the case of non-profits, these organizations often have donation pages that collect minimal details and don’t have minimum limits for donations. As such, they pave an easy way for fraudsters to test cards.
Here’s the good news: there are ways to prevent card testing fraud. Consider the following.
1. Enable CVV matching
Card Verification Value or CVV codes — the 3- or 4-digit code on the back of a credit or debit card — are made specifically to prevent fraud during card-not-present transactions. Merchants aren’t allowed to store these codes, which makes them more difficult to steal. In many instances, criminals may only have the credit card numbers on hand.
While you’re not technically required to ask for the CVV, it’s highly recommended that you do you so. Having customers enter the CVV code on their card helps ensure that they have the card in their possession, which tells you that the transaction is valid.
2. Have AVS controls in place
Address Verification Service or AVS is a feature that compares the customer’s address with the cardholder’s issuing bank. AVS can be handy in confirming a card’s validity and the service can also minimize chargebacks because it helps confirm a customer’s identity.
While not foolproof, it’s a good idea to add AVS to your line of defense against fraud.
3. Implement velocity checks or velocity controls
Use velocity check tools (aka velocity controls) to monitor the rate at which a buyer submits transactions. If a buyer is initiating a large number of transactions in an unnaturally short period of time, your velocity controls can flag or limit those transactions before it’s too late.
Every merchant is different, so the right velocity check settings depend on your typical transaction volume. Analyze your store data then go with the velocity settings that fit your business needs.
4. Don’t use decline messages that are too specific
Don’t make it easier for fraudsters to get the information they need. When a credit card is declined, avoid using responses that provide decline details.
For example, if a buyer attempts to use a credit card but enters the wrong CVV code or zip, you shouldn’t spell that out to them. Simply provide a general decline response and let them figure out what information isn’t valid.
5. Keep an eye on IP addresses
Most credit card testing attempts originate from outside the United States so pay close attention to transactions that are initiated from a non-U.S. IP address. Be especially wary if a non-U.S. “buyer” is showing additional fraud signs (like trying to initiate multiple charges in a short period of time.)
Your payment gateway settings may allow you to limit orders from suspicious IP addresses.
6. Put suspects on a blacklist
Fraudsters commonly target merchants that they’ve successfully victimized in the past, so once you suspect a buyer of committing card testing (or any type of fraud for that matter), put them on a blacklist and don’t let them purchase from you again.
The fraud prevention dilemma
As you can see, there are several steps you can take to combat tactics like card testing, and implementing the above tips will most likely limit fraud attacks on your website.
That said, merchants may resist implementing some of these practices because they add a layer of complexity to the customer experience.
Asking for the CVV, for example, adds another step to the checkout process, which may reduce conversions. In some cases, fraud prevention means higher expenses. AVS, for example, comes with added fees.
While these are all valid concerns, you shouldn’t lose sight of the fact that fraud is real, serious, and increasing. Card testing is just one form of fraud that’s plaguing merchants, and if the growth of ecommerce is any indication, fraud practices will continue to increase. It’s best to protect yourself now rather than risk falling prey in the future.
If you’re concerned about the additional costs, weigh your options. Study the rates of fraud in your vertical including how often it occurs and the typical amount that merchants end up paying, then use that info to calculate how much to spend on fraud detection.
It’s also worth finding ways to save in other areas, so you can invest more in detecting and preventing fraud. For example, you could consider renegotiating your credit card processing fees or switching to another payment processor to lower your rates.
At Payment Depot, for example, we save merchants an average of $400 a month in credit card processing. With our membership pricing structure, we don’t take a cut out of your sales; we simply charge a fixed monthly fee, so you get to keep more of your profits and have the funds to invest in your business.
FAQs about Card Testing Fraud
Q: What is card testing fraud?
Card testing is a type of fraud where fraudsters “test” stolen credit card information by making small purchases on a website to confirm whether the card is valid. If a purchase goes through successfully, they know the card is valid and use it for larger purchases or sell the card information on the dark web.
Q: What are the consequences of card testing fraud for an online merchant?
Falling victim to card testing fraud can lead to financial loss for businesses due to fraudulent charges. It can also damage the business’s reputation, as customers may associate the brand with fraudulent activity when they see suspicious charges on their statements linked to your merchant account.
Q: Why are small businesses and non-profits often victims of card testing fraud?
Small businesses and non-profits often lack the sophisticated tools required to detect card testing. In the case of non-profits, donation pages that collect minimal details without minimum limits for donations present an easy opportunity for fraudsters to test cards.
Q: What is CVV, and how does it help prevent card testing fraud?
The Card Verification Value (CVV) is a 3- or 4-digit code on the back of a credit or debit card. Merchants cannot store these codes, making them difficult for fraudsters to steal. Asking customers to enter this code helps merchants ensure the customer has the card in their possession, indicating a valid transaction.
Q: What is Address Verification Service (AVS), and how does it prevent card testing fraud?
AVS is a feature that compares the customer’s address with the cardholder’s issuing bank. By confirming the card’s validity and the customer’s identity, AVS can minimize the risk of card testing fraud and chargebacks.
Q: How can velocity check tools prevent card testing fraud?
Velocity check tools monitor the rate at which a buyer submits transactions. If a buyer initiates a high number of transactions in a short period, the tool can detect this unusual activity and flag or limit these transactions to prevent possible card testing fraud.
Q: Why should merchants limit detailed responses when a credit card is declined?
Providing detailed decline responses could inadvertently help fraudsters by indicating what specific information is incorrect or missing. A general decline response is recommended to make it harder for fraudsters to figure out what information is invalid.
Q: How can limiting orders from suspicious, non-U.S. IP addresses help in preventing card testing fraud?
Many card testing attempts originate from outside the U.S. By paying close attention to transactions initiated from non-U.S. IP addresses and limiting orders from suspicious IP addresses, a merchant can reduce the risk of falling victim to card testing fraud.
Q: What is the benefit of blacklisting fraud suspects?
Fraudsters commonly target merchants they’ve successfully victimized in the past. By blacklisting suspected fraudsters, you can prevent them from making future purchases and reduce the risk of further fraud.
Q: Why might some merchants resist implementing fraud prevention measures like CVV requests and AVS checks?
Although these measures can significantly reduce fraud rates, they add an additional step to the checkout process for customers, potentially reducing conversions. Additionally, some services like AVS come with additional fees. Despite these concerns, these measures are crucial in mitigating the risk of card testing fraud, which can have serious financial and reputation consequences.
Q: How can a merchant offset the additional costs of fraud prevention measures?
Merchants can consider renegotiating credit card processing fees or switching to another payment processor to lower their rates. Investing the savings into detecting and preventing fraud can prove to be beneficial in the long run by reducing the financial impact and damage to reputation due to fraudulent activities.