Card Testing Fraud Explained — Plus 6 Ways to Prevent It

Card Testing Fraud Explained — Plus 6 Ways to Prevent It

There are plenty of great reasons to be an online merchant. We all know that ecommerce is on the rise, and consumers are increasingly choosing to shop online. Industry data shows that in Q3 of 2020, shoppers spend nearly $199.44 billion online — a 37.1% increase from the same time last year. 

Convenience is easily one of the big drivers of ecommerce. The ability to transact remotely and accept credit cards without having to interface with customers is highly convenient for merchants and shoppers alike. 

That said, accepting credit cards online has its downsides, chief of which is the fact that you’re more susceptible to fraud. 

And one type of fraud that’s been making waves lately is card testing fraud, which increased by 200% in 2017, according to a study by Radial.

What is card testing fraud?

Card testing is a tactic used by fraudsters to “test” stolen credit card information. Fraudsters do this by making small purchases on a website to determine the validity of a credit card. If a purchase goes through, they’ll know that a card is valid, and they can use it to make larger purchases or sell the card information on the dark web.

These days, the card testing process is implemented by bots that run thousands or hundreds of thousands of small dollar charges through a merchant’s unsuspecting website. Because the amounts are small, merchants that lack tight fraud detection tools often don’t catch these fraudulent charges before it’s too late. 

One business owner, for example, had 600,000 authorizations come through on his account, resulting in a $50,000 bill from First Data. 

Needless to say, falling victim to card testing fraud can be disastrous for small businesses, not just in terms of costs, but also when it comes to your reputation. When customers see your merchant name on their statement alongside suspicious charges, they’ll likely associate your brand with fraudulent activity

Ways to Prevent Card Testing Fraud

Small businesses and non-profits are the usual victims of card testing fraud because most of them lack sophisticated tools to detect the practice. And in the case of non-profits, these organizations often have donation pages that collect minimal details and don’t have minimum limits for donations. As such, they pave an easy way for fraudsters to test cards. 

Here’s the good news: there are ways to prevent card testing fraud. Consider the following.

1. Enable CVV matching

Card Verification Value or CVV codes — the 3- or 4-digit code on the back of a credit or debit card — are made specifically to prevent fraud during card-not-present transactions. Merchants aren’t allowed to store these codes, which makes them more difficult to steal. In many instances, criminals may only have the credit card numbers on hand.  

While you’re not technically required to ask for the CVV, it’s highly recommended that you do you so. Having customers enter the CVV code on their card helps ensure that they have the card in their possession, which tells you that the transaction is valid. 

2. Have AVS controls in place

Address Verification Service or AVS is a feature that compares the customer’s address with the cardholder’s issuing bank. AVS can be handy in confirming a card’s validity and the service can also minimize chargebacks because it helps confirm a customer’s identity. 

While not foolproof, it’s a good idea to add AVS to your line of defense against fraud. 

3. Implement velocity checks or velocity controls

Use velocity check tools (aka velocity controls) to monitor the rate at which a buyer submits transactions. If a buyer is initiating a large number of transactions in an unnaturally short period of time, your velocity controls can flag or limit those transactions before it’s too late. 

Every merchant is different, so the right velocity check settings depend on your typical transaction volume. Analyze your store data then go with the velocity settings that fit your business needs. 

4. Don’t use decline messages that are too specific 

Don’t make it easier for fraudsters to get the information they need. When a credit card is declined, avoid using responses that provide decline details.

For example, if a buyer attempts to use a credit card but enters the wrong CVV code or zip, you shouldn’t spell that out to them. Simply provide a general decline response and let them figure out what information isn’t valid. 

5. Keep an eye on IP addresses

Most credit card testing attempts originate from outside the United States so pay close attention to transactions that are initiated from a non-U.S. IP address. Be especially wary if a non-U.S. “buyer” is showing additional fraud signs (like trying to initiate multiple charges in a short period of time.)

Your payment gateway settings may allow you to limit orders from suspicious IP addresses.

6. Put suspects on a blacklist 

Fraudsters commonly target merchants that they’ve successfully victimized in the past, so once you suspect a buyer of committing card testing (or any type of fraud for that matter), put them on a blacklist and don’t let them purchase from you again. 

The fraud prevention dilemma

As you can see, there are several steps you can take to combat tactics like card testing, and implementing the above tips will most likely limit fraud attacks on your website. 

That said, merchants may resist implementing some of these practices because they add a layer of complexity to the customer experience. 

Asking for the CVV, for example, adds another step to the checkout process, which may reduce conversions. In some cases, fraud prevention means higher expenses. AVS, for example, comes with added fees. 

While these are all valid concerns, you shouldn’t lose sight of the fact that fraud is real, serious, and increasing. Card testing is just one form of fraud that’s plaguing merchants, and if the growth of ecommerce is any indication, fraud practices will continue to increase. It’s best to protect yourself now rather than risk falling prey in the future. 

If you’re concerned about the additional costs, weigh your options. Study the rates of fraud in your vertical including how often it occurs and the typical amount that merchants end up paying, then use that info to calculate how much to spend on fraud detection. 

It’s also worth finding ways to save in other areas, so you can invest more in detecting and preventing fraud. For example, you could consider renegotiating your credit card processing fees or switching to another payment processor to lower your rates. 

At Payment Depot, for example, we save merchants an average of $400 a month in credit card processing. With our membership pricing structure, we don’t take a cut out of your sales; we simply charge a fixed monthly fee, so you get to keep more of your profits and have the funds to invest in your business. 

Get in touch with Payment Depot today. We’ll analyze your merchant statement and help you find ways to save.  

Want to save 40% on payment processing? Let's Talk!

"*" indicates required fields