Preventing Card Testing Fraud in 2020
When it comes to optimizing ways to spend other people’s money, fraudsters can be pretty sensible. One of the first things a fraudster will do when they acquire a new stolen credit card number is make a very low dollar amount purchase with a merchant. If this test purchase goes through, they know they can make another, larger purchase with that merchant. If it’s declined, they might learn more information about the card from the decline message. Either way, it’s bad news for the merchant. What can merchants do to prevent fraudsters from using them for card testing?
Card testing, also known as card cracking, is one of the most common—and fastest-growing—forms of ecommerce fraud. Card testing rates have doubled in recent years, and while these transactions may involve small amounts of money, they can do serious damage to a merchant’s revenue and reputation.
Fraudsters have to be careful with newly acquired payment credentials—too many declines on big, noticeable purchases and the card will get shut off before they can buy anything with it. Often, they’ll have incomplete credentials that might get past some merchants, but not all of them.
What Makes Card Testing Dangerous for Merchants?
Card testing is a trial run that’s insignificant enough, the fraudster hopes, that it won’t raise any major flags if it gets declined—once, twice, or multiple times. If the transaction is authorized, the fraudster now has a successful payment history with that card and that merchant, so the next purchase they make will probably be accepted as well, even if it’s for a much larger amount.
Even declines can be useful to the fraudster, because some merchants have their payment processor settings configured to provide cardholders with specific information about why their transaction was declined. If the message comes back that the card was declined because the address didn’t match, the fraudster knows what piece of the payment credentials puzzle they’re missing.
Card testing harms merchants in several different ways. First, even those “insignificant” test purchases usually turn into chargebacks when the card’s real owner reads their monthly statement. Declines are harmful, too: too many of them, and your payment processor may classify you as “high risk,” which can lead to increased fees and other negative consequences. On top of that, automated card testing bots can overload your network traffic and cause transactions from legitimate customers to time out and fail.
How can merchants protect themselves from card testing? As with much of ecommerce fraud, it takes a combination of effective in-house strategies and the right external tools.
What Can I Do In-House to Stop Card Testing?
A few adjustments to your internal procedures can go a long way toward screening out card testing attempts. Here’s the first and most important thing you can do:
- Turn on AVS and CVV matching requirements in your online payment gateway.
Addresses and CVV numbers are typically harder for fraudsters to get their hands on than card numbers and expiration dates. Simply turning on the option to require this information at checkout will stop many card testers cold.
While you’re adjusting the settings in your payment gateway, you should also make sure your authorization decline messages aren’t conveying any information that could be useful to the fraudster. If they know why declines are happening, they might have an easier time figuring out how to get the cards to work for them.
Beyond that, there are several other strategies you can use:
- Monitor small order activity. Multiple small orders within a short time frame are the number one clue that card testing is happening. These purchases may be on the same card, or on dozens of different ones. If you see a cluster of orders that fits this pattern, you should take a very close look at them for other signs of fraud.
- Monitor IP addresses. The majority of card testing attempts originate from outside the United States, so this is another possible indicator of fraud, especially if you see it in conjunction with other signs. Merchants may also want to adjust their payment gateway settings to block multiple orders from the same IP address within a short time frame.
- Blacklist bad actors. If you suspect a customer of card testing, put them on a blacklist and block them from making any future purchases. Study after study shows that fraudsters almost always retarget merchants they’ve successfully victimized.
When you suspect fraud but you aren’t sure, you can always try giving the customer a phone call or sending an email to verify the purchase.
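The small-order and IP monitoring described in the list above can be automated with a sliding-window check over your order log. This is an added example, not code from the original article: the order fields, the $5 cutoff, the 10-minute window and the threshold of three orders are assumptions to tune against your own traffic, and the sample orders are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMALL_AMOUNT = 5.00               # assumed cutoff for a "small" order
WINDOW = timedelta(minutes=10)    # assumed "short time frame"
MAX_SMALL_ORDERS = 3              # assumed: more than this per window is suspicious

# Constructed sample data: (time, source IP, card token, amount, authorized)
ORDERS = [
    ("2020-03-01T10:00:05", "203.0.113.7", "card_a", 1.00, False),
    ("2020-03-01T10:00:40", "203.0.113.7", "card_b", 1.00, False),
    ("2020-03-01T10:01:10", "203.0.113.7", "card_c", 1.00, True),
    ("2020-03-01T10:01:55", "203.0.113.7", "card_d", 1.00, False),
    ("2020-03-01T10:02:00", "198.51.100.20", "card_x", 84.50, True),
    ("2020-03-01T10:30:00", "198.51.100.20", "card_x", 3.25, True),
    ("2020-03-01T14:10:00", "192.0.2.44", "card_y", 4.00, True),
]


def find_small_order_clusters(orders, group_by="ip"):
    """Return the largest burst of small orders per source IP or card token."""
    col = {"ip": 1, "card": 2}[group_by]
    windows = defaultdict(deque)   # group -> small orders still inside the window
    flagged = {}
    for row in sorted(orders, key=lambda r: r[0]):
        when, amount = datetime.fromisoformat(row[0]), row[3]
        if amount > SMALL_AMOUNT:
            continue               # only low-value orders count toward a burst
        win = windows[row[col]]
        win.append((when, row[2], row[4]))
        while when - win[0][0] > WINDOW:
            win.popleft()          # drop orders older than the window
        if len(win) > MAX_SMALL_ORDERS:
            best = flagged.get(row[col], {"orders": 0})
            if len(win) > best["orders"]:
                flagged[row[col]] = {
                    "orders": len(win),
                    "cards": len({card for _, card, _ in win}),
                    "declines": sum(1 for _, _, ok in win if not ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_small_order_clusters(ORDERS).items():
        print(f"review orders from {ip}: {stats}")
```

Many distinct cards and a high decline count from one IP inside the window match the "dozens of different cards" pattern; grouping by `"card"` instead catches repeated small attempts on a single card.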
What External Tools Should Merchants Use?
A PCI-compliant payment gateway can be the first and strongest line of defense against card testing and other types of ecommerce fraud. This should include AVS and CVV matching plus up-to-date fraud screening features.
Other automated tools can help by applying rules to flag suspicious orders or IP addresses, or integrating with your CRM to facilitate blacklisting so you can block potentially fraudulent orders from known or suspected fraudsters.
Anti-fraud protocols like 3-D Secure can also prevent card testing. You do, however, have to remember that some tools can be obtrusive to the customer experience. Every merchant has to figure out which tools and solutions are right for them—and measure how effectively they’re working.
One way to find out if you’re succeeding at preventing card testing is to analyze your chargebacks. If you’re stopping card testing at the gateway level or earlier, you won’t be seeing as many true fraud chargebacks for low dollar amounts.
Card testing can be especially insidious in terms of chargebacks because you can get so many transactions in a short span of time. This can quickly drive up your chargeback rate, endangering the stability of your merchant accounts.
If your in-house solutions aren’t working, chargeback management companies can be helpful at getting card testing problems under control. The right chargeback experts can provide you with the chargeback analytics you need to identify card testing patterns, and will be able to recommend the right anti-fraud tools and gateway settings for your specific situation.