Card Testing Fraud

Table of Contents

  1. What Is Card Testing Fraud?
  2. What Makes Card Testing Dangerous for Merchants?
  3. How Do You Stop Card Testing?
  4. What Tools Should Merchants Use to Prevent Card Testing?
  5. Analyzing and Preventing Fraud Chargebacks
  6. Do Credit Cards Protect Against Fraud?
  7. How Do I Protect Against CNP Fraud?
  8. What Is a Test Credit Card Number?

Card testing is one of the largest threats to modern e-commerce merchants, especially those in the United States. In fact, it was the most common form of fraud experienced by merchants in North America in 2021. It also cuts across the spectrum when it comes to business size, with small, mid-market, and enterprise businesses all reporting high rates of card testing.

While the purchase amounts in card testing attacks are usually small, they hurt merchants in other ways as well. Depending on the transaction amount, successful tests may result in chargebacks for the merchant, and since card testing usually takes place in large batches, a merchant could get hit with a whole lot of chargebacks all at once.

In addition, those chargebacks will increase the merchant's chargeback ratio, putting them at risk of financial consequences from chargeback monitoring programs like the Visa Dispute Monitoring Program. In order to combat this threat, merchants need to know what card testing is, how it works, and what they can do to prevent it.

What Is Card Testing Fraud?

Card testing, also known as card cracking, is when a fraudster with a stolen credit card number makes a small purchase to check if the card is active and if the purchase avoids the merchant's fraud detection measures.

If the small purchase is successful, the fraudster starts making larger purchases to get as much as they can out of the card before the fraud is detected. They may also sell validated card numbers on the dark web for a higher price than they could get for card numbers that haven't been tested.

Fraudsters have to be careful with newly acquired payment credentials—too many declines on big, noticeable purchases and the card will get shut off before they can buy anything with it. Often, they’ll have incomplete credentials that will only work with merchants who don't have effective fraud prevention tools, which is why small to medium size businesses can often become targets for card testing.

Fraudsters will often test large batches of payment credentials all at once using automated software designed for that purpose. Fraudsters can obtain a large quantity of credit card numbers to test by hacking into databases of customer information. Complete payment credentials are often obtained through phishing attacks, which can target millions of potential victims at once.

Some fraudsters also buy stolen payment credentials on the dark web rather than obtaining them on their own. For those who are especially effective at testing and profiting from stolen payment information, this can be a lucrative endeavor.

What Makes Card Testing Dangerous for Merchants?

For merchants, card testing can mean a large number of fraudulent transactions in quick succession. That can mean significant damage has already been done by the time the merchant identifies the problem.

Card testing is a trial run that’s insignificant enough, the fraudster hopes, that it won’t raise any major flags if it gets declined—even multiple times. If the transaction is authorized, the fraudster now has a successful payment history with that card and that merchant, so the next purchase they make will probably be accepted as well, even if it’s for a much larger amount.

Even declines can be useful to the fraudster, because some merchants have their payment processor settings configured to provide cardholders with specific information about why their transaction was declined. If the message comes back that the card was declined because the address didn’t match, the fraudster knows what piece of the payment credentials puzzle they’re missing.

Card testing harms merchants in several different ways. First, even those “insignificant” test purchases often turn into chargebacks when the card’s real owner reads their monthly statement.

Declines are harmful, too: process too many of them, and your payment processor may classify you as “high risk,” which can lead to increased fees and other negative consequences. On top of that, automated card testing bots can overload your network traffic and cause transactions from legitimate customers to time out and fail.

How can merchants protect themselves from card testing? As with much of e-commerce fraud, it takes a combination of effective in-house strategies and the right external tools.

How Do You Stop Card Testing?

A few adjustments to your internal procedures can go a long way toward screening out card testing attempts. Key methods for preventing card testing include using AVS and CVV matching, monitoring IP addresses, and employing velocity checking.

High-volume methods of stealing credit card numbers, such as hacking into less secure merchant databases or using skimmers, typically don't give the fraudster both the billing address and the CVV number along with the card number itself. That makes these simple checks an effective way to prevent a significant percentage of card testing and fraud.

While you’re adjusting the settings in your payment gateway, you should also make sure your authorization decline message isn’t conveying any information that could be useful to the fraudster.

If they know why declines are happening, they might have an easier time figuring out how to get the cards to work for them.

Of course, these checks alone won't stop all card testing. If the CVV number is missing, for example, the fraudster can use an automated program to test all the 1000 possible CVV numbers in a matter of minutes. Blocking any transaction attempt from a card after a certain number of declines can prevent this.

Furthermore, other methods of stealing card numbers can provide a fraudster with complete card information. Phishing attacks can get cardholders to enter their full payment information into a website that appears to offer something valuable in return, or is set up to mimic the real website of a bank or eCommerce platform.

Hackers can also go after merchants to insert an e-skimmer into their checkout page, copying any card information customers enter and sending it to the hacker. Educating employees about phishing attacks and having a robust and up-to-date firewall and antivirus program can prevent you from falling victim to these attacks, but you still need a way to stop credentials stolen elsewhere from being used on your website.

There are several strategies you can use to fight card testing:

  • Monitor transaction activity. Multiple small orders within a short time frame is the number one clue that card testing is happening. These purchases may be on the same card, or on dozens of different ones. You should have a system in place to flag such orders and review them more carefully.

  • Monitor IP addresses. The majority of card testing attempts originate from outside the United States, so this is another possible indicator of fraud, especially if you see it in conjunction with other signs. Merchants may also want to adjust their payment gateway settings to block multiple orders from the same IP address within a short time frame.

  • Blacklist bad actors. If you suspect a customer of card testing, put them on a blacklist and block them from making any future purchases. Study after study shows that fraudsters almost always re-target merchants they’ve successfully victimized.

When you suspect fraud but you aren’t sure, you can always try giving the customer a phone call or sending an email to verify the purchase.

What Tools Should Merchants Use to Prevent Card Testing?

A PCI-compliant payment gateway is the first and strongest line of defense against card testing and other types of e-commerce fraud. This should include AVS and CVV matching plus up-to-date fraud screening features.

Other fraud prevention tools can help by applying rules to flag suspicious orders or IP addresses, or integrating with your CRM to facilitate blacklisting so you can block potentially fraudulent orders from known or suspected fraudsters.

Anti-fraud protocols like 3-D Secure can also prevent card testing. Every merchant has to figure out which tools and solutions are right for them and measure how effectively they’re working.

Analyzing and Preventing Fraud Chargebacks

One way to find out if you’re succeeding at preventing card testing is to analyze your chargebacks. If you’re stopping card testing at the gateway level or earlier, you won’t be seeing as many true fraud chargebacks for low dollar amounts.

Card testing can be especially insidious in terms of chargebacks because you can get so many transactions in a short span of time. This can quickly drive up your chargeback rate, endangering the stability of your merchant account.

If your in-house solutions aren’t working, chargeback management companies can help get card testing problems under control. The right chargeback experts can provide you with the chargeback analytics you need to identify card testing patterns, and will be able to recommend the right anti-fraud tools and gateway settings for your specific situation.

FAQ

Do Credit Cards Protect Against Fraud?

Credit cards have security features like CVVs and AVS to prevent fraud. They don’t always work perfectly, however, as fraudsters are constantly coming up with new ways of bypassing even the best defenses.

How Do I Protect Against CNP Fraud?

Merchants can protect themselves against card-not-present fraud by using effective fraud tools that use multiple methods of fraud detection to weed out fraudulent transactions.

What Is a Test Credit Card Number?

PayPal uses test credit cards to validate authorization and transaction flows. Consumers should never have test card numbers.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com

Ready to Start Reducing Chargebacks?