Card Testing Fraud Prevention

A growing type of ecommerce fraud that doesn’t get a lot of attention is silently taking over the payments space – it’s called card testing. This article will provide more information on card testing and how it could impact your business and how to help prevent it.

 What is Card Testing?

Card Testing occurs when a fraudster uses a merchant’s website to “test” stolen credit card information to determine if the card is valid. Fraudsters can purchase lists of credit card numbers online on the “Dark Web” at a low cost but often do not know if the cards they are purchasing are active. To test these cards, fraudsters often use automated bots and scripts to run many of these numbers through a merchant’s checkout page. If a transaction is approved, the fraudster knows that the card is valid and can make fraudulent high value purchases elsewhere.

How to Identify Card Testing

While it is sometimes difficult to identify card testing, there are a few common red flags to look out for: 

  • Small value transactions – Card testers typically use small value transactions to minimize the amount of credit card balance used.
  • Multiple credit card purchases in a short amount of time – Fraudsters often use automated programs to run many cards through a website in a short time frame.
  • Multiple credit card types – Credit card brands switching rapidly could be a signal of card testing fraud.
  • Failed authorization notices – Multiple transaction failures may point to attempts to enter stolen card data.
  • Address Verification Service (AVS) mismatch – Identifying that the address provided by the customer matches the billing address can provide an extra layer of protection. A mismatch can indicate a fraudulent transaction in which the customer is not the actual cardholder.
  • Card Verification Value (CVV) mismatch – Validating the Card Verification Value (a security code typically printed on the back of the card) can verify that the customer is the cardholder and is in possession of the physical card. CVV mismatches should be monitored carefully.

Any combination of the above activities can signal that a merchant is being targeted by card testing fraud.

Why Card Testing Fraud is Costly

Card testing fraud can be extremely costly due to financial charges and loss of goods. As chargeback disputes typically take 6 weeks to materialize, ecommerce merchants end up paying a high price for fraud. The following costs may apply if your business has been hit by card testing:               

  • Chargeback fees – As the number of chargebacks increase, financial institutions can increase the amount they charge. In some cases, the chargeback fees can be more costly than the goods are worth in the first place. As a business becomes riskier for the card brands, they may also be placed on probation and exposed to additional fees. If not fixed, the card brands may deny the business the ability to accept payments from that card brand.
    • The 6 week chargeback window leaves a merchant website open to being hit multiple times before they aware a problem exists, resulting in a large number of chargeback disputes and fees.
  • Loss of merchandise – By the time merchants find out they have been affected by fraud, it is often too late to stop the shipment of goods. Shipping and handling costs can add up when a large number of orders are deemed fraudulent.
  • Loss of sale – When a chargeback occurs, the funds collected for the sale are taken from the merchant and given back to the customer.
  • Processing fees – Any fees that apply to process the transaction are lost when affected by a chargeback.

How to Detect and Reduce Card Testing Fraud

Implementing CVV checks and AVS are effective ways of minimizing the risk of card testing. A mismatch of either of these fraud tools may indicate a fraudulent transaction. Ensuring that CVV and AVS are activated can go a long way in preventing card testing on a website.

Google reCAPTCHA offers an additional layer of protection by offering automated software which can differentiate the human user from a bot.  The solution is low friction and requires the user to click a checkbox to continue.

Two factor authentication adds an extra layer of security on top of the use of a username and password. Card testers often target checkout pages that have the least amount of friction. It is recommended that the payment page use more than one method of identifying the user.

Fraudsters will typically move on to a new website if they encounter any friction on the checkout page. When it comes to protecting your business against fraud, a layered approach is most effective in catching the highest amount of fraud.

What Moneris Merchants can do to avoid Card Testing

Any merchant interested in fraud protection features at Moneris should contact the Moneris Sales Department at 1-844-204-8626 to request the Fraud Tools package. Once added to the merchant’s profile several fraud protection features become available for integration into the payment website:

  • AVS and CVV
  • 3D Secure
  • Transaction Risk Management Tool (Risk Scoring)

Details regarding using these fraud solutions can be found on the Moneris Developer Portal at https://developer.moneris.com.  It is highly recommended that you implement AVS and CVV validation checks into your website to combat card testing fraud as a baseline protection.  Please note that when a financial transaction is processed that includes AVS or CVV data, the response will not affect the authorization of the transaction.  The best validation solutions require decision logic that should manage the transaction based on the returned result.  For example, should a “NO MATCH” response be received, this means the data the customer provided did not match the data on the card.  Therefore the merchant may choose to deny the transaction and request another form of payment.  Ultimately these decisions are up to the merchant, their business processes, and their risk appetite.

For more information on AVS and CVV response codes please visit our Developer Portal at the attached links below:

AVS Response Codes

CVV Response Codes

For assistance implementing any of our Fraud Tool solutions please feel free to reach out to our Technical Support team at 1-866-319-7450.   We are here to help 7 days a week 24 hours a day!

Patrick Brophy, CPP
Product Manager, Online Payments
Moneris Solutions

As the Product Manager for Online Payments at Moneris, Patrick is responsible for ecommerce and omni-channel solutions, most notably the Moneris Gateway.  With 13 years of experience in the payments industry and a focus in integrated and emerging customer solutions, Patrick carries a broad expertise on many subjects important to the online merchant experience.