Recent reports by acquiring banks have identified a surge in card testing attacks detected on merchant sites during this pandemic year. As ecommerce volumes increase and new businesses move online, it is crucial to be aware of card testing fraud, and learn how to identify and prevent it.

What is Card Testing?

Payment Card Testing is an advanced operation, employed by fraudsters to determine whether stolen or computer-generated card numbers are valid. Card testers exploit targeted organisations or sites, particularly those that accept donations or deal with small value transactions. Still, small and medium sized businesses are often vulnerable to card testing attacks because they tend to lack the resources and tools to detect or prevent these attacks.

Since these cards may have been stolen some time ago, fraudsters developed card testing as a method to verify whether cards have expired or have been reported and blocked by banks, – or as they hope, are still effective to use. The initial “testing” of cards is intended to confirm the validity of the card, and not for the purpose of purchasing the product or service – before larger transactions or purchases are made. If card numbers are valid, automated payment responses will be approved, giving the greenlight for card testers to rake in the big purchase or resell these verified numbers on the dark web; and if declined, these card numbers are filtered out.

Card Testing Techniques

Firstly, Card Testing numbers are obtained generally through one or two ways: by illegal purchasing of stolen card numbers via the dark web, or computer-generated random card numbers. Nevertheless, both methods require ‘testing’ of the card numbers to determine its validity before making larger purchases or online transactions. Transactions of low amount are then tested (e.g., making a small donation), with the intention to avoid alerting the cardholder who may in turn, immediately block the card or report card fraud when aware. Fraudsters inventively exploit payment authorization to verify card numbers and is a preferred method as it provides real time authentication and will not be visible in card statements until weeks later.

Because manual card testing is tedious, and can be extremely time consuming when testing large batches of card numbers, fraudsters utilise bots or a system of computers to automate card testing on a large scale. These bots attempt small transactions on websites, automated at high volumes.

Impact of Card testing

Card testing can be detrimental to ecommerce, especially small to medium sized businesses. Due to the large scale of transactions processed as a result of card testing, unfortunate businesses targeted by card testing attacks suffer:

1. Disputes (or Chargebacks) – cardholders become notified upon successful payments, leading to high disputes and an increase in chargeback ratio
2. High Decline Rates – large number of declines may raise alerts to banks; high decline rate when associated with the BIN can also damage the reputation of issuer banks
3. Extra Costs – surge of testing transactions will accumulate a large sum of interchange fees charged by the authorisation process. Not only will merchant pay for extra costs of interchange fees, but also the cost of disputes and dispute fees that will emerge.
4. System and Network Performance – consumes system capacity and network bandwidth

How to Identify Card Testing

Card Testing attacks on websites can be identified by a number of signs:

1. Low-value transactions – a series of low-value transactions of similar or repeated value, from the same IP address
2. Velocity and Frequency – a surge of transactions over a specified timeframe (e.g., high transaction amount of similar value over 5 minutes) could indicate use of programmed bots
3. High Decline Rate – significant increase in declines, as well as decline reasons including (but not limited to): invalid card number, suspected fraud, stolen card, no card record, etc.
4. CVV Errors – repeated number of incorrect CVV code errors, as stolen or generated card numbers often do not have CVV information

Preventing Card Testing

Preventing card testing attacks is crucial to every online business or website. By eliminating unrestricted access and adding security measures, this can significantly reduce the risk of card testing attacks on websites.

Here are a several strategies that can help to prevent card testing attacks:

1. Set Card Limits – add maximum number of new cards allowed daily from a single IP address
2. Secure Checkout Cart and Payment Page – employ tools to prevent bots or automated scripts from submitting transactions e.g., CAPTCHA
3. Velocity Control and Lock Out Mechanism – limit the number of transactions submitted over a specified period and lock out customer or IP address if detected
4. Decline Restrictions – block IP address or customer if ‘transaction declined’ for a specified number of times

To avoid further financial and reputational repercussions, merchants should make effort to refund fraudulent transactions when possible, to maintain customer satisfaction and reduce opportunities for disputes. Merchants should also proactively re-evaluate and develop their detection parameters or payment security procedures to minimise website vulnerability and protect their businesses from card testing fraud.

The Next Steps

Payment Card Testing on websites is becoming more prevalent today, as fraudsters are moving online and continuously developing their schemes. To protect your online business or your merchants from card testing attacks, it is crucial to employ fraud tools and utilise comprehensive payment service providers that cover detection and prevention of card testing attacks. Using advanced online payment and fraud solutions help protect you and your business not only from card testing attacks, but also the many types of fraud that exist today.