The holidays have arrived, and unfortunately we all know that along with the enjoyable holiday gatherings, delicious food, holiday cookies and endless shopping comes something no one looks forward to: fraud. Card testing is a growing type of e-commerce fraud that doesn't get a lot of attention but is silently taking over the payments space.
When someone purchases or obtains stolen credit card numbers, they need to determine if the cards are still valid. By making small purchases online and then checking the response to see if the card was approved and/or if the AVS (address verification service) and CVV (card verification value) responses match, they are able to "test" the card information. Typically they use bots or scripts that can run thousands of transactions at a time. The successful cards are then used to make large-ticket fraudulent purchases at various online retailers.
Any merchant that accepts credit cards online is at risk for card testing. Card testers look for websites with the least amount of friction or user verification. Non-profits and charities are especially vulnerable since their websites are often designed to make it as easy as possible for someone to make a purchase or give a donation.
There are several potential costs to a merchant that experiences card testing through their website. Transaction fees are assessed whether the sale was approved or declined. Completed sales that are not voided or refunded are subject to chargebacks and chargeback fees. There is also the lost time and effort spent dealing with the fraud, and the damage to the brand and reputation of the merchant that was attacked.
Card testing often consists of multiple small-dollar transactions from different card numbers submitted within a short period of time. Many of these transactions will decline and/or have mismatched AVS and CVV responses.
Several measures can be implemented to reduce the likelihood of card testing fraud. There will always be a balancing act between tighter security measures and the ease of the customer checkout experience, but most online consumers are already familiar with, and expect, many of these security measures to be in place:
1) Add a CAPTCHA to your website before the sale is submitted. This makes it more difficult for bots and scripts to be used when testing cards. Your web developer or shopping cart provider should be able to assist with getting this added to your website.
2) Set AVS and CVV restrictions to prevent sales from being accepted with a mismatched address, ZIP code or CVV response. Often the card testers will not have a valid address or CVV information when testing the cards. This will make their testing unsuccessful and often cause them to move on to other websites to perform their testing. Many payment gateways can be set up to perform this type of AVS and CVV filtering.
3) Set IP restrictions to decline sales coming from outside of the U.S., where most card testing originates. Set threshold limits on the number of sales that can be submitted from the same IP address. Most payment gateways and shopping carts will have these tools available.
4) Add an additional fraud monitoring product or software to your website with transaction thresholds and alerts to notify you when potential card testing is occurring.
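The pattern described above (many small-dollar sales on different cards from the same IP address within a short period, most of them declined or mismatched) can be checked against a transaction log with a sliding window. This is an added example, not code from the original article or any gateway product; the field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to your own traffic.
WINDOW = timedelta(minutes=10)   # "short period of time"
MIN_CARDS = 5                    # distinct cards from one IP inside the window
SMALL_AMOUNT = 5.00              # "small dollar" cutoff
MIN_BAD_RATIO = 0.6              # share declined or AVS/CVV-mismatched

def is_bad(txn):
    """Declined, or approved despite an AVS or CVV mismatch."""
    return not (txn["approved"] and txn["avs_match"] and txn["cvv_match"])

def find_card_testing(txns):
    """Return {ip: details} for IPs whose small-dollar sales fit the pattern."""
    recent = defaultdict(deque)  # ip -> small-dollar sales still inside WINDOW
    alerts = {}
    for txn in sorted(txns, key=lambda t: t["time"]):
        if txn["amount"] > SMALL_AMOUNT:
            continue
        q = recent[txn["ip"]]
        q.append(txn)
        while txn["time"] - q[0]["time"] > WINDOW:
            q.popleft()          # drop sales that aged out of the window
        cards = {t["card"] for t in q}
        bad = sum(is_bad(t) for t in q)
        if len(cards) >= MIN_CARDS and bad / len(q) >= MIN_BAD_RATIO:
            # Keep only the first alert per IP.
            alerts.setdefault(txn["ip"], {"first_alert": txn["time"],
                                          "cards": len(cards), "bad": bad})
    return alerts

def _t(minute, ip, card, amount, ok):
    # "card" is a gateway token (assumed field), never the raw card number.
    return {"time": datetime(2024, 12, 1, 9, minute), "ip": ip, "card": card,
            "amount": amount, "approved": ok, "avs_match": ok, "cvv_match": ok}

# Constructed sample: one IP cycling six cards at $1.00, plus a normal shopper.
SAMPLE = (
    [_t(m, "203.0.113.7", f"tok_{m}", 1.00, m == 3) for m in range(6)]
    + [_t(2, "198.51.100.20", "tok_a", 4.50, True),
       _t(30, "198.51.100.20", "tok_a", 60.00, True)]
)

if __name__ == "__main__":
    for ip, info in find_card_testing(SAMPLE).items():
        print(ip, info["first_alert"].time(), info["cards"], "cards,", info["bad"], "bad")
```

On the sample, the first IP is flagged at its fifth distinct card even though one of its sales was approved with matching AVS and CVV, while the shopper with a single small purchase is not flagged.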