What you need to know about card testing fraud

At first, these small unauthorized credit card changes aren’t a big deal, the charges are small after all. But then you start getting calls from customers about purchases they never made. When the calls have subsided, you start adding up all the chargebacks and authorization fees and realize that this month’s profits—and maybe even this year’s profits—are down the drain. Unfortunately, you are not alone. Businesses of all sizes continue to be the victims of debit and credit card testing.¹

What is card testing?

Fraudsters use card testing to validate credit card numbers for later use. Testing typically falls into two types: testing card numbers that have been illegally obtained, or intelligently guessing card numbers based on a known bank identification number (BIN). Fraudsters will send a high velocity of fraudulent purchases to an unsuspecting merchant’s site to see if each card is active and approved.²

This process reveals which cards have been canceled or deactivated—and which ones are still valid. Once the canceled or declined card numbers are weeded out, fraudsters move on to make larger purchases or resell the validated information.

How do botnets work?

The advancement of botnet technology in recent years has allowed card testing to grow exponentially.³ Unlike manual testing—which is time consuming and labor intensive—fraudsters can program networks of compromised computers (botnets) to run thousands of transactions at a time.

The velocity of these fraudulent transactions can rack up thousands of dollars in transaction fees in a matter of minutes, leaving the unsuspecting business holding the bill. Not to mention serious brand damage and a major tax on their time and resources.

Which businesses are at risk?

Card testing attacks often target small and medium businesses as well as organizations that accept donations or even tuition. Often these types of businesses and organizations lack the tools and technologies to protect themselves—making them easy prey.⁴

Businesses and organizations that don’t sell a physical good tend to be particularly vulnerable because they assume fraud isn’t a worry—the fraudsters know this and deliberately target them as a result. Take nonprofits for example. Since many nonprofit donation pages collect little information from donors, and fail to place minimum limits for giving, they provide an ideal environment for card testing and other types of fraud.⁵

How can businesses and nonprofits protect themselves from card testing fraud?

Fraudsters are relentless and many of them quite savvy. However, there are actions you can take to protect yourself:

1. Be proactive. Look at your website and see where you might be vulnerable. What customer verification tools do you have in place now? Don’t ignore suspicious activity.
2. Use a fraud mitigation tool. Authorize.net has a built-in fraud tool: Advanced Fraud Detection Suite comes with 13 easily configurable fraud filters to help set proper minimum transaction thresholds, payment velocity settings, country limitations, and more to help prevent processing fraudulent transactions.
3. Set up a simple firewall. Many firewalls come with basic tools for botnet detection, prevention, and removal.
4. Consider implementing some type of CAPTCHA into your checkout flow. This technology has improved in recent years and can produce much less friction to your customers than previous versions.
5. If you accept donations or other custom payment amounts, set a minimum. Fraudsters aim to validate if a card is good without the cardholder noticing and reporting it. The smaller the charge, the less likely it is to attract attention. Set a minimum value that is as high as possible while still being appropriate for most donors.