Card Testing Fraud: 3 Things Merchants Must Know

3 Things Every Merchant Must Know About Card Testing Fraud

It’s called card testing fraud, and it’s one of the ugly realities of online retail. Countless merchants have gotten excited went they noticed thousands of transactions in their online stores. However, upon checking analytics, they realize that something is off.

All the purchases made are ridiculously small, and the card decline rate has increased significantly.

If this is happening to you, you need to know that this is a potential card-testing scam targeting your store.

And what usually follows are chargebacks accompanied by messages and angry calls from legitimate card owners who think you’ve deliberately charged their cards without their consent.

Card testing fraud has been around for years, and its impact can be severe.

Having good knowledge of what card testing is and how it works will help you to:

  • Train your staff on the best practices to implement
  • Implement necessary fraud prevention tools
  • Monitor your store for suspicious transactions and take necessary mitigation actions
  • Provide secure payment options that protect your store and customers

At Total-Apps—a payment processing company—we help merchants understand how online fraud works to allow for proper preparation.

1. What Is Card Testing Fraud and How Does It Work?

Card testing fraud is when fraudsters test the validity of stolen card numbers, usually by making small purchases of less than $5.

What they test for is if the card is still active, if it has funds, and if purchases made will successfully avoid fraud detection measures.

If the card being tested passes all the requirements, fraudsters then proceed to make large purchases using the funds on it.

So How Does It Actually Work?

First, the fraudster has to get their hands on the card numbers. Here are four common ways they do so:

  • Card skimming: A fraudster installs a small device called a skimmer on or inside card readers, like ATMs, fuel pumps, or point of sale terminals. Card skimmers can be difficult to detect, and may appear as an unusual attachment or protrusion.

The device then records information about the cards used on the card reader. Some skimmers can transmit the information electronically via Bluetooth.

  • Hacking an online store: Online shops store card information from their customers in various ways, such as the use of cookies. A tech-savvy fraudster (and most of them are) exploits vulnerabilities like unpatched plugins or weak passwords to harvest customer card information.
  • Card trafficking: A fraudster buys card numbers and their information off the dark web from other criminals who are not keen on using the cards themselves.
  • Bank identification number (BIN) tumbling attacks: Fraudsters generate hundreds of credit card numbers using computer algorithms, then test each to determine which credit cards are valid.

Here Comes The Card Testing Phase

There are two main methods that fraudsters employ when testing cards:

Small payments: A fraudster will make small purchases to test the validity of the card and the security features of your site. Small purchases are less likely to be noticed by the legitimate card owner and reported as fraudulent. If the purchase isn’t successful, the fraudster exploits the feedback received on the next attempt.

Authorizations: This is a subtler method. Instead of buying directly, fraudsters first send queries to the card issuer through the payment processor requesting a statement of whether the customer has enough funds to conduct a certain purchase.

Meanwhile, your store system proceeds with the purchase and the card owner does not get an alert. Unfortunately, you’re still going to pay an authorization fee for each of these transactions.

You should know that fraudsters tend not to target stores randomly. If you are being targeted, then there is something you might be doing wrong.

Here are some reasons why your store may attract card testing fraudsters:

  • Lack of fraud detection tools: Your store has poor/limited fraud detection tools that can’t detect and decline fraudulent transactions, or alert the card owner.
  • Limited address and customer verification: Your store does not properly verify both the address of the user and the customer through systems like 2-step authentication.
  • Weak security: Your store has weak passwords and unpatched or outdated software (e.g., plugins) that can be easily exploited.

2. How Does Card Testing Fraud Impact Merchants?

person using credit card to purchase online orders

Image source:

The impacts of card testing fraud on merchants are considerable, and if not countered effectively, can easily collapse a business.

Notable impacts include loss of revenue, increased chargebacks, and a damaged reputation.

Increased Chargebacks

Chargebacks happen from time to time in any business. However, card testing fraud will blow up this rate of occurrence in a very short time; fraudsters test thousands of cards in mere minutes.

Legitimate cardholders usually get notified of the small purchases made when their cards are being tested and they immediately dispute the charges with their card issuer, resulting in chargebacks.

If you experience a sudden increase in chargebacks, it may be an indication of card testing fraud. Monitor the patterns of the transactions that are resulting in chargebacks, and take proper steps to mitigate the fraud.

It’s important to note that if processors deem your chargebacks and fraud levels over their risk threshold and they determine it is due to non-compliance with security protocols, they will close your account.

You may also get a fine from the processor and card network on top of that.

Loss of Revenue

Whenever there are transactional disputes, like chargebacks and refunds, the merchant will always end up suffering a loss in revenue. The merchant will lose the product (if they have already delivered it to the fraudster), the profits, and the original amount of sale.

They’ll also lose the transaction fee incurred while processing the card as it was being tested, a refund fee, and a chargeback fee imposed by the processor.

The average chargeback fee is between $35 and $50, while the refund and transaction fee take up $0.25 on each transaction.

According to Global Trade Magazine, each chargeback costs a business an estimated 2.6 to 3.2 times the price of the products lost.

The merchant also incurs fees and fines associated with chargeback processing. If the number of chargebacks is high, card networks can also penalize the merchant, resulting in even more fees and fines.

Your merchant account can be shut down in extreme cases, which will be disadvantageous as your business can no longer accept electronic transactions.

Lastly, chargebacks cause a decrease in sales, resulting in further loss of revenue. When customers experience fraud, they lose trust in that store and take their business elsewhere.

Damage to Reputation

Card testing fraud also damages the reputation of the merchant with both the card networks and the customers.

Not only will you get angry calls but you may get a sudden influx of poor online reviews. This will further harm your reputation and impact your ability to attract new customers.

Card networks may also place the merchant on the MATCH list (i.e., risky merchants to work with), terminating your processing account and making it difficult or impossible to secure a merchant account at all from any bank or processor again. If the business is not terminated, the merchant will also be penalized with higher fees and increased scrutiny and audits from the networks.

And, of course, customers won’t want to do business with a merchant associated with fraud.

In extreme cases, lawsuits can be initiated against you on top of losing processing privileges.

3. How Can Merchants Prevent Card Testing Fraud?

how to protect your store from fraud

Image source:

Prevention of card testing fraud is a necessary step for any merchant who wants to protect their business and keep their customers safe.

A few ways a merchant can help prevent fraud include:

Providing Secure Payment Options

At Total-Apps, our payment processing system is designed with the security of both the merchant and customers in mind.

Our payment process is equipped with advanced fraud scrubbing techniques that automatically accept cards and decline suspicious transactions. Our system ensures every detail is validated before authorizing any transaction.

One of the fraud-scrubbing tools we use to avoid card-testing fraud is volume check, also known as velocity check. This tool helps identify BIN-tumbling attacks by flagging an abnormally high number of transactions performed within a short time.

The tool can also detect when one card is “banged” over and over within a few seconds to see if it will finally go through.

Velocity checks scan each transaction and detect suspicious purchases made using similar information, such as:

  • Email addresses
  • Billing addresses
  • IP Addresses
  • Phone numbers

After a number of attempts, usually around 10, such transactions are automatically blocked. 10 attempts are more than enough for genuine customers working out how to complete a purchase.

To help prevent card testing fraud, we encourage you to use Total-Apps’ secure payment processor.

Implementing Fraud Prevention Tools

Technology has come a long way in the fight against fraud.

Below is a table showing some tools and some pros and cons of each.

Technique Pros Cons
Card Number Verification Can be quickly and easily implemented and the main focus is on the validity of the card number Easy to bypass with stolen card numbers
Address Verification Provides an additional layer of security by comparing the billing address to the address on file with the card issuer Can be easily bypassed by fraudsters using a different address or providing false information
3D Secure Authentication Strong authentication method using a one-time passcode generated by the bank/card issuer Can be inconvenient if the customer can’t receive the one-time pin.
IP Geolocation Can detect suspicious activity by comparing the IP address of the transaction to the location of the cardholder Can be easily bypassed by fraudsters using VPNs or other methods to change their IP address
Device Fingerprinting Can detect suspicious activity by analyzing the device used for the transaction, such as browser type and version Can be easily bypassed by fraudsters using different devices or browsers
Biometric Authentication Strong authentication method using fingerprints, facial recognition or other biometrics to verify the cardholder’s identity Can be inconvenient for customers as they need to provide biometric data or have specific hardware for authentication

help merchant understand how online fraud works

Image source:

No Card Testing Fraud, Reduced Chargebacks, Increased Profits

Fraudsters are lurking in all corners of the internet, waiting for an opportunity to spend on your site using a stolen card and risking your business.

By using a secure payment processor and implementing fraud detection tools and other prevention methods, you can help reduce card testing fraud and chargebacks on your store.

Contact us today for a secure payment processor