What is card testing fraud and how to protect your business

Online payment fraud will exceed $206 billion by 2025. As online payments become more widespread, the reality is: so does card fraud. Nowadays, one of the most common types of card fraud is known as card testing, which, among fraudsters, is now particularly popular due to the use of bots and programmatic testing and lower risk of detection.

But what is card testing? And how can your business protect itself from such attacks? This page will explain everything you need to know about why these attacks happen, and how you can prevent them.

What is card testing?

Card testing, also known as “card cracking”, is when a fraudster tests whether a stolen credit or debit card is active – and possesses available funds – before going on to use it.

When testing the card, fraudsters initiate a small value payment, such as $1, which is unlikely to be noticed. Once the smaller amount has been authorized successfully, larger transactions are subsequently made.

They may also decide to sell verified card numbers on illicit online platforms, commanding a higher price compared to untested card numbers. Fraudsters exercise caution when using recently obtained payment credentials because, if they get lots of declines when attempting conspicuous and sizable purchases, the card will be swiftly deactivated, preventing any further transactions. 

How card testing works

Card testing involves various techniques, including experimentation with physically stolen bank cards, replicated cards produced through scraping techniques, fabricated card information, as well as the use of stolen comprehensive card credentials.

To carry out these fraudulent activities, criminals employ two main techniques: small payments and authorizations.

Small payments method

With the small payments method, it’s easier for fraudsters to find places for transactions, but there’s a higher likelihood of detection. For example, if the payment is accepted, it indicates that the card is active but it may also alert the legitimate cardholder when they look at their statement. 

However, even rejected payments can provide valuable insights into the reasons for the rejection, enabling fraudsters to deceive the system in later attempts. 

This is due to certain merchants configuring their payment processing settings to disclose particular reasons for transaction denials to cardholders. For instance, if the response indicates that the decline was due to an address mismatch, the fraudster can pinpoint the specific element of the payment credentials that they need to complete the fraudulent activity.

Authorizations method

Unlike carrying out small payments, authorizations happen when the fraudster initiates a transaction through an online payment gateway, seeking confirmation of the customer's available funds to cover a transaction. Since authorizations take longer to appear on card statements, fraudsters have more time to exploit active cards.

In terms of card testing fraud, here's how card authorization queries work:

1. The fraudster attempts to make an online transaction using a stolen payment card, necessitating card authorization.

2. The merchant’s online payment system sends a transaction authorization request to their payment processor or acquirer, seeking validation for the transaction.

3. The acquirer transmits the request to the issuer, facilitated by the card network, and seeks approval for the transaction.

4. The issuing bank assesses the stolen card’s account to see whether there are enough funds or credit to cover the purchase amount.

5. The issuing bank either approves with an authorization code or declines with an error code. The whole five-step process only takes a few seconds.

This method is more subtle than the small payments method, but your business can still detect these activities if you have advanced anti-fraud measures in place. 

What happens next?

At this stage, the legitimate card owner may notice and contact the card issuer, which poses problems for both the criminal and the merchant. You, the merchant, risk facing chargeback requests that demand time and resources to resolve, impacting your chargeback rate, which can have severe consequences. ‍

Estimates suggest that each fraud case costs merchants up to 3.60 times the amount lost in the fraudulent transaction.

Who is targeted by card testing fraud?

Like all types of online payment fraud, card testing fraud can impact anyone that accepts credit cards as payment. However, fraudsters often target SMBs, gaming merchants and non-profit websites because they sometimes lack the same level of security measures employed by larger retailers, making them more vulnerable to card testing. 

Fraudsters are also more attracted to these websites because they intentionally facilitate easy and legitimate donation processes. Here’s why card testing affects these industries:

Gaming merchants

Card testers often target gaming merchants as these sites tend to have a lower average ticket size for purchases, making it easier for fraudsters to make multiple small purchases without detection.

Smaller gaming merchants may have limited resources to invest in comprehensive fraud detection systems, making them more vulnerable to card testing attacks. Also, the popularity and widespread use of gaming platforms provide fraudsters with a large potential customer base to exploit.

Non-profit organizations

Fraudsters may make small donations or transactions to test the cards' validity and determine if they can be used for larger purchases, or cashed out. Since non-profit organizations rely on public donations, they may not have the same level of robust fraud prevention measures in place as larger websites or financial companies, making non-profits more susceptible to card testing attacks.

SMBs

Like gaming merchants, SMBs are targeted because they may not have fraud prevention tools and systems in place. Also, the nature of SMBs' operations, i.e. operating online stores and accepting online payments, makes them attractive targets for fraudsters looking for easier entry points.

Card testing fraud can significantly impact SMBs as they often face financial losses from chargebacks and unexpected fees associated with fraudulent transactions. These losses can be particularly damaging to the financial stability and reputation of SMBs, making it crucial for you to implement appropriate fraud prevention measures, such as using secure payment gateways, implementing fraud detection systems, and staying updated on the latest security practices.

Fraudsters often possess incomplete credentials that are only functional with merchants lacking robust fraud prevention measures. For example, some fraudsters might be missing details about the card holder’s address, or the CVC, which may result in the merchant blocking the transaction. This is why fraudsters often target SMEs for card testing schemes.

What are the impacts of card testing fraud for merchants?

Without the right fraud protection tools in place, card testing can have these serious effects on your business:

Financial implications

While individual transactions in card testing may seem insignificant, the cumulative impact can be substantial, especially when fraudsters employ automated bots. Even if the transactions are declined, you still incur processing fees. 

Meanwhile, if the fraudulent transaction is successful and the cardholder identifies the unauthorized activity, you may face costly chargebacks. This is why we recommend that your business takes preventive measures against card testing, so you can safeguard your revenue and preserve profits.

High-Risk classification

A surge in declined transactions or a high volume of chargebacks can lead to your business being classified as high risk, which imposes higher fees and increases the likelihood of future transaction rejections. It also raises the risk of being enrolled in fraud or chargeback monitoring programs, subjecting your business to further scrutiny and potential limitations.

Vulnerability to other fraud schemes

Successful card testing exposes vulnerabilities in your security systems, alerting fraudsters to potential weaknesses they can exploit. By identifying your business as an easy target, they may launch additional attacks, such as account takeover fraud. These fraudulent activities not only harm your business but also jeopardize the trust and loyalty of your customers.

How to prevent card testing fraud

The best way to prevent card testing is to know the warning signs, which include:

• High decline rates
• High chargeback rates
• Low transaction amounts
• Multiple declines in a short period of time
• Multiple purchases from the same IP address

Below, we’ll explain the most effective ways to combat card testing fraud:

AVS checks

Use Address Verification System (AVS) checks during transactions to verify that the billing address provided by the customer matches the address associated with the card. AVS mismatches may indicate potential fraudulent activity and can trigger further investigation, or decline the transaction.

Fraud detection software

Leverage advanced fraud detection software, such as Checkout.com’s Fraud Detection Tool, that employs sophisticated algorithms and machine learning techniques to analyze transaction patterns, detect anomalies, and identify potential instances of card testing. This type of software can help identify suspicious behavior and flag transactions for manual review or automatic rejection.

Velocity rules

We recommend establishing velocity rules that monitor the frequency and volume of transactions, as well as transaction amounts. For example, you could create a rule that blocks a card if multiple transactions with a value less than $1 are attempted within a specific time frame, say 10 minutes or one hour. By setting limits on the number of transactions from a single card within a specified time period, you can detect and prevent card testing attempts, as fraudsters often make multiple rapid transactions.

Monitor real-time transactions

Implement real-time transaction monitoring to track and analyze incoming transactions as they occur, allowing you to quickly identify suspicious patterns, irregularities, or any signs of card testing activity. Timely intervention can prevent fraudulent transactions from being processed.

Look at card testing trends

Monitor card testing trends over time to identify patterns, tactics, and emerging techniques used by fraudsters. By staying informed about evolving card testing methods, you can proactively update your fraud prevention strategies and adapt your security measures.

SCA protocols

Introduce Strong Customer Authentication (SCA) protocols as required by regulatory requirements such as PSD2 (Payment Services Directive 2) in the European Union. SCA adds an additional layer of security by requiring customers to provide multiple forms of authentication.

Two-factor authentication

Enable two-factor authentication (2FA) for customer transactions, particularly for high-value or sensitive actions. This adds an extra layer of security by requiring customers to provide additional verification, such as a unique code sent to their mobile device, in addition to their card details.

Machine learning

Machine learning algorithms can help your business continuously analyze transaction data, detect patterns, and identify fraudulent behavior. You can train the machine learning models on historical data, enabling them to adapt and evolve to detect new card testing techniques and anomalies that may indicate fraud.

Learn more: The regions with the highest credit card fraud

How Checkout.com helps with card testing fraud

With Checkout.com, your business can say ahead of fraudsters thanks to our advanced machine learning and customizable Fraud Detection Tool. To suit your specific needs, you can choose from a variety of preset configurations, or pick our Fraud Detection Pro which offers a fully customizable solution, enabling you to tailor your risk setup to match your unique business requirements.

We’re committed to helping you fight against card testers, so talk to our sales team to learn more about how Checkout.com can protect your business from financial losses, and maintain the trust of your customers.