Online payment fraud will exceed $206 billion by 2025. As online payments become more widespread, so does card fraud. One of the most common types of card fraud today is card testing, which has become particularly popular among fraudsters because of bots, programmatic testing and a lower risk of detection.
But what is card testing? And how can your business protect itself from such attacks? This page will explain everything you need to know about why these attacks happen, and how you can prevent them.
Card testing, also known as “card cracking”, is when a fraudster tests whether a stolen credit or debit card is active – and possesses available funds – before going on to use it.
When testing the card, fraudsters initiate a small value payment, such as $1, which is unlikely to be noticed. Once the smaller amount has been authorized successfully, larger transactions are subsequently made.
They may also decide to sell verified card numbers on illicit online platforms, commanding a higher price compared to untested card numbers. Fraudsters exercise caution when using recently obtained payment credentials because, if they get lots of declines when attempting conspicuous and sizable purchases, the card will be swiftly deactivated, preventing any further transactions.
Card testing involves various techniques, including experimentation with physically stolen bank cards, replicated cards produced through scraping techniques, fabricated card information, as well as the use of stolen comprehensive card credentials.
To carry out these fraudulent activities, criminals employ two main techniques: small payments and authorizations.
With the small payments method, it’s easier for fraudsters to find places for transactions, but there’s a higher likelihood of detection. For example, if the payment is accepted, it indicates that the card is active but it may also alert the legitimate cardholder when they look at their statement.
However, even rejected payments can provide valuable insights into the reasons for the rejection, enabling fraudsters to deceive the system in later attempts.
This is due to certain merchants configuring their payment processing settings to disclose particular reasons for transaction denials to cardholders. For instance, if the response indicates that the decline was due to an address mismatch, the fraudster can pinpoint the specific element of the payment credentials that they need to complete the fraudulent activity.
Unlike small payments, the authorization method involves the fraudster initiating a transaction through an online payment gateway to confirm that the customer has the available funds to cover it. Since authorizations take longer to appear on card statements, fraudsters have more time to exploit active cards.
In terms of card testing fraud, here's how card authorization queries work:
This method is more subtle than the small payments method, but your business can still detect these activities if you have advanced anti-fraud measures in place.
At this stage, the legitimate card owner may notice and contact the card issuer, which poses problems for both the criminal and the merchant. You, the merchant, risk facing chargeback requests that demand time and resources to resolve, impacting your chargeback rate, which can have severe consequences.
Estimates suggest that each fraud case costs merchants up to 3.60 times the amount lost in the fraudulent transaction.
Like all types of online payment fraud, card testing fraud can impact anyone that accepts credit cards as payment. However, fraudsters often target SMBs, gaming merchants and non-profit websites because they sometimes lack the same level of security measures employed by larger retailers, making them more vulnerable to card testing.
Fraudsters are also more attracted to these websites because they intentionally facilitate easy and legitimate donation processes. Here’s why card testing affects these industries:
Card testers often target gaming merchants as these sites tend to have a lower average ticket size for purchases, making it easier for fraudsters to make multiple small purchases without detection.
Smaller gaming merchants may have limited resources to invest in comprehensive fraud detection systems, making them more vulnerable to card testing attacks. Also, the popularity and widespread use of gaming platforms provide fraudsters with a large potential customer base to exploit.
Fraudsters may make small donations or transactions to test the cards' validity and determine if they can be used for larger purchases, or cashed out. Since non-profit organizations rely on public donations, they may not have the same level of robust fraud prevention measures in place as larger websites or financial companies, making non-profits more susceptible to card testing attacks.
Like gaming merchants, SMBs are targeted because they may not have fraud prevention tools and systems in place. Also, the nature of SMBs' operations, i.e. operating online stores and accepting online payments, makes them attractive targets for fraudsters looking for easier entry points.
Card testing fraud can significantly impact SMBs as they often face financial losses from chargebacks and unexpected fees associated with fraudulent transactions. These losses can be particularly damaging to the financial stability and reputation of SMBs, making it crucial for you to implement appropriate fraud prevention measures, such as using secure payment gateways, implementing fraud detection systems, and staying updated on the latest security practices.
Fraudsters often possess incomplete credentials that are only functional with merchants lacking robust fraud prevention measures. For example, some fraudsters might be missing details about the cardholder’s address, or the CVC, which may result in the merchant blocking the transaction. This is why fraudsters often target SMEs for card testing schemes.
Without the right fraud protection tools in place, card testing can have these serious effects on your business:
While individual transactions in card testing may seem insignificant, the cumulative impact can be substantial, especially when fraudsters employ automated bots. Even if the transactions are declined, you still incur processing fees.
Meanwhile, if the fraudulent transaction is successful and the cardholder identifies the unauthorized activity, you may face costly chargebacks. This is why we recommend that your business takes preventive measures against card testing, so you can safeguard your revenue and preserve profits.
A surge in declined transactions or a high volume of chargebacks can lead to your business being classified as high risk, which imposes higher fees and increases the likelihood of future transaction rejections. It also raises the risk of being enrolled in fraud or chargeback monitoring programs, subjecting your business to further scrutiny and potential limitations.
Successful card testing exposes vulnerabilities in your security systems, alerting fraudsters to potential weaknesses they can exploit. By identifying your business as an easy target, they may launch additional attacks, such as account takeover fraud. These fraudulent activities not only harm your business but also jeopardize the trust and loyalty of your customers.
The best way to prevent card testing is to know the warning signs, which include:
Below, we’ll explain the most effective ways to combat card testing fraud.
Use Address Verification System (AVS) checks during transactions to verify that the billing address provided by the customer matches the address associated with the card. AVS mismatches may indicate potential fraudulent activity and can trigger further investigation, or decline the transaction.
Leverage advanced fraud detection software, such as Checkout.com’s Fraud Detection Tool, that employs sophisticated algorithms and machine learning techniques to analyze transaction patterns, detect anomalies, and identify potential instances of card testing. This type of software can help identify suspicious behavior and flag transactions for manual review or automatic rejection.
We recommend establishing velocity rules that monitor the frequency and volume of transactions, as well as transaction amounts. For example, you could create a rule that blocks a card if multiple transactions with a value less than $1 are attempted within a specific time frame, say 10 minutes or one hour. By setting limits on the number of transactions from a single card within a specified time period, you can detect and prevent card testing attempts, as fraudsters often make multiple rapid transactions.
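The velocity rule described above, as an added example that is not Checkout.com's code or API: a sliding-window counter that blocks a card after more than three payments under $1 within 10 minutes. The class name, the `tok_` card tokens, the limit of three and the sample attempts are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SmallAmountVelocityRule:
    """Block a card once too many sub-threshold payments land inside a sliding window."""

    def __init__(self, max_attempts=3, threshold_cents=100, window=timedelta(minutes=10)):
        self.max_attempts = max_attempts        # small attempts tolerated per window (assumed)
        self.threshold_cents = threshold_cents  # "less than $1" from the text
        self.window = window
        self._seen = defaultdict(deque)         # card token -> recent small-attempt times
        self.blocked = set()

    def check(self, card_token, amount_cents, ts):
        """Return "block" or "allow"; attempts must arrive in time order per card."""
        if card_token in self.blocked:
            return "block"                      # stays blocked until reviewed
        if amount_cents >= self.threshold_cents:
            return "allow"                      # this rule only counts small payments
        recent = self._seen[card_token]
        recent.append(ts)
        while ts - recent[0] > self.window:     # drop attempts older than the window
            recent.popleft()
        if len(recent) > self.max_attempts:
            self.blocked.add(card_token)
            return "block"
        return "allow"


def at(minute):
    """Constructed timestamps: minutes after 12:00 on an arbitrary day."""
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minute)


# Constructed sample attempts: (card token, amount in cents, time). Tokens, never raw PANs.
SAMPLE = [
    ("tok_A", 50, at(0)), ("tok_B", 50, at(0)), ("tok_A", 75, at(1)),
    ("tok_A", 99, at(2)), ("tok_A", 60, at(3)), ("tok_A", 5000, at(4)),
    ("tok_B", 50, at(20)), ("tok_B", 2500, at(21)),
]


def evaluate(attempts):
    rule = SmallAmountVelocityRule()
    return [(card, rule.check(card, cents, ts)) for card, cents, ts in attempts]


if __name__ == "__main__":
    for card, decision in evaluate(SAMPLE):
        print(card, decision)
```

The rule counts declined attempts as well as approved ones, since both are attempts. `tok_B` is never blocked because its two small payments fall in different 10-minute windows.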
Implement real-time transaction monitoring to track and analyze incoming transactions as they occur, allowing you to quickly identify suspicious patterns, irregularities, or any signs of card testing activity. Robust fraud monitoring facilitates timely intervention. This is vital to prevent fraudulent transactions being processed.
Monitor card testing trends over time to identify patterns, tactics, and emerging techniques used by fraudsters. By staying informed about evolving card testing methods, you can proactively update your fraud prevention strategies and adapt your security measures.
Introduce Strong Customer Authentication (SCA) protocols as required by regulations such as PSD2 (Payment Services Directive 2) in the European Union. SCA adds an additional layer of security by requiring customers to provide multiple forms of authentication.
Enable two-factor authentication (2FA) for customer transactions, particularly for high-value or sensitive actions. This adds an extra layer of security by requiring customers to provide additional verification, such as a unique code sent to their mobile device, in addition to their card details.
Machine learning algorithms can help your business continuously analyze transaction data, detect patterns, and identify fraudulent behavior. You can train the machine learning models on historical data, enabling them to adapt and evolve to detect new card testing techniques and anomalies that may indicate fraud.
With Checkout.com, your business can stay ahead of fraudsters thanks to our advanced machine learning and customizable Fraud Detection Tool. To suit your specific needs, you can choose from a variety of preset configurations, or pick our Fraud Detection Pro which offers a fully customizable solution, enabling you to tailor your risk setup to match your unique business requirements.
We’re committed to helping you fight against card testers, so talk to our sales team to learn more about how Checkout.com can protect your business from financial losses, and maintain the trust of your customers.