What is card testing fraud and how to protect your business

Online payment fraud will exceed $206 billion by 2025. As online payments become more widespread, the reality is: so does card fraud. Nowadays, one of the most common types of card fraud is known as card testing, which, among fraudsters, is now particularly popular due to the use of bots and programmatic testing and lower risk of detection.

But what is card testing? And how can your business protect itself from such attacks? This page will explain everything you need to know about why these attacks happen, and how you can prevent them.

What is card testing fraud?

Card testing, also known as “card cracking”, is when a fraudster tests whether a stolen credit or debit card is active – and possesses available funds – before going on to use it.

When testing the card, fraudsters initiate a small value payment, such as $1, which is unlikely to be noticed. Once the smaller amount has been authorized successfully, larger transactions are subsequently made.

They may also decide to sell verified card numbers on illicit online platforms, commanding a higher price compared to untested card numbers. Fraudsters exercise caution when using recently obtained payment credentials because, if they get lots of declines when attempting conspicuous and sizable purchases, the card will be swiftly deactivated, preventing any further transactions. 

How card testing works

Card testing involves various techniques, including experimentation with physically stolen bank cards, replicated cards produced through scraping techniques, fabricated card information, as well as the use of stolen comprehensive card credentials.

To carry out these fraudulent activities, criminals employ two main techniques: small payments and authorizations.

Small payment method

With the small payments method, it’s easier for fraudsters to find places for transactions, but there’s a higher likelihood of detection. For example, if the payment is accepted, it indicates that the card is active but it may also alert the legitimate cardholder when they look at their statement. 

However, even rejected payments can provide valuable insights into the reasons for the rejection, enabling fraudsters to deceive the system in later attempts. 

This is due to certain merchants configuring their payment processing settings to disclose particular reasons for transaction denials to cardholders. For instance, if the response indicates that the decline was due to an address mismatch, the fraudster can pinpoint the specific element of the payment credentials that they need to complete the fraudulent activity.

Authorization method

Unlike carrying out small payments, authorizations happen when the fraudster initiates a transaction through an online payment gateway, seeking confirmation of the customer's available funds to cover a transaction. Since authorizations take longer to appear on card statements, fraudsters have more time to exploit active cards.

In terms of card testing fraud, here's how card authorization queries work:

1. The fraudster attempts to make an online transaction using a stolen payment card, necessitating card authorization.

2. The merchant’s online payment system sends a transaction authorization request to their payment processor or acquirer, seeking validation for the transaction.

3. The acquirer transmits the request to the issuer, facilitated by the card network, and seeks approval for the transaction.

4. The issuing bank assesses the stolen card’s account to see whether there are enough funds or credit to cover the purchase amount.

5. The issuing bank either approves with an authorization code or declines with an error code. The whole five-step process only takes a few seconds.

This method is more subtle than the small payments method, but your business can still detect these activities if you have advanced anti-fraud measures in place. 

Who is targeted by card testing fraud?

Like all types of online payment fraud, card testing fraud can impact anyone that accepts credit cards as payment. However, fraudsters often target SMBs, gaming merchants and non-profit websites because they sometimes lack the same level of security measures employed by larger retailers, making them more vulnerable to card testing. 

Fraudsters are also more attracted to these websites because they intentionally facilitate easy and legitimate donation processes. Here’s why card testing affects these industries:

Gaming merchants

Card testers often target gaming merchants as these sites tend to have a lower average ticket size for purchases, making it easier for fraudsters to make multiple small purchases without detection.

Smaller gaming merchants may have limited resources to invest in comprehensive fraud detection systems, making them more vulnerable to card testing attacks. Also, the popularity and widespread use of gaming platforms provide fraudsters with a large potential customer base to exploit.

Non-profit organizations

Fraudsters may make small donations or transactions to test the cards' validity and determine if they can be used for larger purchases, or cashed out. Since non-profit organizations rely on public donations, they may not have the same level of robust fraud prevention measures in place as larger websites or financial companies, making non-profits more susceptible to card testing attacks.

SMBS

Like gaming merchants, SMBs are targeted because they may not have fraud prevention tools and systems in place. Also, the nature of SMBs' operations, i.e. operating online stores and accepting online payments, makes them attractive targets for fraudsters looking for easier entry points.

Card testing fraud can significantly impact SMBs as they often face financial losses from chargebacks and unexpected fees associated with fraudulent transactions. These losses can be particularly damaging to the financial stability and reputation of SMBs, making it crucial for you to implement appropriate fraud prevention measures, such as using secure payment gateways, implementing fraud detection systems, and staying updated on the latest security practices.

Fraudsters often possess incomplete credentials that are only functional with merchants lacking robust fraud prevention measures. For example, some fraudsters might be missing details about the card holder’s address, or the CVC, which may result in the merchant blocking the transaction. This is why fraudsters often target SMEs for card testing schemes.

What are the impacts of card testing fraud for merchants?

Without the right fraud protection tools in place, card testing can have these serious effects on your business:

Disputes

If a card testing attempt results in a successful payment, the cardholder is likely to notice the fraud and initiate a dispute, which you’ll then have to expend time and resources settling. Not only will this be costly, but the cardholder could hold you responsible for failing to prevent the fraud, resulting in reputational damage. 

High decline rates

Declines are part and parcel of card testing fraud, and criminals expect them. The problem for you is that every failed attempt adds to your decline rate, which can make your business appear risky to card networks and card issuers. This means that they could become overzealous and start to decline even legitimate transactions. 

Additional fees

On top of the fees you’ll have to pay to settle disputes, you may also end up being charged higher transaction fees to your payment processor to account for the higher level of risk they’re taking in continuing to work with you. 

Higher chargeback rates

For every successful fraudulent transaction, there is a chargeback request waiting in the wings. As your chargeback rate increases, you’ll come under scrutiny from the card network, and could be placed on a monitoring program if you pass a certain threshold. If you fail to bring your chargeback rate down, you’ll be fined and could eventually be banned from the card network altogether. 

Vulnerability to other fraud schemes

Successful card testing exposes vulnerabilities in your security systems, alerting fraudsters to potential weaknesses they can exploit. By identifying your business as an easy target, they may launch additional attacks, such as account takeover fraud. These fraudulent activities not only harm your business but also jeopardize the trust and loyalty of your customers.

How to prevent card testing fraud 

The best way to prevent card testing is to know the warning signs, which include:

• High decline rates
• High chargeback rates
• Low transaction amounts
• Multiple declines in a short period of time
• Multiple purchases from the same IP address

Below, we’ll explain the most effective ways to combat card testing fraud.

AVS checks

Use Address Verification System (AVS) checks during transactions to verify that the billing address provided by the customer matches the address associated with the card. AVS mismatches may indicate potential fraudulent activity and can trigger further investigation, or decline the transaction.

Fraud detection software

Leverage advanced fraud detection software, such as Checkout.com’s Fraud Detection Tool, that employs sophisticated algorithms and machine learning techniques to analyze transaction patterns, detect anomalies, and identify potential instances of card testing. This type of software can help identify suspicious behavior and flag transactions for manual review or automatic rejection.

Velocity checks

We recommend establishing velocity rules that monitor the frequency and volume of transactions, as well as transaction amounts. For example, you could create a rule that blocks a card if multiple transactions with a value less than $1 are attempted within a specific time frame, say 10 minutes or one hour. By setting limits on the number of transactions from a single card within a specified time period, you can detect and prevent card testing attempts, as fraudsters often make multiple rapid transactions.

Monitor real-time transactions

Implement real-time transaction monitoring to track and analyze incoming transactions as they occur, allowing you to quickly identify suspicious patterns, irregularities, or any signs of card testing activity. Robust fraud monitoring facilitates timely intervention. This is vital to prevent fraudulent transactions being processed.

Look at card testing trends

Monitor card testing trends over time to identify patterns, tactics, and emerging techniques used by fraudsters. By staying informed about evolving card testing methods, you can proactively update your fraud prevention strategies and adapt your security measures.

SCA protocols

Introduce Strong Customer Authentication (SCA) protocols as required by regulatory requirements such as PSD2 (Payment Services Directive 2) in the European Union. SCA adds an additional layer of security by requiring customers to provide multiple forms of authentication.

Two-factor authentication

Enable two-factor authentication (2FA) for customer transactions, particularly for high-value or sensitive actions. This adds an extra layer of security by requiring customers to provide additional verification, such as a unique code sent to their mobile device, in addition to their card details.

Machine learning

Machine learning algorithms can help your business continuously analyze transaction data, detect patterns, and identify fraudulent behavior. You can train the machine learning models on historical data, enabling them to adapt and evolve to detect new card testing techniques and anomalies that may indicate fraud.

Learn more: The regions with the highest credit card fraud

Card testing fraud checklist

• Detect card testing activities - the first step in any successful prevention strategy is to identify card testing activity, which will be signalled by a sudden increase in your decline or chargeback rate, lots of very small transactions, and a high number of transactions from the same IP address
• Process refunds for fraudulent payments to prevent disputes - the quicker you can issue refunds to cardholders that have been defrauded, the more chance you have of preventing a dispute and limiting reputational damage 
• Implement one or more preventative measures in your system to halt card testing - choose from and implement the measures outlined above, including AVS checks, velocity rules, and two-factor authentication. Alone, these are effective ways to combat card testing fraud, but they’re much more powerful when used in combination with each other
• Continuously monitor your system to verify the effectiveness of the implemented mitigations -  you should also make sure to assess the success of any preventative measures you take. If they’re not successful in stopping card testing fraud, you may have rethink your strategy and test different measures

How Checkout.com helps with card testing fraud 

With Checkout.com, your business can stay ahead of fraudsters with our advanced machine learning, customizable Fraud Detection Tool, and robust velocity features designed to combat card attacks. Our platform supports detailed arithmetic and property checks, including the use of Issuer response codes, to help you respond to potential card attacks swiftly and effectively and our own rules running in the background that watch for and prevent card attacks. Choose from a variety of preset configurations or upgrade to our Fraud Detection Pro for a fully customizable solution that lets you tailor your risk setup to meet your unique business requirements. We're dedicated to assisting you in combating card testers. Contact our sales team today to discover how Checkout.com can safeguard your business from financial losses and preserve your customers' trust.