As the volume of online sales has gone up globally, so have the challenges of online fraud, card testing, brute force and BIN attacks.
We would like to remind you of best practice to help prevent these attacks, and also remind you of the Mastercard Excessive Authorization Attempts Transaction Processing Excellence (TPE) program.
The Excessive Authorization Attempts TPE program was launched to help identify bad actors and unfavorable transaction processing behaviour trends. The aim of the program is to drive positive processing behaviour change, resulting in a seamless network experience for all parties involved.
Mastercard may assess a TPE fee to the acquirer for submitting excessive authorizations into the network above the regionally established threshold. Checkout.com will then pass this fee on to you as the merchant.
You can read more about the fee in our Interchange and Scheme fee bulletin.
Assessment of this fee may be caused by card testing attacks, where your payment page is used to carry out repeated fraudulent test transactions on the same card.
- Monitor and review the language and time zone of cardholders’ IP addresses and devices. This near-real-time authorization monitoring can help you detect anomalies or inconsistencies in the data and flag these transactions as higher risk.
- Add any IP addresses that have regularly failed payment attempts to your fraud block list for review.
- Use EMV 3DS (3DS2) checks.
- Lock a user’s account when multiple incorrect password/username attempts have been made.
- Monitor the IP address of a single account login. If the account is being used across multiple IP addresses, review and analyze if this is legitimate.
- Block the use of common or suspicious passwords and review any logins that currently use them.
- Review customer sessions for excessive bandwidth consumption. You can also monitor tracking elements for multiple transactions using the same email address and device ID but with multiple different cards.
- Use random pauses (throttling) on account checking and increase these checks on BINs that see higher fraud attempts.
- Implement CAPTCHA and reCAPTCHA controls along with botnet detection and fingerprint authentication.
- Think about implementing velocity checks on lower transaction values as well as large value items.
- Use Address Verification Service (AVS) and Card Verification Code (CVC) checks.
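
As an added illustration (not Checkout.com or Mastercard code), the example below applies two of the checks listed above to constructed authorization records: repeated failed attempts from one IP address, and one email address and device ID used with several different cards. The record layout, the thresholds and the function name are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample attempts:
# (epoch seconds, ip, email, device_id, card fingerprint, amount, approved)
ATTEMPTS = [
    (1000, "203.0.113.7", "a@example.com", "dev-1", "card-A", 1.00, False),
    (1005, "203.0.113.7", "a@example.com", "dev-1", "card-B", 1.00, False),
    (1011, "203.0.113.7", "a@example.com", "dev-1", "card-C", 1.00, False),
    (1016, "203.0.113.7", "a@example.com", "dev-1", "card-D", 1.00, True),
    (1020, "198.51.100.4", "b@example.com", "dev-2", "card-X", 59.90, False),
    (4000, "198.51.100.4", "b@example.com", "dev-2", "card-X", 59.90, True),
]

# Assumed thresholds; tune them against your own traffic.
WINDOW_SECONDS = 300
MAX_DECLINES_PER_IP = 3
MAX_CARDS_PER_IDENTITY = 3


def find_card_testing(attempts, window=WINDOW_SECONDS):
    """Return (ips, identities) that exceed a velocity threshold in any window."""
    declines = defaultdict(deque)   # ip -> timestamps of recent declines
    cards = defaultdict(deque)      # (email, device) -> recent (timestamp, card)
    flagged_ips, flagged_ids = set(), set()
    for ts, ip, email, device, card, _amount, approved in sorted(attempts):
        # The amount is ignored on purpose: low-value tests count like any attempt.
        if not approved:
            q = declines[ip]
            q.append(ts)
            while q[0] <= ts - window:      # drop declines outside the window
                q.popleft()
            if len(q) >= MAX_DECLINES_PER_IP:
                flagged_ips.add(ip)
        seen = cards[(email, device)]
        seen.append((ts, card))
        while seen[0][0] <= ts - window:    # drop card sightings outside the window
            seen.popleft()
        if len({c for _, c in seen}) >= MAX_CARDS_PER_IDENTITY:
            flagged_ids.add((email, device))
    return flagged_ips, flagged_ids


if __name__ == "__main__":
    ips, ids = find_card_testing(ATTEMPTS)
    print("IPs to review for the block list:", sorted(ips))
    print("Email/device pairs using many cards:", sorted(ids))
```

A single retry on the same card, like the second constructed customer, stays below both thresholds and is not flagged.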
Our Fraud Detection solution lets you control the type of payments you accept and reduce the risk of fraud. This includes pre-configured setup and block list, pre-set fraud rules and Machine Learning (ML) with fixed thresholds to decline, approve, or send transactions for 3D Secure authentication.
The tool lets you make minor edits to some pre-set rules and add further rules from a pre-set list. You can test these changes before implementation using our shadow-mode testing feature and access a full suite of analytics and reports within the tool.
Speak to your Customer Success Manager if you’re interested in learning more about our Pro solution – designed for fraud teams that want more control over their risk setup. Pro unlocks additional functionality to give you more advanced risk tools and the ability to fully customize your strategy:
If you would like any further information about either of these products or have any other questions, please contact your Checkout.com Customer Success Manager.