
February 07, 2023
by David Goodale

Why is Credit Card Testing a Problem?

(Slightly edited from video transcript for greater readability)

Key Takeaways

1. What is card testing?
When fraudsters use stolen credit cards, or generate lists of potential credit cards, and run small transactions to see if the cards work.

2. Why is it a problem?
Every time a merchant processes a transaction they incur a per-transaction fee. If thousands of cards are tested this can add up. Also, transactions that are approved can result in chargebacks.

3. Prevention measures
Implement measures such as limiting the number of transactions from a single IP address (velocity checking), or reCAPTCHA, to prevent multiple transaction requests from coming through from fraudsters.

Hello, David here at Merchant-Accounts.ca. Today I'm going to tackle the topic of card testing, and why it's a problem for merchants, processors, Visa and MasterCard. Stay tuned, we'll dig in in one second.

Card Testing

Card testing is an increasing problem. I have had several merchants impacted over the years, and it seems to be generally increasing. What happens is that fraudsters (malicious or nefarious users) will submit credit card transactions to a legitimate merchant, not trying to steal anything, just trying to find out if a credit card works. What'll end up happening for the merchant is they'll go and check their orders, and where they normally get maybe 50 transaction attempts in a day, they'll have 5,000. It's a really big problem because they're paying per-transaction fees for each of those transactions. If any of those transactions get approved, the merchant can get a chargeback. Why would a fraudster do this? Well, the reason is that there's something called the Luhn algorithm. Every credit card issued follows an algorithm called the Luhn algorithm.

Thousands of card numbers are generated

I'm not going to get into how it works, but you could Google it if you're curious. Fraudsters know the algorithm. They know that if they generate, say, a hundred thousand cards and they guess expiry dates within a certain reasonable range in the future, they're going to get a couple of positive hits, but they don't know if a card actually would work or not. The way that they know is they test it against unsuspecting merchants, for very small orders. Because what they want to know is if the card's going to work or not. Once they know that the card works, they can then use this credit card to do something more nefarious, like buy stolen goods with another merchant. It's a real problem. It's increasingly a problem. The main concern is, among other things, the per-transaction fees. An online merchant might pay, say, 20 cents per transaction; well, not a big deal.

Spike in transactions

If you normally get 50 transactions in a day, it's a much greater concern if you suddenly get 5,000 transactions, just as an example. I think what I want to talk about first is, if this has impacted you or happened to you, what should you do? The first thing you should do is notify your payment processor. You want to let them know what's going on and that you're on it. If necessary, take your store offline temporarily while you find out how the malicious user is doing the testing. The second thing is to ask the payment processor to refund your per-transaction fees. Now, in fairness to the payment processor, they will incur an actual fixed cost, most likely from the card networks. You probably won't get that fee back, because it's not the payment processor's fault either that this happened, but the payment processor should not earn a profit from you.

What to do after a card testing incident

When this happens to my clients, we always refund everything we can, less our fixed costs, so that we don't take a big loss in the situation. That's the first thing that you should look at doing. Hopefully, your payment processor should be reasonable in this situation. Why would they not? They should not be profiting from something where they didn't do anything wrong. The second thing you need to do, or maybe it's not even the second thing, is probably more important. You can talk about and deal with the fees later. What you need to do is find ways to prevent it.

Implement a captcha

The most common way nowadays seems to be adding a Google reCAPTCHA on the page. There have been multiple versions of reCAPTCHA over the years. It used to be these squiggly letters where you could never possibly make out what they were. Then it would be clicking the squares where you see a school bus. The most modern version of reCAPTCHA is frictionless. There's no interaction with the user at all. In my personal experience, although it's not perfect, it tends to work pretty well. That should prevent the malicious user from firing off unlimited attempts at your server. Now what you also want to do is monitor it. It could be as simple as logging into your control panel and just keeping an eye on it, especially for a while after this has occurred. You don't want to let the malicious user come back and start hitting you again. If you implement reCAPTCHA, make sure that it's working, and make sure that it's stopping those malicious users. Now, something else that you can do, if you want to program a more elegant solution, is set up something called a velocity check.

Velocity Check

A velocity check is where your server monitors the number of declines that are coming in. Let's say again that you normally process 50 transactions in a day, for example. Let's say that you set your velocity filter at 50. If you see more than 50 transactions being declined within 10 minutes, what you should do is probably disable your order form for maybe 20 minutes or so, or send an email alert out so you can do something about it. Basically, you're trying to make the server intelligently watch the number of requests coming in and then do something to cut that fraudster off at the knees. You just want to shut them down. It's very frustrating. Now, you do have to be careful: it's about finding the right balance between frustrating fraudsters and not overly frustrating legitimate customers. That can be a little bit of a fine line sometimes.
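The velocity check described above can be sketched as a sliding-window counter. This is an added example, not code from Merchant-Accounts.ca: the class and method names are hypothetical, the 50-decline, 10-minute and 20-minute figures are the article's own example values, and the per-address limit of 5 attempts is an assumed value illustrating the per-IP limit mentioned in the key takeaways.

```python
import time
from collections import defaultdict, deque

class VelocityCheck:
    """Sliding-window velocity filter for a checkout form (illustrative)."""

    def __init__(self, max_declines=50, window_s=600, pause_s=1200,
                 max_per_ip=5, alert=lambda msg: None):
        self.max_declines = max_declines  # article's example: 50 declines
        self.window_s = window_s          # ...within 10 minutes
        self.pause_s = pause_s            # disable the form ~20 minutes
        self.max_per_ip = max_per_ip      # assumed value, tune per store
        self.alert = alert                # e.g. a function that sends email
        self._declines = deque()          # timestamps of all declines
        self._by_ip = defaultdict(deque)  # address -> attempt timestamps
        self._paused_until = 0.0

    def _count(self, q, now):
        # Drop timestamps that have aged out of the window, then count.
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return len(q)

    def allow_attempt(self, ip, now=None):
        """Call before sending a charge to the payment gateway."""
        now = time.time() if now is None else now
        if now < self._paused_until:
            return False                  # order form is disabled
        q = self._by_ip[ip]
        if self._count(q, now) >= self.max_per_ip:
            return False                  # this address is over its limit
        q.append(now)
        return True

    def record_decline(self, now=None):
        """Call on each decline; returns True if it tripped the pause."""
        now = time.time() if now is None else now
        self._declines.append(now)
        if self._count(self._declines, now) <= self.max_declines:
            return False
        self._paused_until = now + self.pause_s
        self._declines.clear()
        self.alert(f"card testing suspected: more than {self.max_declines} "
                   f"declines in {self.window_s}s, checkout paused")
        return True
```

In production the counters would live in shared storage (a database or cache) so that every web server sees the same totals, and idle per-address entries would be pruned periodically.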

Conclusion

This was just a very quick hit video. Card testing is a problem, but be aware of it, monitor it, and put controls in place: reCAPTCHA, a velocity check, or other methods like forcing your customers to sign up for user accounts before they check out. The problem is, like with anything, I always say, you can put security bars on your store, but if somebody shows up with a tank, they're going to get in. The vast majority of online merchants are not going to get hit with really significant card testing. Fraudsters are lazy. If you make it difficult for them, they will leave and go somewhere else. Now, if you have been a victim of card testing, do ask your payment processor to refund any fees that were not a fixed hard cost. They should not earn a penny from that situation. If you have any questions, you can reach out to us at Merchant-Accounts.ca. We would try to help if you've run into the situation before. Thanks for watching and have a nice stay there. Bye now.

About the Author: David Goodale

My name is David Goodale, CEO at Merchant Accounts.ca. I launched our business in 2001 and have over 20 years of expertise in the field of online payments. If you have a payments related question or project, and especially if it relates to multi-currency or international e-commerce don't hesitate to contact me. I'm always happy to help with an honest opinion, and enjoy chatting with folks from interesting businesses.

Toll free: 888-414-7111 ext. 5
Direct: (905) 901-2254
david.goodale@merchant-accounts.ca