February 07, 2023
by David Goodale
Why is Credit Card Card Testing a Problem?
(Slightly edited from video transcript for greater readability)
Hello, David here at Merchant-Accounts.ca. Today I'm going to tackle the topic of card testing, and why it's a problem for merchants, processors, Visa and MasterCard. Stay tuned, we'll dig in in one second.
Card testing is an increasing problem. I have had several merchants impacted over the years, and it seems to be generally increasing. What happens is fraudsters, malicious or nefarious users will submit credit card transactions to a legitimate merchant, not trying to steal anything, just trying to find out if a credit card works. What'll end up happening for the merchant is they'll go and check their orders and maybe where they normally get, maybe 50 transaction attempts in a day, they'll have 5,000. It's a really big problem because they're paying per-transaction fees for each of those transactions. If any of those transactions get approved, the merchant can get a chargeback. Why would a fraudster do this? Well, the reason why they do it is that there's something called the Luhn algorithm. Every credit card issued follows an algorithm called the Luhn algorithm.
Thousands of card numbers are generated
I'm not going to get into how it works, but you could Google it if you're curious. Fraudsters know the algorithm. They know if they generate, say, a hundred thousand cards and they guess expiry dates within, a certain reasonable range in the future, they're going to get a couple of positive hits, but they don't know if a card actually would work or not. The way that they know is they test it against unsuspecting merchants, for very small orders. Because what they want to know is if the card's going to work or not. Once they know that the card works, they can then use this credit card to do something more nefarious, like buy stolen goods with another merchant. It's a real problem. It's increasingly a problem. The main concern is, among other things, the per transaction fees. If an online merchant might say, pay 20 cents per transaction, well, not a big deal.
Spike in transactions
If you normally get 50 transactions in a day, it's a much greater concern if you suddenly get 5,000 transactions, just as an example. I think what I want to talk about first is if this has impacted you or happened to you, what should you do? The first thing you should do is notify your payment processor. You want to let them know what's going on in that, you're on it. If necessary, take your store offline temporarily while you find out how the person is doing the testing, meaning the malicious user is doing the testing. The second thing, is you ask the payment processor to refund your per-transaction fees. Now, in fairness to the payment processor, they will incur an actual fixed cost, most likely from the card networks. You probably won't get that fee back because it's not the payment processor's fault either that this happened, but the payment processor should not earn a profit from you.
What to do after a card testing incident
When this happens to my clients, we always refund everything we can, less our fixed costs so that we don't take a big loss in the situation. That's the first thing that you should look at doing. Hopefully, your payment processor should be reasonable in this situation. Why would they not? They should not be profiting from something where they didn't do anything wrong. The second thing you need to do, or maybe it's not even the second thing, is probably more important. You can talk, and deal with the fees later. What you need to do is find ways to prevent it.
Implement a captcha
The most common way nowadays seems to be adding a Google reCAPTCHA on the page. There have been multiple versions of reCAPTCHA over the years. It used to be like these squiggly letters, you could never possibly make out what they were. Then it would be like clicking the squares where you see a school bus. The most modern version of reCAPTCHA is frictionless. There's no interaction with the user at all. In my personal experience, although it's not perfect, it tends to work pretty well. That will prevent, should prevent the malicious user from firing off unlimited attempts at your server. Now what you also want to do is monitor it. Like it could be as simple as logging into your control panel, and just keeping an eye on it, especially for a while after this has occurred. You don't want to let the malicious user come back and start hitting you again. If you implement reCAPTCHA, make sure that it's working, and make sure that it's stopping those malicious users. Now, something else that you can do is, if you're into like a, if you want to program a more elegant solution, you could set something up called a velocity check.
A velocity check is where your server could monitor the number of declines that are coming in. Let's say that again, you probably normally process 50 transactions in a day for example. Let's say that you set your velocity filter at 50. If you see more than 50 transactions being declined within 10 minutes, what you should do is probably disable your order form for maybe 20 minutes or so, or send an email alert out so you can do something about it. Basically, you're trying to make it, the server intelligently watch to see the number of requests coming in and then do something to cut that fraud straw at the knees. You just want to shut them down. It's very frustrating. Now you do have to be careful, it's about finding the right balance between frustrating fraudsters and not overly frustrating legitimate customers. That can be a little bit of a fine line sometimes.
This was just a very quick hit video. Card testing is a problem, but by being aware of it, monitoring it, putting controls in place, recaptchaing or velocity check, or other methods like forcing your customers to sign up for user accounts before they check out. The problem is, like with anything I, always say, you can put security bars on your store, but if somebody shows up with a tank, they're going to get in. For most, the vast majority of online merchants, they're not going to get hit with really significant card testing. Fraudsters are lazy. If you make it difficult for them, they will leave and go somewhere else. Now, if you have been a victim of card testing, do ask your payment processor to refund any fees that were not a fixed hard cost. They should not earn a penny from that situation. If you have any questions, you can reach out to us at Merchant-Accounts.ca. We would try to help if you've run into the situation before. Thanks for watching and have a nice stay there. Bye now.
Need professional guidance?
Contact us for a free one hour consultation.
Can I Help Lower Your Processing Fees?
If you found this content helpful, will you give me the opportunity to quote on your business?