'Card testing' is e-commerce's next big security challenge


Nobody opens an online store hoping to spend time and energy combating fraud.

However, fraud prevention is a key to e-commerce success, because fraudsters are targeting online shops in growing numbers.

Forbes recently reported e-commerce fraud was up 30% in the first 4 months of 2017 over the same period in 2016. One specific type of fraud, card testing, was up by 200%. Card testing is common, not always easy to spot, and dangerous for the small online sellers that fraudsters often target for this type of scam. Here's what small and medium e-retailers need to know about card testing.

We compare card testing to thieves “playing the slots” with stolen card numbers to see what they can get from them. Fraudsters test stolen credit card numbers with small, incremental online purchases to see if their stolen card numbers are valid, to match the numbers to their card verification values (which fraudsters often can't obtain along with the card number), and to try to get an idea of what the card's credit limit and purchasing power may be.
The description of card testing might lead you to imagine a small group of people making test purchases one by one on computers in a darkened room, but card-testing fraud is big business. Organized criminals, some with the help of bots, can test many cards at the same time on different retail sites, and test many different cards at each site, until they find cards that are valid and have lots of available credit.

Many small orders generated as a result of card testing use the shipping address associated with the card, because fraudsters don't want to unnecessarily raise a red flag for extra screening by entering a new shipping address. And the fraudster making the test purchase doesn’t care where the order is delivered. All he cares about is finding a working credit card number and billing address that he can later use with the same or another retailer to get a very expensive product shipped overnight for resale.

Retailers and consumers are affected by card testing fraud, but it hits retailers hardest. Retailers bear responsibility for detecting and preventing card testing in their online stores, on their own or with the help of an outside fraud-protection provider. Each card test fraud purchase that retailers miss appears on the real cardholder's statement; the cardholder then has to make time to contact their card issuer and file a chargeback request to avoid paying for a purchase they didn't make.

Then the retailer is on the hook again for the cost of the chargeback, the cost of lost merchandise, and a fee levied by the bank. After too many chargebacks for whatever reason, the retailer can face higher payment processing fees or even account closure. Making the situation even more unfair, fraudsters prefer to card test at small online shops that they assume will have substandard or nonexistent fraud prevention tools. These are the mom-and-pop and solopreneur sellers who can least afford to bear the cost of lost goods, chargebacks, and higher fees.

Some of the characteristics of card testing are:

- Small-value transactions, which minimize the use of the card's available balance and also avoid some fraud filters. This can indicate early-stage testing.
- Multiple credit card purchases in a short amount of time, which can indicate the possible use of bots working with stolen data.
- Multiple transaction attempts that fail, which can indicate attempts to enter incomplete stolen card data and guess at the rest.
- Card-type switching during purchase attempts. For example, a customer (especially a new customer) who switches from trying to pay with a Visa card to a Mastercard and then back to a different Visa. Again, this can be a sign that a fraudster is using stolen cards and trying to figure out available balances.
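As an added illustration (not code from the original article), the Python check below applies those four red flags to a constructed sample of payment attempts grouped by customer account; the log layout, account ids and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of payment attempts, shaped like a store's gateway log:
# (timestamp, customer account, card brand, amount in USD, gateway outcome).
SAMPLE_ATTEMPTS = [
    ("2017-05-01T10:00:00", "acct-17", "visa",       2.99, "declined"),
    ("2017-05-01T10:00:20", "acct-17", "visa",       2.99, "declined"),
    ("2017-05-01T10:00:45", "acct-17", "mastercard", 1.49, "approved"),
    ("2017-05-01T10:01:10", "acct-17", "visa",       3.50, "declined"),
    ("2017-05-01T10:01:30", "acct-17", "visa",       0.99, "approved"),
    ("2017-05-01T10:02:00", "acct-17", "amex",       1.00, "approved"),
    ("2017-05-01T11:30:00", "acct-42", "visa",      84.00, "approved"),
    ("2017-05-02T09:15:00", "acct-42", "visa",      40.00, "approved"),
]

# Thresholds are assumptions for this example; tune them against real order history.
WINDOW = timedelta(minutes=10)  # what counts as "a short amount of time"
SMALL_AMOUNT = 5.00             # upper bound for a "small-value transaction"
MIN_ATTEMPTS = 4                # attempts in one window to count as "multiple"
MIN_FAILURES = 2                # failed attempts in one window
MIN_SWITCHES = 2                # brand changes, e.g. Visa -> Mastercard -> Visa


def card_testing_flags(attempts, window=WINDOW):
    """Return {account: set of red flags} for accounts whose attempts inside
    some sliding time window show the card-testing signs listed above."""
    by_account = defaultdict(list)
    for ts, acct, brand, amount, outcome in attempts:
        by_account[acct].append((datetime.fromisoformat(ts), brand, amount, outcome))

    flags = {}
    for acct, events in by_account.items():
        events.sort()  # chronological, so brand switches are counted in order
        found = set()
        for i, (start, _, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            if len(win) >= MIN_ATTEMPTS:
                found.add("rapid_attempts")
                if all(e[2] <= SMALL_AMOUNT for e in win):
                    found.add("small_amounts")
            if sum(e[3] != "approved" for e in win) >= MIN_FAILURES:
                found.add("repeated_failures")
            brands = [e[1] for e in win]
            if sum(a != b for a, b in zip(brands, brands[1:])) >= MIN_SWITCHES:
                found.add("brand_switching")
        if found:
            flags[acct] = found
    return flags
```

An account that trips several flags at once is the case the article describes; a single flag on its own (one declined card, one small order) is normal customer behaviour and should only raise the order for review.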

When a retailer sees an order that raises one or more card-testing red flags, there are several steps to take. The first is to decline the transaction or cancel the order and stop the shipment of goods if possible. For verified card-testing attempts, the seller can disable the customer account associated with the order and ban the IP address associated with that account. They can also send a cancellation email to the accountholder, which can accomplish one of two things. If the card-test order came from a legitimate customer's account that was hijacked by fraudsters, the email can make them aware of the problem so they can take steps to secure their email and credit card information. If the account was created by the fraudsters, a cancellation notice sends a clear message that this store is not the place to test cards.

By taking these steps, online sellers are not only protecting their own business; they also help safeguard their customers' account information and help the entire online retail industry by making it harder for criminals to launch future card attacks. That's good for every legitimate player in the e-commerce ecosystem, and with the right information and careful monitoring, every online seller can do their part.
