What is card testing?

Card testing is a type of cybercrime. Criminals use stolen debit or credit card details to see if they’re valid on e-commerce websites. It’s also known as “carding”, “account testing”, and “card checking.”

Card testing is common across e-commerce and m-commerce (where customers use mobile or tablet devices) businesses. Card testing often starts with low dollar amounts. If a valid card is found, fraudsters will use it to make larger purchases or sell the details to other criminals.

How does card testing work?

Fraudsters can test card numbers in a number of ways. Firstly, attackers target websites with basic validation processes, trying many card numbers in succession until they find one that works.

A common form of testing we see is enumeration testing, or brute force attacks. This is where fraudsters submit card authorisation attempts that concentrate on a single Bank Identification Number (BIN) or multiple BINs. They try various combinations of payment values (e.g. account number, expiry date, CVV number, and postcode) until the right combination of values is approved.

Alternatively, they could just complete a payment. Either way, if a transaction is approved, the account is open and the card hasn’t been reported stolen.

Fraudulent transactions can be made manually. However, most of the time, card testing methods use automated programs — or bots. These bots submit multiple orders across many websites at once. Small, manual attacks may be a warning sign. It could mean that a bot is being programmed to attack your website in the future.

Bots are much faster than manual testing methods and can do more damage due to the volumes they can achieve. However, the good news is they can be easier to detect using fraud detection software programs.

How is card testing detected?

There are a number of trends that may indicate card testers are at work.

Here are some patterns to look out for:

  • A large number of low value transactions over a short time period (especially if this is different to your usual selling pattern).
  • A higher than usual number of declined transactions (especially during a short time period).
  • A large number of chargebacks due to the cardholder disputing the payment.
  • Multiple purchases from the same IP address.
  • Multiple purchases using the same bank identification number (BIN) (the first 6 digits of the card number).
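
The patterns above (apart from chargebacks, which arrive later) can be checked over a sliding window of recent payments. The following is an added example, not Eway code: the thresholds, field layout and sample transactions are constructed assumptions, and the IP addresses come from documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to your usual selling pattern.
WINDOW = timedelta(minutes=10)
LOW_VALUE = 5.00        # amounts at or below this count as "low value"
MAX_LOW_VALUE = 5       # low-value payments tolerated per window
MAX_DECLINE_RATE = 0.5  # share of declined payments tolerated per window
MAX_PER_KEY = 5         # payments tolerated per IP address or per BIN

# Constructed sample data: (time, source IP, BIN, amount, approved).
T0 = datetime(2024, 1, 1, 12, 0, 0)
NORMAL = [
    (T0 + timedelta(minutes=1), "198.51.100.4", "510000", 59.90, True),
    (T0 + timedelta(minutes=4), "198.51.100.9", "520000", 120.00, True),
    (T0 + timedelta(minutes=8), "192.0.2.33", "450000", 34.50, True),
]
# Eight 1.00 attempts, 20 seconds apart, one IP and one BIN; only the last is approved.
BURST = [(T0 + timedelta(seconds=20 * i), "203.0.113.7", "400000", 1.00, i == 7)
         for i in range(8)]


def card_testing_signals(txns, window_end, window=WINDOW):
    """Return (signal, detail) pairs for payments inside the window."""
    recent = [t for t in txns if window_end - window <= t[0] <= window_end]
    if not recent:
        return []
    signals = []
    low = sum(1 for t in recent if t[3] <= LOW_VALUE)
    if low > MAX_LOW_VALUE:
        signals.append(("low_value_burst", low))
    decline_rate = sum(1 for t in recent if not t[4]) / len(recent)
    if decline_rate > MAX_DECLINE_RATE:
        signals.append(("high_decline_rate", round(decline_rate, 2)))
    for name, column in (("same_ip", 1), ("same_bin", 2)):
        for value, count in Counter(t[column] for t in recent).items():
            if count > MAX_PER_KEY:
                signals.append((name, value))
    return signals


if __name__ == "__main__":
    for signal in card_testing_signals(NORMAL + BURST, T0 + WINDOW):
        print(signal)
```

On the normal transactions alone the function returns no signals, which is the baseline to compare against when choosing thresholds.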

Impacts of card testing

As card testing involves small dollar amounts, it may be tempting not to worry about its impact on your business. However, letting it continue may lead to serious consequences.

Firstly, once a fraudster has found a card that works, it can be used to make larger purchases. This costs money and weakens consumer confidence.

An increase in disputes and chargebacks will cost you time and money to sort out and may involve additional dispute fees.

The higher number of declined payments reduces customer confidence in your business. It can also increase your risk profile from a card issuer perspective. Having a higher risk profile can result in higher fees for your business. These can include card scheme fines and loss of merchant facilities, higher costs, and damage to your business reputation. This can impact genuine payments long after card testing has stopped.

Card testing places a heavier load on the payment network. This not only provides a negative experience for your customers, but also damages the payments system as a whole. Additionally, if your system easily allows card testing, it may encourage fraudsters to attempt more serious attacks on your business.

What can you do to protect yourself?

The best way to prevent automated card testing scripts is to install a CAPTCHA tool on your website as a requirement for each payment.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) observes website behaviour to distinguish between humans and bots. If unsure, it poses a challenge for the customer to complete.

A popular CAPTCHA tool is Google’s reCAPTCHA.

A honeypot is an additional technique that may help prevent testing. It adds a field on your business’s payment form that’s invisible to humans. If an automated script fills in that field, your website will not process the payment.

Other security precautions you can take include:

  • Set up a firewall with a botnet prevention feature to improve your network security and better monitor traffic on your site.
  • Request card security (CVV) codes that fraudsters are less likely to have access to.
  • Monitor IP addresses to check locations match billing/shipping addresses and to pick up multiple card attempts. You can also block any fraudulent IP address, directly stopping them from accessing your website.
  • Limit the number of transaction attempts to prevent fraudsters from guessing different account details.
  • Don’t allow guest checkout so you can better verify genuine cardholders and discourage fraudsters.
  • Encourage shoppers to call and discuss reasons for a transaction decline, rather than providing the reason up front.
  • Set minimum limits for credit card transactions.
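
A server-side sketch of two of the measures above, the honeypot field and a limit on transaction attempts, combined with a generic decline message. This is an added example, not Eway code: the field name `company_website`, the limit of 3 attempts per 10 minutes and the message wording are assumptions.

```python
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "company_website"  # hypothetical hidden form field
MAX_ATTEMPTS = 3                    # assumed limit per client
WINDOW_SECONDS = 600                # assumed window: 10 minutes


class PaymentGate:
    """Decides whether a payment form submission goes on to the gateway."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self.attempts = defaultdict(deque)  # client IP -> attempt timestamps

    def check(self, client_ip, form):
        """Return (allowed, reason). The reason is for internal logs only."""
        now = self.clock()
        recent = self.attempts[client_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget attempts that left the window
        if len(recent) >= self.max_attempts:
            return False, "too_many_attempts"
        recent.append(now)  # honeypot hits also count towards the limit
        if form.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot_filled"  # a human never sees this field
        return True, "ok"


def customer_message(allowed):
    """Same wording for every rejection, so the reason is not given up front."""
    if allowed:
        return "Processing your payment."
    return "We could not process this payment. Please call us for help."


if __name__ == "__main__":
    gate = PaymentGate()
    # Constructed submission: the hidden field has been filled in.
    allowed, reason = gate.check("203.0.113.7", {HONEYPOT_FIELD: "http://example.test"})
    print(reason, "->", customer_message(allowed))
```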

How do we help?

Prevention is better than the cure. Our fraud monitoring tools alert us if card testing is attempted on Eway accounts. Typically, we find that unless preventative measures are implemented quickly, testing will reoccur. Therefore, we notify you that this is happening and provide advice on how to prevent it. If we detect further testing on the account, we will suspend payments to protect you from additional testing until preventative measures are in place.

We can help you provide safe and secure checkout experiences with 3D Secure 2.0, which is included at no extra cost on all our Eway merchant accounts. 3DS 2.0 provides a live data exchange between the merchant, card issuer and card scheme. By checking a number of data points about the cardholder and their device during the transaction, 3DS 2.0 calculates a risk score to detect potential fraud. For high fraud risk transactions, the cardholder is prompted to complete an authentication step.

3DS 2.0 works with our Fraud Protection Plans and security features to help detect and prevent any suspicious activity. These features include card tokenisation and device fingerprinting. This helps us detect and prevent suspicious activity across the entire transaction process.

Want to know more about how we can help reduce fraudulent transactions and streamline your checkout experience? Talk to our team of experts today.
