Card Testing: The Next Big Criminal Fraud Threat

How to Protect Your Business from Increasing Card Testing Fraud Losses

We know that most chargebacks are the result of friendly fraud. More than 80% of all chargebacks are traceable back to friendly fraud in one way or another. Friendly fraud isn’t the only factor to worry about, though. One criminal fraud tactic—card testing—is becoming a major source of revenue loss for online businesses.

What is Card Testing?

Instances of these card testing attacks tripled in the last year, and they are still on the rise. But what is card testing?

Card testing happens when fraudsters buy stolen cardholder information off the dark web. These criminals buy the information in bulk from a hacker or data skimmer, usually paying just a few cents per card account. The criminal may buy thousands of card numbers at a time, expecting that many of the accounts will be invalid, maxed out, or closed.

The fraudster needs to sort the valid numbers from the invalid ones. That’s where card testing comes in.

The fraudster will use an automated script to place small-value orders using each card number on different eCommerce sites. If the transaction is declined, the fraudsters write that card number off as junk. If the transaction is approved, they will immediately funnel that number away to make high-value transactions while they can.

How Does Card Testing Affect Merchants?

“What’s the big deal,” you ask? Why worry about these low-dollar transactions? One word: chargebacks.

Let’s assume that a card testing transaction goes through. The fraudster rushes to use up as much of the card’s balance as possible, as quickly as possible. When the cardholder discovers the fraud, they will file for chargebacks to dispute all the fraudulent transactions, including the test.

Chargeback fees are static. The dollar value of the original transaction doesn’t matter; the merchant will still pay the same amount to cover the cost of chargeback administration for a $5 sale as for a $500 sale. Plus, each chargeback counts against the merchant’s chargeback-to-transaction ratio. Merchants who get too close to a monthly average of 1 chargeback for every 100 transactions risk losing their merchant account and their ability to process cards altogether.

Card testing grew dramatically last year, and that trend is showing no signs of slowing. Remember that card testing transactions are typically made by bots that attempt to force through as many transactions as possible, as quickly as possible, which means they can add up quickly. That means more chargebacks, increased costs, and a greater threat to your business’s sustainability.

What Can You Do About Card Testing?

Here are a few tips that can help protect your business against card testing attacks:

  • Use CAPTCHAs at Checkout: Not all transaction friction is bad. CAPTCHA puzzles are intended to block bots and other scripts from completing a transaction. While they add an extra barrier at checkout, CAPTCHAs are an example of “good friction” that should only trip up attackers.
  • Take Advantage of AVS: Address verification ensures that the address used in the order matches the billing address on file for the cardholder. A mismatched address should register as suspicious and might require manual review.
  • Verify the Card’s CVV: Even if a fraudster steals a card number, they won’t have the CVV—the three-digit code on the back of the card. This can at least ensure that the cardholder has the card in their physical possession.
  • Flag Repeat Attempts: Multiple orders coming from the same IP address in quick succession should be immediately suspicious. This is a classic sign of fraud, so be sure to review these orders closely.
  • Review Overseas Orders: Make sure that the IP address associated with the order matches the country listed in the billing address. Any order that is going to another country, especially one with a reputation for fraud, should prompt an additional review.
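
The "Flag Repeat Attempts" and "Review Overseas Orders" tips can be automated as a review queue. The sketch below is an added example, not code from this article: the thresholds, field layout, and sample attempts are assumptions, and it goes one step beyond the tips by also counting distinct cards per IP, since a testing script cycles through many card numbers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the article); tune them against your own traffic.
WINDOW = timedelta(minutes=5)
MAX_ATTEMPTS = 3         # checkout attempts allowed per IP inside WINDOW
MAX_DISTINCT_CARDS = 2   # distinct cards allowed per IP inside WINDOW

# Constructed sample attempts, sorted by time (not real data):
# (timestamp, source IP, card token, IP country, billing country)
SAMPLE_ATTEMPTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "tok_a", "US", "US"),
    ("2024-01-01T10:00:05", "203.0.113.7", "tok_b", "US", "US"),
    ("2024-01-01T10:00:09", "203.0.113.7", "tok_c", "US", "US"),
    ("2024-01-01T10:00:14", "203.0.113.7", "tok_d", "US", "US"),
    ("2024-01-01T10:02:00", "198.51.100.20", "tok_e", "US", "US"),
    ("2024-01-01T10:03:00", "192.0.2.44", "tok_f", "DE", "US"),
    ("2024-01-01T10:20:00", "203.0.113.7", "tok_g", "US", "US"),
]

def review_attempts(attempts):
    """Return {attempt_index: [reasons]} for attempts that need manual review."""
    recent = defaultdict(deque)  # ip -> (time, card) pairs still inside WINDOW
    flagged = {}
    for i, (ts, ip, card, ip_cc, bill_cc) in enumerate(attempts):
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        # Drop attempts that have aged out of the sliding window.
        while q and now - q[0][0] > WINDOW:
            q.popleft()
        q.append((now, card))
        reasons = []
        if len(q) > MAX_ATTEMPTS:
            reasons.append("repeat attempts from one IP")
        if len({c for _, c in q}) > MAX_DISTINCT_CARDS:
            reasons.append("many cards from one IP")
        if ip_cc != bill_cc:
            reasons.append("IP country differs from billing country")
        if reasons:
            flagged[i] = reasons
    return flagged

if __name__ == "__main__":
    for idx, why in review_attempts(SAMPLE_ATTEMPTS).items():
        print(SAMPLE_ATTEMPTS[idx][1], SAMPLE_ATTEMPTS[idx][2], "->", "; ".join(why))
```

The last sample attempt arrives after the window has expired, so the same IP is not flagged again until its rate climbs back over the thresholds.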