News

A gloved hand types on a laptop with two credit cards in the foreground

Know Your Fraud: Card Testing

By Chris Alarie on Aug 17, 2023

Fraud takes many forms. Moreover, different forms of fraud can be categorized based on where they figure into the process of fraud. For example, phishing is identified by the efforts made to steal ID and payment credentials. Card testing, on the other hand, is identified by the actions that the fraudster takes with the credentials that they have stolen or purchased.

What Is Card Testing Fraud?

Card testing fraud is a form of payment card fraud where criminals test the validity of stolen card data on websites or other digital platforms by making numerous small purchases. These criminals obtain stolen card information through a variety of means such as phishing, hacking, or data breaches. The goal of card testing is to identify which card numbers are valid and can be used for larger fraudulent purchases or sold on the dark web.

Varieties of Card Testing Fraud

Fraudsters engaging in card testing are not yet attempting to make major purchases but are merely trying to determine which stolen credentials are valid and still active. As a result, the basic technique for card testing fraud involves making small purchases. Usually card testing fraudsters will do this with multiple sets of credentials at one time, figuring out which ones can be used for larger fraudulent purchases and which ones can’t.

Card testing may be performed manually or accomplished through the use of bots that allow fraudsters to test even larger numbers of cards more quickly. In some circumstances, the fraudsters may not even need to make a purchase if the process of signing up for an account or adding a new card to an existing account allows them to verify that a card is still active and available for fraud.

Consequences of Card Testing

Successful card testing may not initially result in chargebacks because, by definition, these small, fraudulent purchases would go through undetected. But unsuccessful attempts may be noticed by the legitimate owner of the payment credentials and would likely result in chargebacks. And repeated card testing with the same merchant (perhaps one with a low-dollar-amount subscription plan) could eventually be detected and result in chargebacks. While the dollar amounts of the chargebacks would necessarily be small, they would still affect the merchant’s chargeback ratio.

The more important consequences for merchants that are used as part of card testing schemes are the broader, less tangible, but no less significant ones. These include potential brand damage and a loss of customer loyalty. Card testing also reduces trust in the payments system as a whole, leading to consequences for all merchants. And, of course, payment credentials that are successfully run through card testing will likely be used for larger fraud attacks.

Preventing Card Testing

As a form of true fraud, the only way to combat card testing is to prevent it. This involves knowing what makes businesses vulnerable to card testing, what sorts of evidence may indicate card testing is occurring, and what can be done to reduce a particular business’s susceptibility to it.

Business Vulnerabilities

Some businesses are especially vulnerable to card testing techniques merely because of the nature of the transactions that they normally process. Any business that commonly sees multiple small transactions from a single cardholder in a single day—such as a fast food restaurant—may be a target for card testing. Similarly, organizations that don’t require set amounts of money for transactions—such as anything that is donation-based like a charity or pay-what-you-want online music store. Businesses that allow consumers to set up an account, add a payment card, and validate that card without making any actual purchases are also at risk. This is a particularly common issue for businesses that allow payments to be processed through a mobile app.

Indicators

There are certain indicators that may signal to merchants that they are being used as a part of a card testing scheme. These include:

  • High card authorizations for low dollar amounts occurring within a short span of time
  • High volumes of authorization requests for identical amounts
  • Notable increases in decline rates under the same decline code
  • Mismatched credentials
  • Any other notable, unusual trends relating to high velocity and low dollar amount transactions
  • An increased volume of transactions with the same BIN number, possibly indicating that a cache of credentials from a particular bank were stolen

These indicators are particularly worrisome if they involve multiple transactions coming from the same IP address. And if these indicators are paired with geographic information from countries known for high rates of fraud, merchants should be particularly wary.

Prevention Tools and Techniques

There are a number of measures that merchants enact to prevent their susceptibility to card testing attacks. These include using CAPTCHAs to reduce the effectiveness of bot-based card testing; requiring CVV, CVC, CSC, and other card verification codes to reduce the likelihood of card testing attacks resulting from data breaches (which generally don’t include these codes); setting rate limits and limiting checkout attempts to reduce the ability of fraudsters to make the rapid, low-dollar transactions that characterize card testing; monitoring IP addresses and using AVS checks to look for address mismatches or other geographic indicators of fraud; setting minimum transaction amounts for donations or pay-what-you-want transactions; using identity verification tools such as 3-D Secure; and requiring customers to create verified accounts rather than allowing guest checkouts.

Some of these methods may not be viable for all merchants and others may cause more consumer hassles than they are worth. Merchants need to constantly monitor their fraud indicators, honestly evaluate their susceptibility to fraud, balance these concerns, and work proactively to prevent fraud when it seems likely.

Merchants can also work to prevent being on the data breach end of card testing fraud by using firewalls, VPNs, CAPTCHAs, and other data security measures to prevent phishing, hacking, and other breaches.

Conclusion

In the face of rising digital fraud such as card testing, businesses need a reliable ally. MidMetrics' chargeback analytics dashboards offer that steadfast support. MidMetrics equips businesses with comprehensive data and critical insights. It allows you to quickly identify unusual transaction patterns and potential vulnerabilities. Avoid the detrimental effects of fraud such as brand damage and loss of customer trust with MidMetrics. Invest in a solution that not only identifies fraud but provides actionable insights to mitigate it. Secure your business with MidMetrics today.