Card Testing

December 28, 2021 | 8 min read

Doesn’t it seem like there’s a new type of fraud every time you turn around? Well, you’re not wrong.

As the digital landscape expands and online shopping becomes the new norm, the opportunities for fraud expand with them. Card testing is just one of many clever ways to defraud cardholders and merchants, though it might be the least obvious.

What is Card Testing?

Card Testing [noun] /kärd • test • iNG/

Card testing, also known as ‘card cracking’, is a type of credit card fraud in which a criminal utilizes stolen card credentials to make small purchases. If the transactions go unnoticed, that means the card may be used to make larger fraudulent purchases.

Card testing is often an incremental process. Because the transactions are small, it can be easy to write off a minor concern. However, it adds up quickly.

Card testing has been gaining a lot of popularity with fraudsters in recent years. This is because it’s extremely subtle to the point of being undetectable, and it can provide an opportunity for long-term theft. All things considered, it’s no wonder that card testing has surpassed phishing and identity theft to become the most common fraud attack tactic globally in 2021.

So, now that we’ve established what card testing is, let’s talk about its effects on you, as a merchant, as well as on the eCommerce market as a whole.


How Does Card Testing Impact Merchants?

Noticed unusual activity in your accounts lately? Sometimes your bank’s anti-fraud protections will alert you to irregularities, such as purchases being made from another city or internationally. Not always, though.

The appeal of card testing for criminals is how difficult it can be to detect, and how long they may have to rob their victims blind. Once cardholders are aware of the fraudulent activity, however, they typically act fast to protect themselves. But what about the merchants that accepted those bad purchases?

For merchants like you, card testing can affect much more than your bottom line. Continually unanswered attacks can lead to:

Increased Declines

The Problem

Your account is being used to make fraudulent purchases. These bad transactions can lead to declines, overdrafts, or even the flagging of your account as fraudulent, which would hamper legitimate business practices.

The Stakes

High decline rates damage your business’s reputation with banks and card providers, making even legitimate transactions appear risky.


Increased Fees

The Problem

As card testing continues to drain your accounts and gum up your transaction history, you’ll be incurring fees for every dispute, overdraft, and chargeback resulting from this fraudulent activity.

The Stakes

The fees you may incur can be much higher than the card testing transactions themselves, which essentially means you’re paying for it twice.


Increased Damages

The Problem

Card testing can overload your payment infrastructure, such as card terminals and operating systems. If it’s a busy shopping season or you process hundreds of transactions every day, this can seriously affect your processing times and even damage your integration.

The Stakes

Aside from draining accounts, accruing fees, and gumming up the payment works, card testing is ultimately corrosive to eCommerce as an industry. Fraudulent activity can only thrive in environments in which it is difficult to detect, so it's important for merchants and banks to work together to observe and combat it.

Why Card Testing Is So Hard To Detect

The first step is to recognize how card testers access data.

There are a plethora of ways in which criminals can gain credentials. Some scammers will use targeted attacks on your firewalls to gain access to cards they can use within your own integration. Some might use phishing attacks to crack your system, then mine your data for cards they can use or sell. In fact, thousands of stolen credit cards are bought and sold on the dark web every day.

However it happens, card testing is a big problem that demands our immediate attention.

The most crucial point is to be aware when something is off and have systems in place to respond accordingly. Card testing only works if it’s subtle, and fraudsters count on your having no idea of what they’re doing. So, how do you beat these bad actors before they drain your accounts dry?

How to Fight Card Testing

First things first: our best advice is to monitor absolutely everything. Most businesses use some type of CRM (Customer Relationship Manager) at this stage in the game. If your business isn’t currently using a CRM, now may be the time to make the investment.

A CRM can help you reveal payment discrepancies, better communicate with customers, and manage and monitor social media accounts. And, for our purposes, it can help you keep track of metrics and analytics that can identify card testers posing as customers. CRM data should pair seamlessly with your payment gateway, and also integrate with anti-fraud measures.

What can you do beyond just gathering data, though? Here are five steps you can take to fight card testing fraud today:

Implement the Right Fraud Tools

Setup may be a time-consuming process, but it is ultimately worth it. Card testers will struggle to overcome safety measures like AVS, CVV matching, velocity checking, and IP monitoring if they’re all in place as part of a coordinated, multilayer strategy.

Pro Tip:
Integrate all or as many of these systems with your CRM as possible, and never authorize transactions that do not meet pre-required criteria.

Use a VPN (Virtual Private Network)

Ensure that your payment gateway and CRM data are accessed only through a VPN. As we’ve alluded to, basic firewall protection cannot stop every hacker, and the security of your accounts, and your clients’ accounts, could be compromised.

Pro Tip:
If you offer WiFi for your customers, DO NOT take payments or access sensitive CRM data on the same network!

Enable SSO (Single Sign-On)

This is good advice for everyone, from merchants to consumers. If you are a merchant, it is particularly important to safeguard computers and terminals. SSO can centralize password data under a secured framework, which will make it that much more difficult to breach.

Pro Tip:
Google’s CAPTCHA (Completely Automated Public Turing Test) is a great addition to your SSO arsenal. Card testers often run automated scripts that CAPTCHA can block.

Designate Officers

Choose managers to gatekeep certain access points that could lead to data breaches. Also, make sure all employees log in to the system securely to operate within it, and that they are compliant with PCI standards.

Pro Tip:
Not everyone in your organization needs access to every portal. Make sure your crucial details are only accessible by accredited individuals.

Set Rate Limits

Rate limits can be quite effective at stopping card testing. If the card testing you’re experiencing uses a specific transaction amount, set your limits to exclude that amount.

Pro Tip:
Limit the number of IP addresses that can be used to create new accounts in a single day.
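
The velocity checking and rate limits described above can be tuned by replaying logged payment attempts through per-IP rules before enforcing them. The sketch below is an added example, not code from the original article; the record fields, thresholds, and sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class Auth(NamedTuple):
    ts: int         # time of the attempt, in seconds
    ip: str         # client IP seen at checkout
    card_fp: str    # tokenized card fingerprint, never the card number
    amount: float
    approved: bool  # issuer response recorded in the log

def replay_velocity_rules(events, window=600, max_cards=3, max_declines=3):
    """Replay logged attempts in time order; return (event, verdict) pairs.

    verdict is "allow", "block:distinct_cards" or "block:declines".
    """
    recent = defaultdict(deque)   # ip -> attempts inside the sliding window
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.ip]
        while q and ev.ts - q[0].ts > window:
            q.popleft()           # forget attempts older than the window
        cards = {e.card_fp for e in q} | {ev.card_fp}
        declines = sum(not e.approved for e in q)
        if len(cards) > max_cards:
            verdict = "block:distinct_cards"
        elif declines >= max_declines:
            verdict = "block:declines"
        else:
            verdict = "allow"
        results.append((ev, verdict))
        q.append(ev)              # blocked attempts still count toward the window
    return results

def make_sample_log():
    # Constructed sample data (documentation IP ranges, made-up fingerprints).
    log = [Auth(1000, "198.51.100.7", "fp_A", 42.50, False),   # shopper mistypes CVV
           Auth(1060, "198.51.100.7", "fp_A", 42.50, True)]    # ...then succeeds
    outcomes = [False, False, True, False, False, False]
    log += [Auth(2000 + 20 * i, "203.0.113.9", f"fp_{i}", 1.00, ok)
            for i, ok in enumerate(outcomes)]                   # many cards, one IP
    log += [Auth(3000 + 30 * i, "192.0.2.44", "fp_X", 1.00, False)
            for i in range(5)]                                  # one card, repeated declines
    return log

def blocked_counts(results):
    counts = defaultdict(int)
    for ev, verdict in results:
        if verdict != "allow":
            counts[(ev.ip, verdict)] += 1
    return dict(counts)
```

Replaying real history this way shows how many legitimate retries a threshold would have blocked, which is the number to watch when tightening `max_cards` or `max_declines`.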

Help With Card Testing Fraud

We certainly understand that this is a lot for anyone to take in. This is especially true if you’re a busy merchant with employees and clients to protect.

Fraud of any stripe can be a costly challenge for your business, and card testing is perhaps one of the most insidious. It can wreak tons of havoc within your integration and cause you many problems that can leave lasting and painful scars. Chargebacks, for instance, are just one factor in the equation…but they are a doozy.

Now that you are familiar with the problem and the various ways in which you might combat card testing fraud, are you ready to fight back? Continue below and learn how today.
