Card testing fraud (AKA “carding,” “account testing,” or “card checking”) is a method by which fraudsters check for or “test” the validity of stolen credit or debit cards before conducting card-not-present fraud. To help explain this common but complex fraud vector, let’s explore this phenomenon from both the fraudster's and merchant’s perspectives.

If you are already familiar with how card testing works as well as its negative impact on merchants, scroll down to the solution section where you’ll find actionable steps you can take today to prevent card testing from harming your business.

Card Testing from the Fraudster’s Perspective

The best way to understand the ins and outs of card testing is to put yourself in the fraudster’s shoes.

Imagine for a moment that you’re a fraudster scrolling through the dark web, browsing for stolen credit card data to purchase. You find a batch of credit card numbers that have been stolen during a recent data breach of a popular online retailer. After haggling with the seller, you decide to purchase 10,000 stolen credit card data.

Because banks deactivate credit and debit cards frequently, however, you know that a good number of these purchased credit card credentials won’t actually work. The challenge now is to determine which stolen credit cards are useless and which ones are still active. This is where card testing comes into play.

How Card Testing Fraud Works: 

To quickly weed out the deactivated cards, the fraudster finds an unsuspecting online merchant and, using bots to accelerate the process, makes small purchases on every card. Fraudsters intentionally make small purchases from inconspicuous merchants so as not to raise suspicions from cardholders. If the purchase does not go through, they remove the card info from their file. If the purchase does go through, they either sell the card’s data on the dark web for more money or make larger fraudulent purchases on the card down the road.

Card Testing from the Merchant’s Perspective: 

There’s a common misconception that fraud and other financial crimes are victimless. This could not be further from the truth. The consequences for merchants that fall victim to card checking are enormous. In fact, a number of small and medium-sized businesses have even had to shut down their operations as a direct result of card testing fraud.

Let’s take a look at the situation from the merchant’s perspective to understand the negative impact of this crime. Remember, in this context, a merchant is “any type of business that accepts card payments in exchange for goods or services.”

Imagine your baking skills have earned you a wonderful reputation and you’ve decided to open the first gluten-free cupcake shop in your community. So far, things are going great and your business is processing about 200 online transactions a day.

This morning, however, you noticed a disturbing anomaly. Your Point of Sales system is processing thousands and thousands of transactions an hour. Even on your busiest day, you aren’t making those kinds of numbers. Even stranger, these transactions are taking place rapid fire, one after the other.

For a moment, you wonder if all of your marketing efforts have finally paid off. Soon, reality sets in, and you realize that something must be wrong. To make matters worse, angry cardholders from around the country are calling you and asking why your small business is appearing on their credit card statements without their consent. 

After contacting your POS (point of sales) provider, you learn that you are a victim of card testing. While the credit card company will reimburse the cardholders who dispute these fraudulent charges, you’re still on the hook for all of the transaction fees and chargebacks for every fraudulent transaction. Because there were so many card checks, this one incident has wiped away months of hard work and completely emptied your savings.

To complicate matters further, the actual operations of your business are now under strain. How can you serve your legitimate customers when you can’t figure out which transactions are real and which are fraudulent?  As a direct result of card checking, you have no choice but to close your business.

Negative Consequences of Card Checking on Merchants 

Sadly, the nightmare scenario described above is a reality for far too many business owners. For victims, it can be difficult to identify both the short-term and long-term consequences of card checking. For a more detailed view, here is a helpful list from Stripe of the negative impacts of card checking: 

• Disputes—Many types of card testing involve payments, some of which succeed. Customers notice successful payments and report them as fraud, which will result in disputes that cost you time and money.
• Higher decline rates—Card testing usually causes a large number of declines to be associated with your business. A high decline rate damages the reputation of your business with card issuers and card networks, which makes all of your transactions appear riskier. This can result in an increased decline rate for legitimate payments, even after card testing stops.
• Additional fees—Card testing activity can result in additional fees, such as authorization fees for custom pricing plans, and dispute fees.
• Infrastructure strain—Card testing usually results in numerous network requests and operations. This additional traffic can overburden your infrastructure and disrupt legitimate activity.
• Damages ecosystem health—Card testing has negative impacts on the financial system as a whole, so both Stripe and our financial partners want to help you stop it.

How Can Merchants Mitigate Card Testing Fraud?

Although this blog has focused primarily on smaller merchants because they experience the most outsized impact of card checking, it’s important to note that even larger multi-national merchants with robust fraud controls have fallen victim to card checking. In fact, without identity-proofing technology, any merchant can fall victim to this pernicious crime. That’s why every merchant needs to take measures to protect themselves. 

‍

Here are the top five ways to protect your business from card checking:

1. Conduct phone-centric identity proofing for all new customers in a very simple way. To prevent card testing, you need to figure out who your customer is. Of course, this is easier said than done in our digital age. Fortunately, Prove has the technology to quickly and easily verify the identity of your consumers while still respecting their privacy using a device that’s already in their pocket– their cell phone! We identity-proof consumers in three easy steps that we call a PRO check. 
2. Authenticate customers when they return for fast and easy checkout. Consider offering customers offers and discounts for undergoing an authentication process. This is a great way to reduce the probability of card checking while ensuring your return customers feel appreciated. 
3. Make sure your merchant processor fraud detection systems have a velocity check and can warn you of an active card testing attack. If your sales system is overloaded with thousands of unexpected purchases, this may not be a cause for celebration. Instead, leverage a velocity check system so you can stop the card checking ASAP.   
4. Enable 3D Secure 2.0 in your processing flow. In addition to meeting the Strong Customer Authentication (SCA) compliance under PSD2, there are other important benefits to the new 3DS 2.0 protocol, especially from a mobile payments standpoint.‍
5. Ensure BOT protection on your website service provider's website. Fraudsters don’t want to waste their time checking the validity of a few cards at a time. They want to check thousands at a time almost instantly. To do this, they employ bots. By investing in a robust bot protection program for your website, you can make your business a much less vulnerable target to fraudsters.

Conclusion:

Whether you’re a small business owner or a fraud exec at a major merchant, you need to protect your business from card testing to protect your bottom line. Fortunately, with Prove’s technology, you can easily identity-proof your customers without adding friction to the customer journey.

Want to stop card checking? Speak with a fraud expert today. 

‍