Fraud Doesn’t Take a Holiday: Beware of Card Testing
By Anne Heraghty
If your organization accepts payments through a payment gateway or eCommerce site, you may be exposed to a new form of fraud called card testing. Unfortunately, there is no fail-safe system to protect against it, but your close attention to daily batch and authorization details will go a long way in alerting you to a possible problem.
Fraudsters obtain credit card information from a variety of sources. To know which cards have not yet been reported stolen and can be successfully hijacked, they must test the data. The process involves creating an account to test the credit card numbers until a valid one is found. The program then finds the corresponding expiration date that would allow for a valid transaction.
With card testing, fraudsters don’t care about an organization’s product or service; they are simply focused on testing the card number. Charities are frequent targets because most are donation-based, and fraudsters know the amount and frequency of donations can vary, making their testing attempts less obvious. Sadly, prime time for fraudsters to slide these transaction tests through is during the hectic holiday season.
Fraudsters test hundreds, even thousands, of combinations to get a match that will allow them to use a given card. Because a merchant’s gateway charges for every attempted authorization, whether it has been approved or not, this testing process could end up costing you a bundle in fees.
Is there any way to tell if this is happening at your site? Here are a few things to look for:
- Many authorization attempts in a short time frame
- A run of tests where card brands switch rapidly, from Visa to MasterCard back to Visa, etc.
- Notices that authorizations have FAILED: not “Partial Matches” or “Review” but FAILED
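The three indicators above can be checked mechanically against a gateway's authorization export. The following Python code is an added example, not part of the original article; the comma-separated record layout, the grouping by source IP address, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, source IP, card brand, result.
SAMPLE_LOG = """\
2023-12-20T10:00:01,203.0.113.7,VISA,FAILED
2023-12-20T10:00:09,203.0.113.7,MASTERCARD,FAILED
2023-12-20T10:00:17,203.0.113.7,VISA,FAILED
2023-12-20T10:00:26,203.0.113.7,VISA,FAILED
2023-12-20T10:00:34,203.0.113.7,MASTERCARD,FAILED
2023-12-20T10:00:41,203.0.113.7,VISA,FAILED
2023-12-20T10:00:50,203.0.113.7,MASTERCARD,APPROVED
2023-12-20T10:00:58,203.0.113.7,VISA,FAILED
2023-12-20T10:02:10,198.51.100.33,MASTERCARD,FAILED
2023-12-20T10:02:55,198.51.100.33,MASTERCARD,FAILED
2023-12-20T10:03:40,198.51.100.33,MASTERCARD,APPROVED
"""

# Assumed thresholds; tune them to your normal transaction volume.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 6          # "many attempts in a short time frame"
MIN_FAILED_RATIO = 0.8    # mostly FAILED, not partial match or review
MIN_BRAND_SWITCHES = 3    # Visa -> MasterCard -> Visa ...

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, brand, status = (f.strip() for f in line.split(","))
        yield datetime.fromisoformat(ts), ip, brand.upper(), status.upper()

def detect_card_testing(log):
    """Return {source_ip: counts} for sources showing all three indicators."""
    windows, alerts = defaultdict(deque), {}
    for ts, ip, brand, status in sorted(parse(log)):
        win = windows[ip]
        win.append((ts, brand, status))
        while ts - win[0][0] > WINDOW:      # drop attempts older than the window
            win.popleft()
        brands = [b for _, b, _ in win]
        failed = sum(s == "FAILED" for _, _, s in win)
        switches = sum(a != b for a, b in zip(brands, brands[1:]))
        if (len(win) >= MIN_ATTEMPTS and failed / len(win) >= MIN_FAILED_RATIO
                and switches >= MIN_BRAND_SWITCHES):
            alerts[ip] = {"attempts": len(win), "failed": failed,
                          "brand_switches": switches}
    return alerts

if __name__ == "__main__":
    for ip, counts in detect_card_testing(SAMPLE_LOG).items():
        print(f"possible card testing from {ip}: {counts}")
```

The second source in the sample, a donor who mistypes a card twice and then succeeds, is not flagged because it stays below the attempt and brand-switch thresholds.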
Preventative measures include the following:
- Collect AVS (address verification system) and CVV (3-digit code on back of the card) data on your authorization file/gateway settings.
- Enhancements to your gateway/internet shopping cart can block IP addresses, block/limit authorization attempts and set other velocity checks to reduce the likelihood of being targeted by authorization testing. Many of these enhancements are at no cost or minimal cost, depending on the gateway.
- Ask your processor about additional security protocols you may need when accepting transactions in a card-not-present environment.
- Alert your processor to any suspicious activity for immediate review. Once a transaction is settled, you would be liable for chargebacks associated with unauthorized charges.
Remember to routinely review your daily transactions. If you have questions or concerns, please call the Veracity support team. We want to help protect you against fraudulent activity.
About the author: Anne Heraghty (anne.heraghty@veracitypayments.com) is with the Communications Department of Veracity Payment Solutions (www.veracitypayments.com, 989-464-3229, 888-599-2209), which offers payment technology and solutions to nonprofits and businesses worldwide.