The Risk You Didn’t Know You Were Taking When You Set Up Your E-commerce Site…
Card testing is a type of fraud in which scammers test stolen credit card numbers on your site to verify that they work. When the card numbers pass, the scammers know that the card details can be used to make fraudulent purchases.
It may sound like a harmless scam given that your site is just being used for “testing,” but card testing can have severe consequences for you and your customers and create serious liabilities for your business in a matter of moments.
Fortunately, you can take steps to protect yourself from these fraudulent activities. Read below to learn how a little card testing can quickly lead to a $25,000 liability.

Why Are Scammers “Testing” Card Numbers?
The goal of card testing is to determine whether the stolen credit card information is still active and whether the card issuer or cardholder has detected the unauthorised use of the card.
Card testing is a type of fraud that occurs when criminals use stolen credit card details to make small transactions through payment gateways to test the validity of the numbers before using them for more significant transactions or withdrawing funds. Although the transactions are small (usually $1 to $25), the impact on your business and liability can be significant.
With the prevalence of stolen card details being sold on the dark web, online thieves have an easier time than ever before accessing stolen credit card details. It’s an increasingly common scam that affects many e-commerce sites, costing them money and damaging their reputation.
Why Would Card Testing Scams Be a Problem for My E-commerce Site?
The scammers will generally run thousands of transactions in one go, testing a long list of stolen credit card numbers. If you don’t identify this quickly and manually refund the transactions, the real owners of the cards are likely to see the transactions in their accounts and dispute them with their banks.
But They’re Small Amounts, and They Get Refunded When Disputed, Right?
For each disputed transaction, you’ll be on the hook for a “Dispute Fee.” Currently, the fee on Stripe accounts is $25 per disputed transaction. Because the charge was fraudulent, your payment provider (the merchant facility) returns the funds to the cardholder’s bank, the bank refunds the victim, and the provider charges you the dispute fee.
In the provider’s eyes, your API key was used, so you are responsible for the issue. Unless you have found the issue, terminated the API key, and refunded the payment all before the victim notices and raises a dispute, you’re on the hook.
But It’s Just $25?
$25 for each disputed transaction… Let’s do some math. If a scammer runs 10,000 stolen card numbers through your merchant account and 1,000 of those transactions work and subsequently get disputed, you’re up for 1,000 x $25 = $25,000 in merchant dispute fees!
Anything that can rack up a $25,000 bill while you sleep is certainly something you need to protect yourself from.
Let’s look at how the scammers card test and what you can do to protect yourself.

How Can Scammers Card Test?
There are two main ways scammers will card test. The first is a direct website attack where bots are used to process hundreds, even thousands, of transactions directly on your website.
Website Bot Attacks
Scammers use automated bots to test large volumes of stolen credit card numbers by making small transactions on your e-commerce site. These bots can simulate human behaviour, making it difficult to detect fraudulent activity.
Prevention Measures:
- Implement CAPTCHA on payment pages to verify human interaction.
- Use rate limiting to restrict the number of transactions that can be processed in a short period.
- Monitor and flag suspicious activity, such as multiple transactions from the same IP address or unusual patterns.
API Key Compromise
The second, and the scammers’ preferred, method is compromising your secret payment API key and running cards directly with your payment processor.

What is a Payments API Key?
A Payments API key is the secret credential your website uses to connect to your merchant facility provider (Stripe, PinPayments, banks, etc.) and process credit card payments. Providers issue a Public Key and a Secret Key; together they allow your site to process customer payments.
The secret key is generally well-secured and not publicly known or available. It will look something like this:
pk_test_41AEaMF0q^Z7V8z0JgkzKkuAC2P4VXDvZqIzG5CO4XtFuyAAcG1mrn32dzGO9GzSU86aXJzs2T9ZkljX9hJhA0004Rg45anS
How Could a Cyber Criminal Get Access to My API Key?
The scammer can get access to your payment API key by:
- Compromising an admin account on your website
- Compromising your business email accounts
- Getting access to your merchant portal login
- Phishing
- Social engineering
- Accessing communications that have shared the API key
Once the scammers access your API key, they skip right past your website and use programs to process the payments at scale directly with your merchant.

What Does Card Testing Look Like, and How Can I Tell I’ve Been Hit?
Card testing fraud can be subtle and hard to detect at first, but there are several indicators that your e-commerce site might be targeted. Being aware of these signs can help you identify and respond to card testing activity promptly.
Signs of Card Testing
- Unusual Transaction Patterns: A significant increase in small transactions within a short period is a major red flag. Card testers often make very small purchases (ranging from $1 to $25) to verify the validity of the stolen cards without attracting too much attention.
- High Volume of Declined Transactions: If you notice an unusually high number of declined transactions, this could indicate that card testers are attempting to use invalid or deactivated cards. Monitoring the decline rate is crucial, as legitimate users typically do not trigger multiple declines in quick succession.
- Multiple Transactions from the Same IP Address: Scammers often use automated bots that originate from a single IP address or a narrow range of IP addresses. Multiple transactions, especially declined ones, from the same IP can strongly indicate card testing.
- Repeated Use of the Same Card Numbers: Look for patterns where the same card numbers are used repeatedly, often with minor variations in expiration dates or CVV codes. This suggests that scammers are testing the combinations to find valid details.
- Unusual Geographic Locations: Transactions from regions where you do not typically receive orders or from countries known for high card fraud rates can be suspicious. Monitoring the geographic origin of transactions can help spot fraudulent activities.
How to Confirm You’ve Been Hit with Card Testing
- Review Payment Gateway Logs: Examine your payment gateway logs for spikes in transaction attempts, especially declined ones. Many payment gateways provide detailed logs that can help you identify suspicious patterns.
- Monitor Fraud Alerts: Utilise fraud detection tools and alerts provided by your payment processor. These tools often use machine learning and behavioural analysis to flag potentially fraudulent activities.
- Customer Complaints and Chargebacks: An increase in complaints about unrecognised charges or a surge in chargebacks can indicate that your site has been used for card testing. Pay attention to feedback from your customers and your bank’s chargeback reports.
- Manual Audits: Conduct manual audits of transactions periodically. Look for the tell-tale signs of card testing, such as high volumes of small transactions, unusual patterns in transaction times, and repeated declines.
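As an added example that is not part of the original post, the following Python check applies the signs above to payment gateway log lines: a burst of small charges from one IP, a decline rate real customers never produce, and the same card fingerprint retried with different expiry dates. The log format, IP addresses and card fingerprints are constructed for the example; a real gateway export will have its own field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of gateway attempts (not real data), one per line:
# timestamp, client IP, amount in cents, outcome, card fingerprint, expiry.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z 203.0.113.7 150 declined fp_c1 11/25
2024-05-01T02:00:03Z 203.0.113.7 150 declined fp_c2 03/26
2024-05-01T02:00:04Z 203.0.113.7 150 approved fp_c3 07/27
2024-05-01T02:00:06Z 203.0.113.7 150 declined fp_c3 08/27
2024-05-01T02:00:07Z 203.0.113.7 150 declined fp_c4 01/26
2024-05-01T02:00:09Z 203.0.113.7 150 approved fp_c5 05/28
2024-05-01T09:31:10Z 198.51.100.21 12950 declined fp_h2 02/27
2024-05-01T09:40:45Z 198.51.100.21 12950 approved fp_h2 02/27
"""

def parse_log(text):
    # Parse the space-separated format above into event dicts, oldest first.
    events = []
    for line in text.splitlines():
        ts, ip, amount, outcome, fp, expiry = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ip": ip, "amount": int(amount), "outcome": outcome,
                       "fp": fp, "expiry": expiry})
    return sorted(events, key=lambda e: e["ts"])

def find_card_testing(events, window=timedelta(minutes=5), min_attempts=5,
                      small_amount=2500, max_decline_rate=0.5):
    # Return {ip: [reasons]} for source IPs matching the card-testing signs.
    by_ip = defaultdict(list)
    for e in events: by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        reasons = []
        # Sign 1: a burst of small ($25 or less) charges from one IP.
        for i, first in enumerate(attempts):
            burst = [a for a in attempts[i:] if a["ts"] - first["ts"] <= window]
            if len(burst) >= min_attempts and max(a["amount"] for a in burst) <= small_amount:
                reasons.append(f"{len(burst)} small charges within {window}")
                break
        # Sign 2: a decline rate that legitimate customers almost never produce.
        declined = sum(a["outcome"] == "declined" for a in attempts)
        if len(attempts) >= min_attempts and declined / len(attempts) > max_decline_rate:
            reasons.append(f"{declined}/{len(attempts)} attempts declined")
        # Sign 3: the same card fingerprint retried with different expiry dates.
        expiries = defaultdict(set)
        for a in attempts: expiries[a["fp"]].add(a["expiry"])
        retried = sorted(fp for fp, seen in expiries.items() if len(seen) > 1)
        if retried:
            reasons.append(f"expiry variations tried on {retried}")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Running `find_card_testing(parse_log(SAMPLE_LOG))` flags only 203.0.113.7, on all three signs, while the two genuine-looking attempts from 198.51.100.21 pass.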
Taking Action if You’ve Been Targeted
If you suspect that card testers have targeted your site, take immediate steps to mitigate the damage:
- Temporarily Disable Payments: Consider temporarily disabling your payment gateway to prevent further fraudulent attempts while you investigate the issue.
- Notify Your Payment Processor: Inform your payment processor about the suspected fraud. They can provide additional insights and support to help you address the issue.
- Start Issuing Refunds Immediately: Get the refunds in before people start flagging the transactions with the bank. Also, make sure your Stripe account doesn’t run out of cash with the refunds. If Stripe has already paid you out for the transactions and you need to put money back in, you could be waiting days. If you’re in this situation, call your payments provider immediately and ask them to allow additional refunds to the account. You’ll likely need high-up support to achieve this, but you can’t afford to wait days while the penalty charges start piling up.
- Strengthen Security Measures: To prevent further attacks, implement stronger security protocols, such as two-factor authentication, rate limiting, and CAPTCHA.

What Are Payment Processors Like Stripe Doing to Stop This?
The short answer is: not as much as they say they’re doing. While their websites promote the highest levels of machine learning and payment security, we regularly see these types of fraud in the marketplace.
Stripe offers a card testing protection option, effectively insurance against this. However, to cover this cost, they charge higher transaction fees on all payments. Offering this as an option seems to introduce a moral hazard, given that machine learning and fraud protection should be working on all transactions they are processing.
What Can I Do to Protect Myself from Card Testing Scams?
You can take the following steps to protect your business from card testing scams:
- Use strong passwords and multi-factor authentication for all accounts that have access to your payment API key.
- Monitor your payment gateway logs for any suspicious activity, such as large numbers of card testing attempts.
- Ensure you have a fraud prevention system in place that can detect and block card testing attempts.
- Look for any sudden spikes in credit card transactions and investigate them immediately.
- Stay up to date with the latest security trends and stay alert for potential scams or malicious activity targeting your business.
- Implement lines of defence. Systems like Cloudflare Turnstile, Cloudflare Fraud Detection, Google reCAPTCHA, and Honeypots can all help keep the scammers at bay.
It is important to protect your business and customers from costly card testing scams. The steps outlined above will help mitigate risk and reduce the chance that your e-commerce site will be involved with these dangerous activities.
If you’ve been hit with card testing or need support and advice regarding website security, get in touch. We’re here to help.