Overview
NMI’s Automated Card Testing Detection quickly notifies merchants of potential fraud. When the algorithm detects card testing, all configured users will be notified immediately, and the merchant’s account will be restricted to protect from damage. The merchant’s administrators can go into the portal to manage the fraud and release their account.
Prerequisites
For email notifications - the merchant's user will need the "Receive Card Testing Notifications" user permission to receive Card Testing email notifications. Any user can be notified, but only those with “Access Administrative Options” permission enabled will receive a link to un-restrict the account.
For SMS text message alerts - the merchant's user will need the "Receive Card Testing Notifications" user permission and provide their Mobile Phone Number (required) in their user account, to receive Card Testing SMS text alerts. Any user can be notified, but only those with “Access Administrative Options” permission enabled will receive a link to un-restrict the account.
Primary users will automatically have the "Receive Card Testing Notifications" user permission set and be prompted to provide a phone number upon next log in.
How does Card Testing Detection work?
Our automated Card Testing Detection makes it faster and easier to prevent fraudulent activity by sending real-time alerts via text and email directly to users. The streamlined process takes them from the alert to a landing page where they can review and un-restrict their account to mitigate potentially devastating fraud.
- Your merchants directly manage alerts and restricted accounts without having to call support teams
- Real-time text alerts enable fast card-testing fraud detection and mitigation
When the algorithm detects card testing, it immediately alerts the merchant and restricts the account to protect it from damage. Primary users will automatically receive real-time email and SMS text alerts (once they've enrolled in SMS alerts by providing their Mobile Phone Number in User Accounts) when card testing is detected and transactions are suspended. Text and email messages link to a temporary landing page outside of the portal, allowing the merchant to quickly take action on the restricted account. Merchants can review the potential fraud data and, if they deem the account safe, un-restrict their account to resume processing transactions. These permissions can be granted for additional users. Partners will also receive an email notification and can manage restrictions from their Partner Portal.
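The gateway reports two metrics to the merchant when it restricts an account: how many transactions were attempted and what percentage were declined. The following is an added illustration of a sliding-window check built on those two metrics; it is not NMI's algorithm, and the window length, thresholds, tuple layout and sample data are all assumptions made for this example.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed values for illustration; the gateway's real thresholds are not published here.
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 20
MIN_DECLINE_PCT = 80.0


def detect_card_testing(transactions, window=WINDOW,
                        min_attempts=MIN_ATTEMPTS,
                        min_decline_pct=MIN_DECLINE_PCT):
    """Scan time-ordered (timestamp, card_token, approved) tuples.

    Returns the metrics at the moment the account would be restricted,
    or None if the traffic never crosses both thresholds.
    """
    recent = deque()
    for ts, card, approved in transactions:
        recent.append((ts, card, approved))
        # Drop attempts that have aged out of the sliding window.
        while ts - recent[0][0] > window:
            recent.popleft()
        attempts = len(recent)
        if attempts < min_attempts:
            continue  # low volume: a few declines are not card testing
        declined = sum(1 for _, _, ok in recent if not ok)
        decline_pct = 100.0 * declined / attempts
        if decline_pct >= min_decline_pct:
            return {
                "restricted_at": ts,
                "attempts": attempts,
                "decline_pct": round(decline_pct, 1),
                "distinct_cards": len({c for _, c, _ in recent}),
            }
    return None


START = datetime(2024, 1, 1, 12, 0, 0)  # constructed sample data below
# Normal traffic: one sale every 5 minutes, every 10th declined.
NORMAL = [(START + timedelta(minutes=5 * i), f"tok-n{i}", i % 10 != 0)
          for i in range(30)]
# Burst: a new card every 2 seconds, only every 10th approved.
BURST = [(START + timedelta(seconds=2 * i), f"tok-b{i}", i % 10 == 0)
         for i in range(25)]

if __name__ == "__main__":
    print("normal:", detect_card_testing(NORMAL))
    print("burst: ", detect_card_testing(BURST))
```

Requiring both a minimum attempt count and a high decline percentage keeps a low-volume merchant with a handful of declines from being restricted.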
Merchant Experience
Once Card Testing Detection is rolled out, upon logging into their portal, the merchant's primary user will be greeted with a pop-up to add their phone number to enroll in SMS alerts when the fraud detection algorithm is triggered:
Once the merchant saves their mobile phone number, within a few seconds they will receive a text message confirming the number has now been enrolled for fraud activity notifications:
- The text message will keep branding for any white-labeled accounts - instead of reading NMI, the message will present the Partner's company name.
Once the merchant receives their confirmation text, they will need to confirm they received the text in their Merchant Portal:
The gateway will prompt for re-confirmation of the mobile phone number every 3 months:
If the phone number or email is ever updated, a message will be sent to the original phone number/email notifying them the information has been changed.
Merchants have the option to enable these notifications for any of their sub-users by editing the sub-user's account. The sub-user will need the “Access Administrative Options” permission enabled to receive a link to un-restrict the account. In the Merchant Portal, head over to Settings → User Accounts → click on the username → enter their Mobile Phone Number → check off "Receive Card Testing Notifications" notification → click Save.
In the event the algorithm detects fraudulent activity, it will restrict the account and send both an SMS text alert and email notification to the Merchant and any user that is also enrolled, notifying them that their account has been restricted. If the merchant hasn't logged in to provide their mobile phone number, they will still receive an email notifying them of the detected fraudulent activity. These notifications will contain a link (only for Administrative users) to view the restricted transaction statistics and to un-restrict their account. If the transactions are non-fraudulent, they must un-restrict their account by tapping the link within the SMS or email and following the prompts.
Fraudulent Card Testing SMS Notification with the Link:
Fraudulent Card Testing Email Notification with the Link:
- The additional features listed in the email will only list what is available to the merchant, e.g. if Kount Fraud Manager service is not offered to the merchant, they will not see this in the list.
Once the merchant clicks on the link, they will be sent to a temporary landing page outside of the portal where they can quickly take action on their restricted account and see some metrics on why the gateway suspected card testing (how many transactions were attempted and the percentage of how many were declined). This link will expire in 48 hours. The merchant can also log in to their Merchant Portal to un-restrict their account (with the correct permissions) where they will be presented with the same form.
Were these transactions intentional?
If the merchant says NO it was not intentional (it was fraudulent card testing) - the merchant can choose whether or not to immediately un-restrict the account:
- Unrestrict the account?
  - Yes - if yes is selected, card testing may happen again if steps were not taken to ensure further protection.
  - No - if no is selected, once they log in to their merchant portal, they will see their account set to Restricted. Restricted accounts mean the merchant is able to log in to generate reports and change options, but they cannot process any transactions. They can then take further action to protect their account by enabling some of these additional features before unrestricting their account:
    - IP Restrictions
    - Adding Address Verification Settings
    - Making CVV a required Field
    - Create new users to prevent username/password sharing
    - Enable Two-Factor Authentication
    - Fraud Prevention
    - 3-D Secure
    - Kount Fraud Manager
    - Additional information on How to protect your account from Card Testing can be found here.
Once they've secured their account, in their Merchant Portal, they can un-restrict their account by clicking on the Restricted button on the top right → and click on Unlock:
From there, the form will pop-up again and this time they can un-restrict their account: Were these transactions intentional? → No → Unrestrict the account? → Yes → Submit:
If the merchant says YES it was intentional - the merchant can categorize whether it was actual customer transactions or themselves testing.
Once they submit the form, they will see the following message with their Partner's Support Contact details:
Partner Experience
If the detection algorithm is triggered for a merchant, you, the Partner, will receive an email notification once an account is restricted with the Merchant Name, their Gateway ID, and what steps they can take to try to avoid this from happening again. The partner email notification will also be sent to the Risk Management Contact email, if it is different than the primary user email.
- For partners' sub-affiliates - the additional features listed in their email will only list what is available to that sub-affiliate, e.g. if Kount Fraud Manager service is not available for that sub-affiliate to resell, they will not see this in the list.
Once you pull up the merchant account in your Partner Portal under List Accounts, you will see their Current Status as Restricted - Card Testing (if the merchant hasn't taken any action on it yet). Any merchant with the status of Restricted - Card Testing will float to the top of your List Accounts page:
Here you can un-restrict the merchant account by clicking Edit under Merchant Status. Please keep in mind, if the transactions were not intentional, card testing may happen again if steps were not taken to ensure further protection before unrestricting the account.
Frequently Asked Questions
Can my merchant opt out of Card Testing Detection?
Card Testing Detection is an automatic gateway feature. Merchants cannot 'opt-out' or 'turn-off' Card Testing Detection.

How long will the account stay restricted?
The account will stay restricted until the partner or merchant un-restricts the account.

What's the process to get back up and running?
The primary user will get an email with steps provided. If the user also provides a phone number, a text will be sent. The partner can also log in and navigate to the merchant details page to un-restrict the merchant after securing the account if the transactions were not intentional.

Can I see who un-restricted an account?
Yes, this will be listed under the Merchant Status history, which is visible when you click on Edit.

Can I see what response the merchant chose in the form?
Yes, the gateway will report the response that was chosen from the form, along with which user answered it, in the Notes section of the account in the Partner Portal: