Table of Contents
- What is Card Testing?
- How to Identify Card Testing on a Merchant Account
- What happens if my Merchant Account has been Hit with Card Testing?
- Ways to Help Prevent Card Testing
Prerequisites
The tools mentioned in this article are available on NMI Partner Portal and NMI Merchant Portal.
What is Card Testing?
Card testing is a common type of fraud in which fraudsters test a large number of stolen credit card numbers. Fraudsters acquire stolen partial or full card credentials and use them to make small purchases on a website to determine whether a credit card is valid. If they receive an approval, they know the card is valid and use it to make a larger fraudulent purchase elsewhere. They use tools, bots, or scripts that submit hundreds to thousands of card-not-present (CNP) transaction requests on an e-commerce site within minutes. Sometimes, if a merchant's credentials are stolen or guessed, this type of fraud can occur even if you don't have an e-commerce site.
These attacks can be harmful to merchants: they can result in extremely large transaction fees and chargeback/dispute fees, and could potentially expose the merchant to additional fraud.
How to Identify Card Testing on a Merchant Account
There are a few ways to identify fraudulent card testing on an account. When you run a transaction report, you may notice:
- High card authorization volume for low dollar amounts in a short period of time.
- The transaction amounts can be all the same.
- The BIN range (the first four to six numbers on a card) is the same for all transactions (this suggests that someone is "spinning" through cards).
- If the transactions include a first and last name, the name is usually the same for all transactions, or the fraudsters use a generic name.
- Take notice of the number of transactions being processed within the day; if the merchant usually takes 50 transactions a day and all of a sudden they have 50,000 transactions in a day, that may indicate fraudulent activity.
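The report indicators listed above, expressed as checks over one day's transaction records. This is an added example, not NMI code or an NMI report format: the field names `time`, `amount`, `bin` and `name`, the signal names, and every threshold are assumptions to tune per merchant.

```python
from collections import Counter
from datetime import datetime, timedelta

def dominant_share(values):
    """Fraction of records that carry the single most common value."""
    values = [v for v in values if v not in (None, "")]
    if not values:
        return 0.0
    return Counter(values).most_common(1)[0][1] / len(values)

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def card_testing_signals(txns, usual_daily_count, low_amount=5.00,
                         burst=20, window=timedelta(minutes=5),
                         share=0.8, spike_factor=10):
    """Names of the indicators one day's txns trip (thresholds are assumed)."""
    signals = []
    low = [t["time"] for t in txns if t["amount"] <= low_amount]
    if max_in_window(low, window) >= burst:
        signals.append("low_amount_burst")
    if len(txns) >= burst:  # shares mean little on a handful of records
        if dominant_share(t["amount"] for t in txns) >= share:
            signals.append("uniform_amount")
        if dominant_share(t["bin"] for t in txns) >= share:
            signals.append("single_bin")
        if dominant_share(t["name"].strip().lower() for t in txns) >= share:
            signals.append("repeated_name")
    if len(txns) >= spike_factor * usual_daily_count:
        signals.append("volume_spike")
    return signals

# Constructed sample data: 60 one-dollar attempts, two seconds apart, one BIN.
start = datetime(2024, 1, 1, 3, 0, 0)
attack = [{"time": start + timedelta(seconds=2 * i), "amount": 1.00,
           "bin": "411111", "name": "John Doe"} for i in range(60)]
# Constructed normal day: 5 orders, varied amounts, BINs and names, hours apart.
normal = [{"time": start + timedelta(hours=2 * i), "amount": 20.0 + 7 * i,
           "bin": f"4{i}0000", "name": f"Customer {i}"} for i in range(5)]

if __name__ == "__main__":
    print(card_testing_signals(attack, 5), card_testing_signals(normal, 5))
```

Several signals firing together is a stronger indication than any one alone; a single signal such as `uniform_amount` is normal for a merchant selling one fixed-price item.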
What happens if my Merchant Account has been Hit with Card Testing?
In order to protect your merchant account, the following actions may take place if our engineers detect fraudulent activity on the account:
- If we detect card spinning in the API, API access will be removed from the user and you will be notified with the username that was attacked.
- If we detect ongoing card testing activity, the gateway account will be Restricted as a result. You will be notified of the Gateway ID(s). Once you implement the necessary actions to prevent fraudulent activity on the account, you can un-restrict the account by pulling up the merchant from your Partner Portal and selecting Edit next to Merchant Status. Select the appropriate status and save the changes.
- If we detect unusual activity on the account, you will be notified of the account.
* We recommend adding as many contacts as possible in your Partner Portal under Settings → Account Information → Additional Contacts to improve your communication with NMI in the event we need to notify you of any fraudulent activity.
Ways to Help Prevent Card Testing
As fraudsters are getting more sophisticated with their tactics, you need to take action to protect your business, your merchants, and card holders. Here are some additional tips/tools to help with fraud:
- Activate Kount Fraud Manager - Kount Fraud Management is unique in that its adaptive AI uses a combination of supervised and unsupervised machine learning to provide real-time risk analysis and fraud assessment. You can offer/enable this value-added service for the merchant or the merchant can sign up for it through the Marketplace UI.
- Activate Fraud Prevention - have the merchant activate Fraud Prevention (NMI's value-added service) and set proper parameters. There is an added cost for this service. We've added a new feature to Fraud Prevention that has a more aggressive restriction called 'Approval Rate Requirement'.
- Adding Address Verification Settings - the Address Verification Settings (AVS) is a system used to verify the address of a person claiming to own a credit card. The system will check the billing address of the credit card provided by the user against the address on file at the credit card company. You can access this in the Merchant Portal → Settings → under Security Options → Address Verification.
- Making CVV a required Field - the Card ID Verification settings allow you to choose when to reject transactions based on CVV/CVC results. You can access this in the Merchant Portal → Settings → under Security Options → Card ID Verification.
- Create new users to prevent username/password sharing - Merchant User Accounts Permissions and Notifications Settings. You can access this in the Merchant Portal → Settings → under General Options → User Accounts.
- Erase security keys and create new ones - Periodic Rotation is key! You can access this in the Merchant Portal → Settings → under Security Options → Security Keys.
- Change the passwords - you can access this in the Merchant Portal → Settings → under General Options → User Accounts → click on the username you want to change the password for → for sub-users, click 'Re-send User Welcome Email'; for primary users, click 'Change Password'.
Other Security Options
- IP Restrictions - IP Restrictions Settings is another security feature available on all Gateway accounts. This allows you to specify only the specific IP addresses permitted to log in to your account’s Control Panel and API.
- Never re-use a password from another site for your merchant account, and be sure to enable Two-Factor Authentication.
- Add CAPTCHA - use a CAPTCHA or other measures to protect your e-commerce site from large volumes of automated purchase attempts.
- We also recommend that the merchant reach out to their developer or software provider and let them know about any fraudulent activity they have experienced. Depending on the circumstances, they may have some rules they can put in place at no charge, such as enabling CAPTCHA. We often see that the processor has rules as well.