Card testing and how to protect your business against it

Article provided by Authorize.net

Someone paying a bill with a phone

Small and mid-size businesses should be proactive with fraud management to protect against fraudsters who may regard them as easy targets. You may think that the size of your business makes you less vulnerable to fraud attacks, but the opposite can often be the case. Sophisticated fraudsters have a good idea about which businesses have less protection or don’t have a dedicated fraud manager. In particular, they may target what they regard as relatively undefended businesses with card testing attacks.

What is card testing?

Fraudsters use card testing to determine the validity of stolen or fraudulently obtained card details. They attempt multiple purchases on an eCommerce website like yours (often using a botnet for speed and scale). If a transaction is approved, they know they can use the card. If, on the other hand, a card has already been canceled by its owner, authorization will be declined, and the fraudster will move on to testing the next card.

What are the likely effects of a card testing attack?

Our risk analysts have found that a card testing attack can negatively affect an unprepared business for several months, causing financial and other losses. Here's a typical timeline of what you could experience:

Day 1 (attack day)

The fraudster submits potentially thousands of orders, many of which could be approved. Approved orders for physical goods could start to ship, resulting in lost product. Once card issuers become aware of what's happening, they may ask your acquirer to shut down your ability to process transactions. You'll need to provide proof of a mitigation strategy before you can restart transaction processing.

Day 2-30

Because the fraudster submitted so many transactions, you may have to pay significant authorization processing fees to your acquirer and payment gateway. For example, your authorization fees could jump from an average of $40 a month to $15,000 a month. To add insult to injury, you won’t earn any revenue on these transactions, either.

Day 31-120

Chargebacks and their associated fees start to roll in because transactions weren't reversed during the initial attack.

Ongoing

Your business could experience brand and reputational damage and loss of customer trust.

What can I do to protect my business from card testing?

Unfortunately, once a card testing attack is in progress, there's little you can do. Your future self will thank you if, instead of reacting to an attack, you take a proactive approach to preventing card testing (and other types of fraud) instead of reacting to an attack after it occurs.

No single solution can completely stop fraud, which is why we recommend a multi-layered strategy. Consider combining best practices like risk reviews, minimum payment thresholds, and early identification of anomalies with a range of capable tools.