Card testing is a frustrating but often unavoidable part of running an ecommerce business. At Helcim, we want to help you protect your business by providing tools like Helcim Fraud Defender to help you review and flag potentially problematic transactions and by providing educational resources so you can better understand what card testing is and how it could affect your business.
If you're accepting payments online, for example through a payment page, helcim.js, API, 3rd party plugin, or an online store, it's important to be aware of card testing, as it is an inherent risk that you may encounter. To add to the frustration, card testers often change the way they test stolen credit cards to overcome security settings and safeguards put in place by payment processors, which is why it's important to both make use of the tools provided and keep an eye on your transactions for suspicious behavior.
What is Card Testing
When someone obtains credit card information illegitimately, they perform card testing to determine the validity of the card information. This can occur in two ways - either as authorizations that confirm the card works and has an available balance or as a small purchase that is less likely to be flagged and reported by the actual cardholder.
If you notice a sudden increase in the rate of new customers being added to your account or in transaction activity, together with an increase in declined transactions and small purchase amounts, it could be an indication that someone is card testing on your account.
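The indicators above can be checked against an exported transaction list. The following is an added example, not Helcim code: the field names, the sample records, and every threshold are assumptions, and the distinct-card count is an extra heuristic that goes beyond the indicators named in the text.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data; field names are hypothetical, not a Helcim export format.
SAMPLE = (
    [{"time": f"2024-03-01T09:{m:02d}:00", "amount": 80.0 + m,
      "status": "APPROVED", "card": f"41{m:02d}"} for m in (5, 25, 50)]
    + [{"time": f"2024-03-01T14:{i // 4:02d}:{(i % 4) * 15:02d}", "amount": 1.00,
        "status": "APPROVED" if i % 8 == 0 else "DECLINED",
        "card": str(5000 + i)} for i in range(24)]
)

def _summarize(batch):
    return {
        "start": batch[0]["time"],
        "end": batch[-1]["time"],
        "attempts": len(batch),
        "declines": sum(t["status"] == "DECLINED" for t in batch),
        # Approved charges inside a burst are the ones likely to be disputed later.
        "approved_cards": [t["card"] for t in batch if t["status"] == "APPROVED"],
    }

def find_card_testing_bursts(transactions, window=timedelta(minutes=10),
                             min_attempts=15, min_decline_ratio=0.6,
                             small_amount=5.00, min_distinct_cards=10):
    """Return merged time spans whose sliding window matches all four indicators.
    Thresholds are illustrative assumptions; tune them to your normal volume."""
    txns = sorted(transactions, key=lambda t: t["time"])
    times = [datetime.fromisoformat(t["time"]) for t in txns]
    spans, start = [], 0
    for end in range(len(txns)):
        while times[end] - times[start] > window:
            start += 1  # drop transactions older than the window
        batch = txns[start:end + 1]
        declines = sum(t["status"] == "DECLINED" for t in batch)
        if (len(batch) >= min_attempts
                and declines / len(batch) >= min_decline_ratio
                and median(t["amount"] for t in batch) <= small_amount
                and len({t["card"] for t in batch}) >= min_distinct_cards):
            if spans and start <= spans[-1][1]:
                spans[-1][1] = end  # overlaps the previous hit: extend it
            else:
                spans.append([start, end])
    return [_summarize(txns[a:b + 1]) for a, b in spans]

if __name__ == "__main__":
    for burst in find_card_testing_bursts(SAMPLE):
        print(burst)
```

The approved cards listed for each burst are the transactions to look at first, since those are the ones a real cardholder may later dispute.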
Risks of Card Testing
Card testing can have a negative impact on your business and should be stopped as soon as you notice suspicious transaction activity on your account. Here are some of the risks to your business if card testing occurs:
Chargebacks or Disputes: If there are successful transactions, the actual cardholder will notice the activity on their account and will likely file a chargeback or dispute to get their money back. These disputes can result in additional fees for your business.
Negative Effect on Your Business Reputation: Card testing often results in a high number of declines in your transactions. This can negatively affect the overall perception of your transactions and potentially make your business appear higher risk.
How Helcim's Systems Help Prevent Card Testing
Helcim has automated and manual controls that can help block card testing, but because of the vast array of methods fraudsters use to commit this type of fraud, no single method can be 100% effective against this type of activity, so a layered approach is your best defense. Helcim's system can block fraudsters from continuing to test cards that are being declined after a certain number of transactions, as well as monitor your business's overall transaction activity and react if it detects patterns it determines are suspicious.
If you have questions about your security settings, please contact Helcim to review your options.
Add reCAPTCHA: Using a captcha prevents fraudsters from using automated scripts to test cards, as the scripts won't be able to complete the captcha requirements.
The Helcim Online Store and Helcim Payment Pages automatically have reCAPTCHA built in. You can also enable reCAPTCHA for your Helcim.js configuration using the security setting options. If you're using the Helcim API, you will need to add reCAPTCHA yourself.
If you are using a third-party plugin for your transactions, such as Magento or WooCommerce, you will need to contact your third-party service provider to confirm which tools they use to prevent card testing.
You can ask customers to log in before being able to complete a checkout in an online store. While more secure, this could have a negative effect on successful checkouts as it adds more steps to the checkout process.
Keep an eye on your overall processing activity.
What to do if you Notice Card Testing
If you suspect that your business has been a victim of card testing, we recommend that you follow these steps:
If possible and if it will not negatively affect your business, temporarily disable the checkout page to discourage the fraudster from continuing to test. If needed, you can still process payments by keying cardholder information directly in your Virtual Terminal or sending invoices.
Review your recent transactions to confirm card testing took place.