What is credit card testing, and how can it impact you? Credit card testing — often referred to as "carding" in shorthand lingo — is a method that bad actors use to validate stolen credit card data for future use elsewhere. Fraudsters run this testing because some stolen data may no longer be active. This activity is typically carried out with bots that make several small transaction attempts within a very short period of time (usually within a few seconds), giving a quick answer as to which cards can then be used for larger purchases.
Small ecommerce stores are prime targets for these fraudsters. The main reason for this is that smaller sites will typically lack the stricter security methods of large companies and are, therefore, easier to hit. Additionally, sites that sell lower-cost products or sites that accept donations (where a user can freely enter any charge amount) are more appealing for the small transactions these fraudsters want to run. The smaller the amount, the less likely the cardholder is to notice it and cancel the card.
Taking measures to protect your store from card testing fraud is important, as successful attacks can wreak havoc on your business through chargebacks, fees, and temporary or even permanent suspension of your merchant account. This block means that you will not be able to process transactions through that provider until the suspension is lifted. That can take time. In the case of a permanent suspension, you'll need to find a new provider altogether. Even a short period of downtime on your site can prove costly, let alone an extended period, while you go through the approval process with a new provider.
While it isn't possible to completely prevent fraudsters from attempting card testing attacks on your site, the good news is that there are several steps you can take to protect your business and keep your store as secure as possible.
Identifying credit card testing attacks
Knowing what to watch out for is the first step. If you think you may have already been hit with a carding attack, you may see some of the following signs:
- A spike in the number of small transactions
- Multiple transactions from a location you don't normally sell to
- Repeated transaction attempts from the same user, email address, or IP address
- An increase in failed transactions
- A sudden spike in sales during a time you're not expecting it
- A sudden drop in the average order total
Any of the above activities should prompt a thorough review of the transactions in question. These occurrences also indicate that some additional measures should be put in place to prevent future attacks. There is a lot that can be done! Let's review some of the options.
What you can do to protect your site from credit card testing attacks
As fraudsters are creative and constantly honing their methods, a combination of measures will be most effective in protecting your site. There is not any one thing you can do to prevent all credit card testing attacks. But being aware of how fraudsters operate and what can be done to combat them will give you what you need to choose the best combination of tools for your particular WooCommerce store. The first step is to take some general security precautions across your whole WordPress site.
General security steps for your site
Using a quality host
Understanding how to secure your WordPress site will get you off to a great start! One of the most essential foundations for protecting your site is using a quality hosting provider that values security. Here at Nexcess, security is a top priority. We, and other quality hosts, include firewalls and malware monitoring with your hosting plan. A firewall, in particular, can help monitor the traffic coming to your site and also stop certain types of malicious activity. It will also allow you to blacklist specific IP addresses, so if you have had an attempt before, you can prevent that IP address from trying again in the future. This base level of security is important not just for preventing card testing but for keeping your entire site safe from other types of fraud attacks as well.
Running regular updates
Software updates will often include security patches or new security features that protect you from some of the latest trends fraudsters use. Because WordPress is an open-source platform currently powering over 40% of websites, it's a prime target for bad actors. They are always looking for vulnerabilities and new ways to exploit them. This fact makes it particularly important to implement security updates as soon as they are released. The same applies to WordPress plugins, like WooCommerce and your payment gateway. Don't forget to follow best practices when updating, including testing the updates on a staging site first and running a backup of your live site!
Monitoring activity
Implementing an activity log on your site is very helpful when you think an attack has been carried out. This configuration will allow you to look back in time and get some information on what happened. For example, you can review a record of which users took which actions at the time in question. This analysis allows you to take the appropriate steps to prevent future attacks, such as blocking certain users or IP addresses. Logging is also useful for other reasons in addition to security, such as recording errors, keeping track of changes made by other admins, and getting a better understanding of how customers are interacting with your site. There are several plugins out there that will add additional logging, such as the free Activity Log plugin.
WordPress security plugins
WordPress security plugins are also plentiful! Free and premium options are available, and some are better than others. We recommend using Solid Security Pro to stop automated and brute force attacks, monitor the site for suspicious activity, block bots, and much more.
There are even WooCommerce-specific security plugins that can add another layer of protection to your store. The WooCommerce Anti-Fraud extension is one such example. This plugin adds several additional features, including risk assessment of an order before it's processed, options for pausing or blocking suspicious orders, and notifications for orders determined to be high risk.
Options for the WooCommerce Checkout Page
The goal of adding credit card testing prevention measures to the checkout page is to stop fraudulent transaction attempts from being submitted in the first place, protecting your merchant account from suspension. Transaction attempts identified as fraudulent won't reach your payment processor at all. If you're offering multiple payment options (for instance, PayPal plus credit card payments through your merchant services provider), the nice thing about securing your checkout page is that these measures will apply to all of your payment options simultaneously.
Disabling guest checkout
Requiring users to be logged in to check out is a quick and easy step that you can take to filter out bots. This functionality is enabled or disabled in the WooCommerce plugin settings under:
WooCommerce > Settings > Accounts & Privacy > Allow customers to place orders without an account
Adding a reCaptcha
Prompting users to complete a quick reCaptcha challenge before submitting an order is another great tool to halt credit card testing attacks from bots. Many WordPress or WooCommerce reCaptcha plugins, such as Google reCaptcha for WooCommerce, make it easy for you to add a reCaptcha not only to your checkout page but on other submission pages as well.
These challenges are becoming quite common across the web. Some sites may only present them when suspicious activity is detected so that not all users will need to complete the challenge to complete a submission. If you're concerned about this extra step affecting conversion rates, a more advanced reCaptcha may be the better option for you.
Requiring full credit card and billing information
The fraudster trying to validate cards may not have complete credit card and billing information, so requiring this is another method that will prevent fraudulent transactions from going through. Some gateway plugins will include options on whether or not to display the CVC/CVV and expiration date fields. Enabling those fields is strongly recommended.
All billing address fields will be required by default in WooCommerce. However, there are WooCommerce extensions that will allow you to modify the checkout page to exclude the default billing fields to make the checkout process as seamless as possible. While it is true that quicker checkout processes tend to improve conversion rates, removing this requirement also leaves your site more vulnerable to credit card testing attacks. Keeping the billing address fields in place will also be necessary to take advantage of some more advanced fraud protection features on the merchant account side, such as Address Verification Services discussed below.
If you're selling physical products that need to be shipped, validating the shipping address is also a good idea, as fraudsters will often use invalid shipping information. No need for a real address if the goal isn't to receive the products! As a bonus, this feature also improves the customer experience by ensuring customers enter accurate shipping information — and preventing you from shipping products to the wrong place. Some plugins will help with this step as well, such as Postcode/Address Validation.
Options within your merchant account
Banks and payment processors may require some or all of the fraud protection measures outlined below to be enabled. Even without that requirement, though, setting them up is highly recommended. Your merchant services provider will be able to walk through each of the available options with you during the account setup process. Discussing this with your representative early on will help ensure that your site has protection from carding attacks right from the start and prevent account activation delays due to requirements not being met. Don't forget this important topic when you begin the application process!
Address Verification Services (AVS)
Fraudsters testing credit cards will often have only the card number — and not the billing information. For this reason, implementing AVS in your merchant account settings will help prevent fraudulent transactions from going through. This service will submit the billing address entered by the user on your WooCommerce checkout page to be matched with the address on file with the card issuer. A code indicating the result will be returned, allowing you to determine what you'd like to do with that transaction (reject it, hold it for review, etc.).
Velocity filters
Due to the nature of how credit card testing attacks are carried out — many transaction attempts over a very short period of time — velocity filters make an excellent tool for stopping carding attacks in their tracks. They will typically have a variety of options associated with them and may vary somewhat from one merchant services provider to another. However, you will commonly be able to set up filters for:
- A certain number of transactions submitted over a certain period of time
- Repeated attempts from the same user (based on email address, name, or other user-specific information), IP address, or regional location
- A certain number of transactions submitted with repeated order information, such as the shipping address
You can then decide what action should happen when one of the velocity filters is triggered. For example, you may want to set up a rule to automatically reject transactions which trigger a velocity filter and originate from a specific region of the world that you don't sell to often and that is known for generating a high volume of credit card testing attacks. But, you may want to alternatively hold transactions for review if they come from an area that you sell to frequently. There could be a legitimate reason for a spike, such as a flash sale or a marketing campaign that is driving a higher-than-normal amount of traffic at a given time. Holding those transactions for review so that you can double-check them before they are processed can make a lot of sense in those cases and help prevent your filters from blocking legitimate sales.
Depending on your specific store's pricing and average order totals, you may also want to take the transaction amount into consideration. We know that fraudsters typically test cards using small transaction amounts. This additional condition can help you be more specific in targeting high-risk transactions.
3DSecure
3DSecure (three-domain secure) is an authentication protocol that enhances the security of your site's transactions by involving the bank that issued the credit card. The customer will be required to either enter an additional password or a one-time password sent to a phone or email address the card issuer has on file. The transaction will only proceed if the card issuer approves it. A denial from the card issuer will stop the transaction.
Many payment processors and gateways (though not all) currently support 3DSecure. Check with your processor and gateway plugin to confirm if this is something that you can enable on your site. Note that support will be needed on both ends to get this up and running in WooCommerce. If you're just getting set up or are looking to change gateways or payment processors, check for this feature ahead of time.
Your particular merchant account may include additional options to the ones outlined here. Be sure to review all available options with your merchant services provider to determine which will generate the best result on your site.
Final thoughts on automating prevention and detection of credit card testing fraud
We've covered several options for automating the prevention and detection of credit card testing fraud, but you can take one other important step. Simply auditing your shop routinely will help you catch suspicious activity early on.
Discover managed WooCommerce hosting from Nexcess
Officially recommended by WooCommerce, web hosting at Nexcess is made for online businesses like yours. We have optimized the technology and infrastructure for the WooCommerce platform.
Did you notice an unexpected spike in sales last week? Are you seeing orders coming in for odd amounts? Is one particular user making an unusually high number of purchases? Knowing what "normal" is for your store will make it easy to identify irregular activity so that you can address any problems as quickly as possible.
With credit card testing fraud and many other types of ecommerce fraud always on the rise, WooCommerce fraud prevention is critical. There is however a balance to be found between implementing reasonable fraud protection measures and maximizing conversion rates with a simple checkout process. It may be tempting to push for the highest possible conversion rates. But the consequences of successful carding attacks can be substantial. Understanding how card testing works, what fraudsters are trying to accomplish, and what options are available to combat these attacks will help you find that balance.