Card Testing Best Practices

Once a fraudster finds a vulnerable site where they can test stolen cards, they will keep targeting that payments page until enough security measures are in place to deter them. Most of these attempts are seconds apart. We require all ecommerce pages to have some form of security to deter and block fraud attempts.


Adding CAPTCHA/reCAPTCHA is the first step and the minimum requirement. We recommend reCAPTCHA version 2 (or, if you already have version 2, version 3 instead). We are not able to release the hold on your account until you have placed extra layers of security on your page. You can provide us with screenshots showing the CAPTCHA/reCAPTCHA along with any other layers of security you have enabled.


Other layers of security we recommend:


  • Block IP addresses with known fraud
  • CVV2 and Address Verification Service (AVS)
  • Velocity Checks
    • Hourly velocity checks (limits the # of authorization attempts in an hour)
    • Transaction IP velocity checks (limits the # of authorization attempts from an IP)
    • Limit the number of attempts allowed on same BIN
    • Limit the number of attempts allowed on same payer
    • Limit the number of times a card can be attempted

  • Use Throttling (Throttling injects random pauses when checking an account to slow brute force attacks that are dependent on time.)
  • Check for a billing address that differs from the shipping address
  • Block shipping/billing addresses with known fraud
  • Set a minimum dollar amount appropriate for your business
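
The velocity checks listed above can be combined into one sliding-window counter keyed by IP, BIN, card and payer. The sketch below is an added example, not code from your gateway or processor; the limits, the `VelocityChecker` name, the demo hash key and the sample traffic are all assumptions made up for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed limits: (max attempts, window in seconds). Tune for your business.
LIMITS = {"ip": (5, 3600), "bin": (20, 3600), "card": (3, 3600), "payer": (5, 3600)}
HASH_KEY = b"constructed-demo-key"  # placeholder; load a real secret from your vault

class VelocityChecker:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.attempts = defaultdict(deque)  # (dimension, key) -> attempt timestamps

    def check(self, ip, pan, payer, now):
        """Record one authorization attempt and return the limits it exceeds."""
        # Track the card by keyed hash so the raw card number is never stored.
        card = hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()
        keys = {"ip": ip, "bin": pan[:6], "card": card, "payer": payer}
        exceeded = []
        for dim, key in keys.items():
            limit, window = self.limits[dim]
            seen = self.attempts[(dim, key)]
            while seen and seen[0] <= now - window:  # drop attempts outside the window
                seen.popleft()
            seen.append(now)  # blocked attempts still count toward the limit
            if len(seen) > limit:
                exceeded.append(dim)
        return exceeded  # empty list: send to the processor; otherwise block

def run_sample():
    """Constructed traffic: one IP trying eight different cards two seconds apart."""
    checker = VelocityChecker()
    return [
        checker.check("203.0.113.7", f"41111100000000{i:02d}", f"guest{i}@example.test", now=2 * i)
        for i in range(8)
    ]

if __name__ == "__main__":
    for n, exceeded in enumerate(run_sample(), 1):
        print(n, "BLOCK " + ",".join(exceeded) if exceeded else "allow")
```

The counters here live in one process's memory; a site running several web servers would keep them in a shared store so every server sees the same counts.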

If the card brands flag your account, you could face large fines and lose your ability to accept credit cards. Card testing is heavily regulated and it is our job, as your processor, to ensure you are upholding the highest standards of security. We highly suggest you put as many security measures in place as possible to prevent any further attempts. If the card testing continues to occur on your payments page, your account could be subject to termination.
