
Mitigate Card Testing Attacks Best Practices

Card testing, also called carding, is a fraudulent practice where criminals use randomly generated or stolen credit card information to test whether the cards are valid and to determine their available balance. Compromised cards are then resold to other fraudsters.

In collaboration with Worldpay, Worldpay for Platforms has seen an increase in the number of card testing attacks globally and we advise you and any of your service providers to be diligent, increase your awareness, and review your current detection controls to help prevent these types of fraudulent attacks. 

We will continue to notify you of any suspicious authorization activity that might be potential card testing, but additionally, we’ve worked in partnership with the major credit card brands to compile a list of best practices to support card testing mitigation efforts: 

Take Action

Implement these measures to enhance security and prevent card testing:

  • Analyze time zone differences and browser language consistency from the cardholder’s IP address and device. Classify these transactions as potentially high risk and perform more stringent reviews.

  • Implement multifactor authentication (MFA) to add an extra layer of security for transaction initiation and account access.

  • In addition to velocity checks for small and large transactions, use velocity checks for low amounts or authorization-only transactions.

  • Include IP addresses with multiple failed card payment data in a fraud detection blacklist database for review and analysis.

  • Inject random pauses, or “throttling”, when checking an account to slow brute-force attacks that depend on timing, especially for Bank Identification Numbers (BINs) that have been determined to have a high fraud incidence.

  • Leverage authentication and CAPTCHA controls to prevent automated transaction initiation by bots or scripts, for example after five authorizations from one IP address or account.

  • Refunding successful card testing payments does not prevent a chargeback or guarantee that one settles in the merchant's favor. Instead, allow the chargeback process to play out and respond appropriately to each dispute.

  • Use a layered validation approach that employs Card Validation Codes and Address Verification Services.

  • Use fraud detection systems that support device fingerprinting and botnet detection.

Maintain Awareness

Regularly monitor these indicators to identify and mitigate potential risks:

  • Lock an account after a set number of failed login attempts, whether the user entered an incorrect username, password, or any other account authentication data.

  • Look for excessive usage and bandwidth consumption from a single user.

  • Look for logins on a single account coming from many IP addresses.

  • Look for multiple tracking elements in a purchase linked to the same device (for example, multiple transactions with different cards using the same email address and the same device ID).

  • Review logins that use passwords commonly tried by attackers.
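As an added illustration (not Worldpay's code or part of any Worldpay product), the following detection logic applies three of the rules from the lists above to a constructed sample of authorization records: a velocity check on low-amount authorizations per IP, a blacklist-candidate check on IPs with repeated failed card data, and a check for many distinct cards behind one device ID. The record layout, thresholds, and the 10-minute window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real traffic). Each record:
# (timestamp, source IP, device ID, email, card last four, amount, approved?)
AUTH_LOG = [
    ("2024-05-01T10:00:00", "203.0.113.7", "dev-A", "a@example.test", "1111", 1.00, False),
    ("2024-05-01T10:00:20", "203.0.113.7", "dev-A", "a@example.test", "2222", 1.00, False),
    ("2024-05-01T10:00:45", "203.0.113.7", "dev-A", "a@example.test", "3333", 1.00, True),
    ("2024-05-01T10:01:10", "203.0.113.7", "dev-A", "a@example.test", "4444", 0.50, False),
    ("2024-05-01T10:01:30", "203.0.113.7", "dev-A", "a@example.test", "5555", 1.00, True),
    ("2024-05-01T10:02:00", "203.0.113.7", "dev-A", "a@example.test", "6666", 1.00, False),
    ("2024-05-01T10:30:00", "198.51.100.9", "dev-B", "b@example.test", "7777", 49.99, True),
    ("2024-05-01T11:15:00", "198.51.100.9", "dev-B", "b@example.test", "7777", 12.00, True),
]

def detect_card_testing(log, window=timedelta(minutes=10), low_amount=2.00,
                        max_low_auths=5, max_failures=3, max_cards_per_device=3):
    """Return a sorted list of (rule, key) alerts for analyst review. Thresholds are assumed."""
    low_by_ip = defaultdict(list)       # timestamps of low-amount authorizations per IP
    fails_by_ip = defaultdict(int)      # failed authorizations per IP
    cards_by_device = defaultdict(set)  # distinct cards seen per device ID
    for ts, ip, device, _email, last4, amount, approved in log:
        if amount <= low_amount:
            low_by_ip[ip].append(datetime.fromisoformat(ts))
        if not approved:
            fails_by_ip[ip] += 1
        cards_by_device[device].add(last4)

    alerts = set()
    # Velocity rule: too many low-amount authorizations from one IP inside the sliding
    # window, counted regardless of approval, since the tester wants the approve/decline signal.
    for ip, times in low_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= max_low_auths:
                alerts.add(("low_amount_velocity", ip))
                break
    # Blacklist candidates: IPs that repeatedly submitted failing card payment data.
    for ip, n in fails_by_ip.items():
        if n >= max_failures:
            alerts.add(("failed_auth_ip", ip))
    # One device cycling through many different cards.
    for device, cards in cards_by_device.items():
        if len(cards) >= max_cards_per_device:
            alerts.add(("multi_card_device", device))
    return sorted(alerts)
```

Running `detect_card_testing(AUTH_LOG)` flags the first IP under both IP rules and the first device under the multi-card rule, while the two ordinary purchases from the second IP produce nothing.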

Protect Integrated Payment Pages

PayFields and PayFrame products are typically used as a hosted checkout field on public payment pages, such as shopping cart checkout, company payment pages, donation pages, and other publicly viewable payment pages. As these payment pages can be viewed and used in a public space, they can be vulnerable to being used for card testing attacks.

Included are some best practices for using PayFields in a public form to ensure the security of the information and to deter anyone from using PayFields for card testing:

  • Add a Failed Authorization Decision rule.

  • Create payment tokens.

  • Implement a rolling API key system.

  • Protect your API keys.

  • Use transaction session keys.

For a comprehensive guide on implementing these cybersecurity measures for PayFields or PayFrame, see Integrated Payment Pages: Best Practices.
