Small and mid-size businesses should be proactive with fraud management to protect against fraudsters who may regard them as easy targets.
You may think that the size of your business makes you less vulnerable to fraud attacks, but the opposite can often be the case. Sophisticated fraudsters have a good idea about which businesses have less protection or don’t have a dedicated fraud manager. In particular, they may target what they regard as relatively undefended businesses with card testing attacks. We've written about card testing before, but here's a quick refresh of what it is and how it can affect your business.
What is card testing?
Fraudsters use card testing to determine the validity of stolen or fraudulently obtained card details. They attempt multiple purchases on an eCommerce website like yours (often using a botnet for speed and scale). If a transaction is approved, they know they can use the card. If, on the other hand, a card has already been canceled by its owner, authorization will be declined, and the fraudster will move on to testing the next card.
What are the likely effects of a card testing attack?
Our risk analysts have found that a card testing attack can negatively affect an unprepared business for several months, causing financial and other losses. Here's a typical timeline of what you could experience:
Day 1 (attack day)
The fraudster submits potentially thousands of orders, many of which could be approved. Approved orders for physical goods could start to ship, resulting in lost product. Once card issuers become aware of what's happening, they may ask your acquirer to shut down your ability to process transactions. You'll need to provide proof of a mitigation strategy before you can restart transaction processing.
Because the fraudster submitted so many transactions, you may have to pay significant authorization processing fees to your acquirer and payment gateway. For example, your authorization fees could jump from an average of $40 a month to $15,000 a month. To add insult to injury, you won’t earn any revenue on these transactions, either.
Chargebacks and their associated fees start to roll in because transactions weren't reversed during the initial attack.
Your business could experience brand and reputational damage and loss of customer trust.
What can I do to protect my business from card testing?
Unfortunately, once a card testing attack is in progress, there's little you can do. Your future self will thank you if, instead of reacting to an attack, you take a proactive approach to preventing card testing (and other types of fraud) instead of reacting to an attack after it occurs.
No single solution can completely stop fraud, which is why we recommend a multi-layered strategy. Consider combining best practices like risk reviews, minimum payment thresholds, and early identification of anomalies (which we wrote about here) with a range of capable tools.
How Cybersource can help
In addition to following best practices, a fraud management tool is another layer of defense against card testing and other types of fraud.
If you already use Cybersource’s payment platform, consider integrating Fraud Management Essentials to help prevent fraudulent transactions (including card testing) before they get as far as authorization.
Fraud Management Essentials is ready to use and easy to configure. Developed with Cybersource's expertise and built on Visa’s scale, its powerful features include:
- Velocity rules that can track, count, and reject repeated transaction attempts that share common data elements or exceed transaction volume limits
- Amount thresholds that can limit transactions to those that are appropriate for your business
Not an expert at managing eCommerce fraud?
Don’t worry. To help you get started, Fraud Management Essentials comes with online training modules that you can access anytime.
By combining best practices with fraud and risk tools, you can better protect your business against card testing and other types of fraud and avoid the associated costs and negative impact on your brand.