Take Action to Prevent Card Testing Fraud

During the pandemic, merchants experienced more losses to fraud due to a significant increase in card-not-present transactions. We will likely continue to see an increase in fraud as we move to a post-pandemic world. According to the Nilson Report, payment card industry losses due to fraud will amount to $408.50 billion over the next 10 years.

UCSF’s merchants need to understand how credit card fraud can happen and its consequences. Review these important tips for detecting a common type of credit card fraud activity – known as card testing – and for protecting your merchant account.

 

Credit Card Fraud and Card Testing

Credit card fraud can take many forms, including:

  • Card-not-present (CNP) fraud: Occurs without the use of the physical card, mainly online.
  • Counterfeit and skimming fraud: Occurs when card details are taken illegally, directly from a credit card, using a device called a skimmer that is hidden in a regular card reader, to create a counterfeit credit card.
  • Lost and stolen card fraud: Occurs with cards that have been lost or stolen.
  • Card-never-arrived fraud: Occurs on cards ordered by a customer that they never receive in the mail.
  • False application fraud: Occurs when an account is established using someone else’s identity.

Card testing is a type of fraudulent activity where a payment or payment authorization is made to determine whether stolen credit card information is valid in order to use it to make purchases later. For example, fraudsters may purchase stolen credit card information and then attempt card testing to validate which cardholder data are still valid.

Card testers use two common methods to determine whether stolen card information is valid. Testing activity could happen against any merchant’s account – including accounts at UCSF.

  • Authorizations: Fraudsters prefer to test cards via payment authorizations. Because authorizations do not usually show up on cardholder statements, cardholders are less likely to identify or report this activity.
  • Payments: Card testers usually make small dollar value purchases that are less likely to be identified and reported as fraudulent. Donation sites and businesses that normally have small value purchases are ideal targets for card testers.

As manual testing requires considerable time and labor, fraudsters often program networks of compromised computers (known as bots) to make many small dollar value purchases as quickly as possible. Purchases may be from the same card information or from multiple cards.

Card testing attacks can leave a merchant with expenses from authorization processing fees, not to mention the resource costs to correct the damage. Additional consequences of card testing include:

  • Disputes: Card testing may result in successful payments. Cardholders who notice these payments will report them as fraud to their credit card company, requiring time and effort to resolve.
  • Higher Decline Rates: Card testing causes a high rate of declined sales. A high decline rate damages UCSF’s reputation with card issuers and card networks, which makes all of UCSF’s transactions appear riskier. This can result in an increased decline rate for legitimate payments, even after card testing stops due to the merchant account being locked.
  • Additional Fees: Card testing activity can result in additional fees, including authorization fees, chargeback fees, and dispute fees.

 

How To Tell If Your Merchant Account Has Experienced Card Testing

Card testing has negative impacts on UCSF’s entire financial system. UCSF Merchant Services, the Controller’s Office, and our merchant banks want to help you detect and stop it. If you see any of the following, there is a good chance that your merchant account is experiencing a card testing attack:

  • Any unexpected or sudden spike in your average daily transactions
  • Repeated small transactions from the same credit card number or IP address
  • A large number of authorization failures, which could indicate that a fraudster is testing combinations of credit card details looking for valid information
  • A large number of Address Verification Service (AVS) alerts
  • A sudden increase in the number of credit cards declined
  • Declines with CVV errors, which often occur when the fraudster does not have the correct Card Verification Value (CVV) information

As a last line of defense, the Controller’s Office will receive a notice from our merchant bank informing us of suspected fraudulent activity. UCSF Merchant Services will research the activity, notify the affected merchant, and work with the merchant to remediate the damage.

If you experience any of the above, contact UCSF Merchant Services immediately.

 

Best Practices to Protect Your Merchant Account

No single method can prevent card testing fraud. Review these best practices and reach out to UCSF Merchant Services to discuss how to best protect your merchant account.

  • Establish minimum thresholds: It is common to see card testing transactions for very low amounts, usually less than five dollars. The smaller the charge, the less likely it is to attract attention that results in the cardholder reporting the fraudulent activity. If possible, a merchant should request a minimum value that is as high as possible while still being appropriate for the business. This is especially true for donation sites.
  • Apply velocity limiters: Our credit card processors have several tools to track not only transaction totals, but also other specific data elements called velocity checks. These tools identify potential fraud based on the rate at which a buyer submits multiple transactions. A buyer is identified based on a variety of factors including (but not limited to) email address, IP address, device fingerprint, card number, first name, and last name. UCSF Merchant Services will help you determine if and how velocity tools can help you prevent fraud.
  • Require CAPTCHA for online payments: CAPTCHA is an effective challenge-response test technology used to determine if a user is human. CAPTCHA can sometimes block automated scripts used by card testers.
  • Keep merchant account details secure: Don’t publish your account information, especially your API key.
  • Monitor refund requests: Merchants should never issue a refund on any card other than the card from the original transaction. There may be circumstances when another approved refund process is preferred or necessary. A merchant should work with UCSF Merchant Services to document their Controller’s Office approved alternate refund processes. However, if you suspect a refund request may be fraudulent, contact UCSF Merchant Services before issuing the refund.
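
The warning signs listed under "How To Tell If Your Merchant Account Has Experienced Card Testing" and the velocity limiters described above can be checked together over a transaction log. The following Python code is an added example, not code from UCSF or its card processors; the log format, result codes, thresholds, and sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window for velocity
MAX_PER_KEY = 3                 # assumed: small attempts allowed per card/IP per window
SMALL_AMOUNT = 5.00             # page: testing charges are usually under five dollars
MAX_DECLINE_RATE = 0.5          # assumed alert threshold for declines per IP

# Constructed sample log: timestamp,ip,card_token,amount,result (assumed format)
SAMPLE = """\
2024-01-01T10:00:00,203.0.113.7,tok_01,1.00,declined_cvv
2024-01-01T10:00:20,203.0.113.7,tok_02,1.00,declined_cvv
2024-01-01T10:00:40,203.0.113.7,tok_03,1.00,declined
2024-01-01T10:01:00,203.0.113.7,tok_04,1.00,declined_cvv
2024-01-01T10:01:20,203.0.113.7,tok_05,1.00,approved
2024-01-01T10:05:00,198.51.100.20,tok_90,25.00,approved
2024-01-01T11:30:00,198.51.100.20,tok_90,40.00,approved
""".splitlines()

def parse(line):
    """Split one log line into (timestamp, ip, card_token, amount, result)."""
    ts, ip, card, amount, result = line.strip().split(",")
    return datetime.fromisoformat(ts), ip, card, float(amount), result

def detect(lines):
    """Return sorted (key, reason) alerts for card-testing indicators."""
    recent = defaultdict(deque)              # key -> times of recent small attempts
    totals = defaultdict(lambda: [0, 0, 0])  # ip -> [attempts, declines, CVV errors]
    alerts = set()
    for ts, ip, card, amount, result in sorted(map(parse, lines)):
        stats = totals[ip]
        stats[0] += 1
        stats[1] += result != "approved"     # any decline counts
        stats[2] += result == "declined_cvv"
        if amount < SMALL_AMOUNT:
            # Velocity check: repeated small transactions from one card or IP.
            for key in ("ip:" + ip, "card:" + card):
                q = recent[key]
                q.append(ts)
                while ts - q[0] > WINDOW:    # drop attempts outside the window
                    q.popleft()
                if len(q) > MAX_PER_KEY:
                    alerts.add((key, "velocity"))
    for ip, (n, declined, cvv) in totals.items():
        if n >= 4 and declined / n > MAX_DECLINE_RATE:  # assumed minimum sample of 4
            alerts.add(("ip:" + ip, "decline_rate"))
        if cvv >= 3:                                    # assumed CVV-error threshold
            alerts.add(("ip:" + ip, "cvv_errors"))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The thresholds here are placeholders; appropriate values depend on a merchant's normal transaction volume and amounts.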

There is no single solution that can prevent card testing fraud. Merchants need to use a combination of best practices and risk tools at every stage, from account events to transaction requests, to successfully counter credit card fraud. Through this multilayered approach, we can protect UCSF from credit card fraud.