Last updated 02/06/2023

Online Card Not Present Best Practices

POS COMPLIANCE 

Online (Card Not Present) Transaction Best Practices 

Global Payments has become aware of an industry-wide trend where fraudsters attempt to obtain payment card information such as account numbers, card expiration dates, Card Verification Values 2 (CVV2) and user passwords for online account access through a technique called Card Testing.

What is Card Testing? 

In this attack, automated software commonly known as a “botnet” is used as a downloader or a credential-collection tool that generates a large volume of consecutive guesses of account data. A fraudster can continue to run credit card numbers through merchant websites until the authorisation response comes back approved. 

What is the impact of Card Testing? 

Card Testing can cause excessive authorisation fees to be charged to the merchant’s account for each attempt when not dealt with properly. It’s the responsibility of each software developer to put proactive measures in place to prevent this type of activity for their merchants. Authorisation fees for Card Testing attacks can quickly accumulate as these types of attacks tend to involve several cards so the fraudster can gather as much information as possible. 

This means we’re unable to reverse transaction charges from Brute Force Attacks if businesses haven’t taken the appropriate measures to protect against Card Testing.

What could make you more susceptible to Card Testing? 

Any application that enables online payments and hasn’t implemented online payment best practices, including implementing CAPTCHA, is at risk for a Card Testing attack. 

Who do you contact if you believe that you have been a victim of Card Testing?

Please contact our Front Line Helpdesk on 0345 702 3344* and ask for Ecom Support. You can also visit our website which will provide you with the details on how to better protect your business - 

Recommendations: 

Global Payments recommends that you consider implementing the following best practices to help mitigate card testing and other fraudulent attacks: 

  • Three-Domain Secure 2 Authentication (3DS 2), which may help to prevent automated transaction initiation by robots or scripts (for example, five authorisations from one IP address or card). 
  • Add a more complicated CAPTCHA including images. Google offers reCAPTCHA, which is free, but this should be upgraded to gain the full benefits.
  • Use a layered validation approach. 
  • CVV2 and Address Verification Service (AVS). 
  • Monitor IP Addresses - add IP addresses that submit multiple failed card payment data to a fraud detection black-list database for manual review. Look for logins for a single card account coming from many IP addresses.
  • Velocity Checks - use for small and large transactions as well as authorisation-only transactions. 
  • Throttling - inject random pauses when checking an account to slow brute force attacks that are dependent on time.
  • Monitor Processing Patterns 
    • Excessive usage and bandwidth consumption from a single user. 
    • Multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards using the same email address and same device ID. 
  • Monitor Login attempts
    • Lock out an account if a user is guessing the user name / password.
    • Lock out any account that enters authentication data incorrectly on “x” number of login attempts.
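
The velocity, IP-monitoring and processing-pattern checks above can be combined into one sliding-window monitor. This is an added example, not Global Payments code; the thresholds, field names (`ip`, `device_id`, `card_token`) and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to your own traffic.
WINDOW_SECONDS = 300
MAX_AUTHS = 5             # authorisations per IP or per card in the window
MAX_CARDS_PER_SOURCE = 3  # distinct cards per IP or device in the window
MAX_IPS_PER_CARD = 3      # distinct IPs presenting one card in the window

class VelocityMonitor:
    """Sliding-window velocity checks over authorisation attempts."""

    def __init__(self):
        # (kind, key) -> deque of (timestamp, counterpart value)
        self.events = defaultdict(deque)

    def _record(self, kind, key, ts, other):
        q = self.events[(kind, key)]
        q.append((ts, other))
        while q[0][0] <= ts - WINDOW_SECONDS:  # drop attempts outside the window
            q.popleft()
        return q

    def check(self, ts, ip, device_id, card_token):
        """Record one attempt; return the rules it trips (empty list = none).

        card_token is a gateway token or keyed hash, never the raw card number.
        """
        by_ip = self._record("ip", ip, ts, card_token)
        by_dev = self._record("device", device_id, ts, card_token)
        by_card = self._record("card", card_token, ts, ip)
        alerts = []
        if len(by_ip) > MAX_AUTHS or len(by_card) > MAX_AUTHS:
            alerts.append("auth_velocity")
        if len({c for _, c in by_ip}) > MAX_CARDS_PER_SOURCE:
            alerts.append("many_cards_one_ip")
        if len({c for _, c in by_dev}) > MAX_CARDS_PER_SOURCE:
            alerts.append("many_cards_one_device")
        if len({i for _, i in by_card}) > MAX_IPS_PER_CARD:
            alerts.append("one_card_many_ips")
        return alerts

# Constructed sample: (seconds, ip, device_id, card_token)
SAMPLE = [(t * 10, "203.0.113.7", "dev-A", f"tok{t}") for t in range(5)] + [
    (1000 + i, f"198.51.100.{i}", f"dev-{i}", "tokX") for i in range(4)
] + [(5000, "192.0.2.1", "dev-Z", "tokZ")]

def run_sample():
    mon = VelocityMonitor()
    return [mon.check(*event) for event in SAMPLE]
```

An attempt that trips any rule can be routed to a CAPTCHA challenge, a throttling delay or manual review before the authorisation request is sent, so that it does not incur an authorisation fee.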


Global Payments is a trading name of GPUK LLP. GPUK LLP is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (504290) for the provision of payment services and under the Consumer Credit Act (714439) for the undertaking of terminal rental agreements. GPUK LLP is a limited liability partnership registered in England with company number OC337146. Registered Office: Granite House, Granite Way, Syston, Leicester, LE7 1PL. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office.

Global Payments is also a trading name of Pay and Shop Limited. Pay and Shop Limited is a limited company registered in Ireland with company number 324929. Registered Office: The Observatory, 7-11 Sir John Rogerson's Quay, Dublin 2, Ireland. Service of any documents relating to the business will be effective if served at the Registered Office.

© 2023 GPUK LLP. All rights reserved.