Online Card Not Present Best Practices
Online (Card Not Present) Transaction Best Practices
Global Payments has become aware of an industry wide trend where fraudsters attempt to obtain payment card information such as account numbers, card expiration dates, Card Verification Values 2 (CVV2) and user passwords for online account access through a technique called Card Testing.
What is Card Testing?
In this attack, automated software (commonly a “botnet”) is used as a credential-collection tool that generates a large volume of consecutive guesses at account data. A fraudster can keep running card numbers through merchant websites until an authorisation response comes back approved.
What is the impact of Card Testing?
Card Testing can cause excessive authorisation fees to be charged to the merchant’s account for each attempt when it is not dealt with properly. It is the responsibility of each software developer to put proactive measures in place to prevent this type of activity for their merchants. Authorisation fees for Card Testing attacks can accumulate quickly, as these attacks tend to involve several cards so the fraudster can gather as much information as possible.
This means we are unable to reverse the transaction charges from brute-force attacks if businesses have not taken the appropriate measures to protect against Card Testing.
What could make you more susceptible to Card Testing?
Any application that enables online payments and hasn’t implemented online payment best practices, including implementing CAPTCHA, is at risk for a Card Testing attack.
Who do you contact if you believe that you have been a victim of Card Testing?
Please contact our Front Line Helpdesk on 0345 702 3344* and ask for Ecom Support. You can also visit our website, which provides details on how to better protect your business.
Recommendations:
Global Payments recommends that you consider implementing the following best practices to help mitigate card testing and other fraudulent attacks:
- Three-Domain Secure 2 Authentication (3DS 2), which may help to prevent automated transaction initiation by robots or scripts (for example, five authorisations from one IP address or card).
- Add a more complicated CAPTCHA, including images. Google offers reCAPTCHA free of charge, but it should be upgraded to gain the full benefits.
- Use a layered validation approach.
- Use CVV2 and Address Verification Service (AVS) checks.
- Monitor IP Addresses - add IP addresses with multiple failed card payment attempts to your fraud detection black-list database for manual review. Look for logins to a single card account coming from many IP addresses.
- Velocity Checks - use for small and large transactions as well as authorisation-only transactions.
- Throttling - inject random pauses when checking an account to slow brute-force attacks that depend on timing.
- Monitor Processing Patterns
  - Excessive usage and bandwidth consumption from a single user.
  - Multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards using the same email address and the same device ID.
- Monitor Login Attempts
  - Lock out an account if a user repeatedly guesses at the user name / password.
  - Lock out any account after “x” incorrect authentication attempts.
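As an added example (not Global Payments’ code), the velocity check and IP/device monitoring recommended above, run over constructed authorisation-attempt records; the thresholds, field names and sample values are assumptions, and cards are referred to by token rather than by account number.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: int          # seconds since epoch
    ip: str          # source IP of the payment request
    device_id: str   # device fingerprint / tracking element
    card_token: str  # tokenised PAN; the raw card number is never stored here
    approved: bool   # authorisation response


def flag_card_testing(attempts, window=60, max_declines=5, max_cards=3):
    """Sliding-window velocity check keyed by source IP and by device ID.

    A key is flagged when, within `window` seconds, it produces more than
    `max_declines` declined authorisations or presents more than `max_cards`
    distinct card tokens. Returns {("ip"|"device", value): reason}.
    Thresholds are illustrative assumptions, not Global Payments guidance.
    """
    flagged = {}
    by_key = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_key[("ip", a.ip)].append(a)
        by_key[("device", a.device_id)].append(a)
    for key, events in by_key.items():
        start = 0
        for end in range(len(events)):
            # advance the window start so it spans at most `window` seconds
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            declines = sum(1 for e in win if not e.approved)
            cards = {e.card_token for e in win}
            if declines > max_declines:
                flagged[key] = f"{declines} declines in {window}s"
                break
            if len(cards) > max_cards:
                flagged[key] = f"{len(cards)} distinct cards in {window}s"
                break
    return flagged


# Constructed sample: one node cycling through different cards every 4 seconds,
# plus a genuine customer making a single approved purchase.
SAMPLE = [Attempt(1000 + i * 4, "203.0.113.9", "dev-bot", f"tok{i:02d}", False)
          for i in range(7)]
SAMPLE.append(Attempt(1100, "198.51.100.7", "dev-alice", "tok-alice", True))
```

Flagged keys feed the black-list database for manual review; a velocity rule alone is a signal, not proof, so combine it with the CAPTCHA, CVV2/AVS and throttling controls above.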