2 minute read

Online card not present transaction best practices

Tuesday, January 31, 2023

2 minute read

There is an industry-wide trend where fraudsters attempt to obtain payment card information such as account numbers, card expiration dates, Card Verification Values (CVV2), and user passwords for online account access through a technique called card testing. 

What is Card Testing? 

In this attack, automated software commonly known as a “botnet” is used as a downloader or a credential-collection tool that generates a large volume of consecutive guesses of account data. A fraudster can continue to run credit card numbers through merchant websites until the authorization response comes back approved. 

What is the impact of Card Testing? 

Card Testing can cause excessive authorization fees to be charged to the merchant’s account for each attempt when not properly managed. It’s the responsibility of each software developer to put proactive measures in place to prevent this type of activity for their merchants. Authorization fees for Card Testing attacks can quickly accumulate as these types of attacks tend to involve several cards so the fraudster can gather as much information as possible. This means we’re unable to reverse Brute Force Attack transaction charges if businesses haven’t taken the appropriate measures to protect against card testing. 

What could make you more susceptible to Card Testing? 

Any application that enables online payments and hasn’t implemented online payment best practices, including implementing CAPTCHA, is at risk of a card testing attack. 


Global Payments recommends that you consider implementing the following best practices to help mitigate card testing and other fraudulent attacks: 

  • Three-Domain Secure 2 authentication (3DS 2.0) may help to prevent automated transaction initiation by robots or scripts (for example, five authorizations from one IP address or card). 
  • Add a more complicated CAPTCHA including images. Google will offer a CAPTCHA which is free but this should be upgraded to gain the full benefits. 
  • Use a layered validation approach. 
  • CVV2 and Address Verification Service (AVS). 
  • Monitor IP Addresses. Include IP addresses with multiple failed card payment data in a fraud detection’s black-list database for manual review. Look for logins for a single card account coming from many IP addresses. 
  • Velocity Checks can be used for small and large transactions, as well as authorization-only transactions. 
  • Throttling injects random pauses when checking an account to slow brute force attacks that are dependent on time. 
  • Monitor Processing Patterns: 
    • Excessive usage and bandwidth consumption from a single user. 
    • Multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards using the same email address and the same device ID. 
  • Monitor Login attempts:
    • Lock out an account if a user guesses the user name/password. 
    • Lock out any account authentication data incorrectly on “x” number of login attempts.