
Stripe reports – An easy guide for business owners
Do you know how you can use Stripe reports to grow your business? If not, this guide will lend you a helping hand!
Lost revenue, increased costs, damaged reputation – card testing attacks have the potential to seriously impact an e-commerce merchant’s bottom line.
While credit card fraud has been steadily increasing over the past decade, COVID-19 has fueled an explosive growth in fraudulent activity, with fraud losses expected to reach $38 billion by 2027!
Time to hit the panic button?
Not necessarily.
If detecting and preventing card testing attacks is high on your priority list, there’s nothing to be afraid of!
In this blog, we’ll discuss how card testing fraud impacts your business, how you can spot unauthorized attacks, and what kind of tactics you should use to hackproof your website!
First things first, what is card testing?
If you’re unfamiliar with the topic, let’s discuss the meaning of card testing attacks first. (If you already know the ins and outs, feel free to jump to the next section!)
Card testing attacks are one of the most common fraudulent activities experienced by websites that accept online payments.
Card testing fraud occurs when cybercriminals get their hands on stolen credit card numbers and try to buy low-priced items online.
Their aim is to test those numbers to see which of the stolen cards are still valid. If a purchase is successful, they’ll know the card is still active and can be used for further fraud.
Sadly, the cost of card testing attacks can be substantial for many businesses:
Typically, you’ll see a sharp rise in card authorization volume for low-dollar transactions submitted within a short period of time. These will come from different card numbers. Often, you’ll see multiple transactions from the same card number with different expiration dates each time.
In case of card testing attacks, expect to see an unusually high number of declines as well. Disputes for unauthorized purchases may start rolling in, and within a few days, a large number of chargebacks may show up in your account.
The most important thing to remember is: no single factor can prevent card testing attacks!
Instead, you’ll need to apply a multilayered approach.
The question is: how can you strike a delicate balance between keeping your transaction process simple to maintain high conversions and keeping your customers safe to avoid fraud?
Let’s see the exact steps!
Your first line of defense to protect against automated transactions on your website should be adding Google reCAPTCHA to your checkout.
Google reCAPTCHA will keep most bots from performing card testing attacks on your website. (Nevertheless, it won’t stop manual testing.)
Legitimate users will be able to create accounts, log in, and make purchases, However, fake users will be blocked.
If you’re using WP Full Pay as your payments plugin for your WordPress site, you can enable reCAPTCHA in 2 simple steps:
Go to “WP Full Pay / Settings” in the WP admin panel and select “Security”:
Next, check what you’d like to protect (inline forms, checkout forms, or customer portal), and enter the reCAPTCHA API key:
WP Full Pay supports reCAPTCHA v2. You can obtain the API keys here.
Companies that offer small transaction sizes or microtransactions are an attractive option for hackers, as these kinds of purchases are less likely to be noticed by the seller or the card owner. Also, they’re less likely to be flagged by the bank.
For this reason, forms where the user can set the payment amount are especially exposed to card testing attacks.
Most often, the following types of forms are impacted:
The solution? Simply set a minimum value in your form. The higher the number the better; however, make sure it doesn’t prevent your honest donors/customers from using your website as designed!
Using WP Full Pay, you can set the minimum payment amount on the “Payment tab” of the form:
For further tips regarding creating secure forms, make sure to read our secure forms blog post!
As the next step, make sure you discourage card testing attacks by eliminating guest checkout.
The goal is to have all your transactions come from registered customers.
Requiring new users to go through a registration process will discourage card testers from invading your site.
Velocity checks are critical to mitigate card testing attacks. They help you monitor specific transaction data elements occurring in specified intervals within a short period of time.
Therefore, you should create a velocity logic ruleset to track specific actions and filter test attempts by IP address, transaction amount, and repetition. These rules help you blacklist any IP addresses that meet your criteria.
For instance, you can create a logic ruleset that sends alerts for small transactions using the same credit card number or IP address multiple times within a short time frame. Or, you can filter an abnormally large number of purchases over a short period of time.
These real-time notifications will allow you to identify anomalies early on and quickly take action.
Another simple technique to prevent card testing fraud is to limit the number of times a user can attempt to complete an order in one shopping cart session.
This way, card testers won’t have the opportunity to test multiple numbers to check data such as addresses, CVV numbers, or ZIP codes.
3D Secure (3DS) offers an additional layer of security used by online business owners to ensure a purchase is from a legitimate cardholder.
The process typically involves an additional 3D Secure step at checkout. The buyer is redirected to the authentication page on their bank’s website. Here, they have to enter a verification code sent to their phone or email.
You can decide which transactions require 3D Secure authentication. For instance, you might first filter high-risk transactions and then decide to further secure these with 3D Secure.
While the above best practices all play a critical role in fighting card testing attacks, partnering with a secure payment service provider offers a layer of protection you can’t afford to ignore.
Selecting a payment solution with a strong risk management engine and smart fraud prevention tools will give you peace of mind, allowing you to focus on growing your business.
Stripe is definitely one of the most well-known online payment service porviders you can trust. Used by millions of companies of all sizes around the globe, it provides fraud prevention solutions that guarantee an exceptional level of security.
Its smart fraud prevention tool Stripe Radar uses machine learning that trains on data across millions of companies worldwide to detect and block card testing attacks in real time. It also helps you distinguish fraudsters from customers and applies Dynamic 3D Secure to high-risk payments.
You can enable requesting 3DS on the “Payments / Rules” page of the Stripe dashboard:
You can set up lists, such as a suspicious IP address block list or card country block list,
on the “Payments / Lists” page to reference in your Radar rules:
Failing to detect and block card testing attacks can inflict massive damage on e-commerce merchants. A successful strategy involves applying a multilayered approach to defend your business. The above best practices help you mitigate fraud without compromising conversions.
Stay on top of the latest news about WP Full Pay
Do you know how you can use Stripe reports to grow your business? If not, this guide will lend you a helping hand!
How does Buy Now Pay Later shopping work? What are its benefits for your business? How to choose the right provider? Here you go →