What Is Card Testing?
Card testing is when a fraudster tests whether a stolen debit or credit card is still active (“live”) before they go on to use it – as well as if it has funds left.
Testing involves conducting card activity less likely to be flagged as suspicious and is often done on long lists of illegally acquired card credentials, to separate the wheat from the chaff.
Card testing can be conducted on physically stolen bank cards, physical reproductions of cards from scraping, generated card information, as well as on stolen card credentials, also known as card fullz.
Card testing & carding can be a huge pain point. Find out how to stop it at payment gateways and other touchpoints.
How Does Card Testing Work?
There are two primary methods used by criminals to conduct a card testing attack: pushing through small payments and conducting authorizations.
The fraudster attempts to use a card to make a small payment. Acceptance of the payment will show them if the card is live, but it is also likely to draw the attention of the legitimate cardholder, as it will appear on their statement.
Even rejected payments can occasionally return useful information in terms of what caused the rejection, helping the fraudster to fool the system upon their next attempts.
Method benefits: easy to find places to use it; rejections can help criminals
Method risks: more likely to be caught
Unlike payments, authorizations are a query sent through the payment processor to the issuer as the first step in a payment, asking whether the customer has the funds to cover the transaction. These will take much longer to appear on card statements, giving the fraudster more time to use the active card.
Method benefits: cardholder not likely to find out; subtler method
Method risks: advanced anti-fraud methods will still catch these
At this point, the legitimate card owner might notice and contact the card issuer. This is bad news for the criminal but is also unfortunate for the merchant, who will be facing chargeback requests, which require time and often money to resolve – as well as affecting their chargeback rate, which can be catastrophic.
It is estimated that each case of fraud costs merchants up to 3.60 times the money lost in that transaction.
Another thing fraudsters testing stolen debit and credit cards are wary of is causing too many declines on each card. Depending on the issuer, this can lead to the card automatically freezing, which means it can’t be used anymore.
Card testing can be done on credit cards, as well as debit cards, prepaid cards and gift cards (for gift card fraud prevention), usually in card-non-present environments. In fact, card-not-present (CNP) fraud is projected to cause losses of USD 34.66 billion to the economy every year.
What Is Card Testing Used For?
Card testing is conducted to see whether stolen cards and/or credentials (fullz) are still active. From there, fraudsters will:
- resell live cards for a profit (verified cards sell for more than untested cards)
- use them to conduct fraud, including chargeback fraud
- use them to buy gift cards or cryptocurrencies
- use them to buy goods to reship
- use them to buy criminal or unlawful services on the dark web
- as well as any other act that involves card payments
How Does Card Testing Fraud Harm Ecommerce?
Fraudsters tend to target digital goods and services, as well as non-profit organizations, and the donation and support pages of content creators, mainly because they provide instant feedback on whether the card is live and has funds available.
Merchants have much to lose from credit card testing, both repetitive and one-off. These consequences include:
- Chargeback rate rises: Card testing will cause chargeback requests from cardholders and as such, it can affect the chargeback ratio – which can ultimately even lead to being banned as a merchant.
- Chargebacks: Chargeback requests are always detrimental to the merchant, and are highly likely in card testing attacks.
- Higher processing fees: Merchants can be flagged as high risk, thus being forced to pay higher fees to payment processors, for all transactions.
- Increased risk overall: Successful testing signals low anti-fraud protocols to criminals, opening a Pandora’s box of subsequent fraud attacks. In other words, fraudsters are more likely to attack you.
- Extra fees: Additional costs include dispute fees, interchange fees, work hours spent, resolution fees.
- Infrastructure strain: Card testing and its results can put a strain on merchant resources, including human resources.
- Morale and reputation affected: There is increased possibility for a drop in employee morale, as well as reputational damage.
- Cost to financial ecosystem: Card testing enables further fraud, thus affecting the economy as a whole.
Of course, also at risk from card testing are payment gateways, where fraudsters spam orders using different credentials to see which will go through, as well as card issuers themselves.
How to Stop Card Testing Fraud
Protection from card testing attacks primarily concerns payment gateways and card issuers. However, merchants also have a vested interest in preventing this type of fraud, mainly because of its effects on their chargeback ratio.
Moreover, identifying testing in a timely fashion is of benefit to everyone except the criminal world, as it prevents credit card testing fraudsters from then using the credentials for larger transactions and schemes at the detriment of several stakeholders as well as the wider economy.
Generally speaking, the more information on the customer you have, the easier it is to figure out their intentions. Technologies and tools that enable organizations to prevent and mitigate card testing include:
- data enrichment – which finds out extensive information starting from single data points, for instance, the buyer’s IP address or provided email address
- PCI-DSS – a widely accepted set of standards that helps boost the security of card payments from major issuers
- device fingerprint analysis – where fraud fighting tools examine a consumer’s hardware and software to reach conclusions about their intentions
- risk analysis – strategies and software that calculate the risk off card testing and implement strong protocols that scale
- SCA protocols – a means to ensure that those who pay with credit cards online are the actual, legitimate cardholders
- velocity rules – these checks can identify patterns over time, flagging, for example, multiple attempts at payment with too many cards from the same device or location
- risk scoring – this fraud prevention staple factors in all gathered data to create a score that reflects the likelihood of a transaction being fraudulent
- dynamic friction – this type of fraud fighting strategy will ask suspicious customers only for additional proof they own their payment cards, thus providing card testing fraud prevention without adding friction for legitimate customers.
The general idea is to gather as much information about the customer attempting a payment as possible while keeping friction to a minimum, so as not to deter legitimate consumers.
For purposes of credit card testing fraud prevention, anti-fraud platforms will look into several data points acquired through data enrichment, device, canvas and browser fingerprinting, considering them over a wider period of time using velocity rules, as well as comparing them to historical data for that business and type of transaction specifically.
The result gives an overall risk score per customer and/or transaction that can trigger KYC protocols, manual review or even outright bans, effectively discouraging and even catching card testing and other types of fraud.
There is a lot we can find out from the first part of a credit card number, known as the BIN, which is the same for each issuer bank. Enter the first few digits in SEON’s BIN lookup tool below to see for yourself:
Free BIN lookup!
Enter the first 6 or 8 digits of a card number (BIN/IIN)
Contact Us for a Demo
Feel free to reach out to us for a demo!