We sometimes hear from merchants who notice that their e-commerce website is being used to test stolen credit card numbers. The stolen credit card numbers often come from data compromises like the recent large-scale compromise at Target. The credit card number testing is sometimes automated.
Although there is no silver bullet, it is often fairly easy to get fraudsters to stop using your website for this type of activity. The key is to deploy speed bumps so that testing cards on your website is no longer easy and is not worth their time and effort. They usually seek the path of least resistance.
Here are some best practices to help mitigate this type of activity.
1. Consider automatically declining, or manually reviewing, any transactions having an Address Verification Service (AVS) mismatch. Often when fraudsters are testing cards (which is often automated), the shipping address will not match the credit card billing address. Automatically declining these transactions often makes the fraudsters go elsewhere since the testing on your website no longer works.
2. Consider automatically declining all orders coming from IP addresses outside of the U.S. As much of credit card testing comes from foreign IP addresses, this can help stop fraudsters from using your website. This may not be an option if you regularly conduct international business from your website.
3. Your gateway solution provider may have a fraud module that can be added on to your authorization and settlement service that uses various types of tools to help weed out fraudulent testing or even help identify fraudulent orders. This option may or may not have a cost.
4. If resources are overwhelmed by the volume of e-commerce transactions that must be reviewed manually for potential fraud, you may want to consider an automated fraud analytics solution.
Fraud analytics solutions are often quite effective in that they analyze order data in real-time and return fraud probability scores in milliseconds based on hundreds of data filters. They also make use of negative databases based on reports filed by other e-commerce merchants. These solutions have a cost, so their return on investment is often based on the volume of e-commerce transactions processed and the amount of time resources are spending manually reviewing transactions.
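Points 1 and 2 can be expressed as a small screening rule that runs on each order, shown here as an added example that is not code from Wind River Financial or any gateway. The AVS result letters are the ones commonly returned by U.S. gateways and are an assumption, as are the `Order` fields and the upstream step that resolves an IP address to a country code; check your gateway's documentation for its own codes.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed AVS result codes (commonly used by U.S. gateways; yours may differ).
AVS_FULL_MATCH = {"Y", "X"}   # street address and ZIP both match
AVS_NO_MATCH = {"N"}          # neither street address nor ZIP matches


@dataclass
class Order:
    order_id: str
    avs_code: Optional[str]    # from the gateway's authorization response
    ip_country: Optional[str]  # ISO 3166-1 alpha-2, resolved upstream (assumed)


def screen(order: Order, sells_internationally: bool = False) -> str:
    """Return 'approve', 'review' or 'decline' for one order."""
    # Point 2: decline non-U.S. IP addresses unless the store sells abroad.
    if not sells_internationally:
        if not order.ip_country:
            return "review"    # could not geolocate: send to manual review
        if order.ip_country.upper() != "US":
            return "decline"
    # Point 1: decline an AVS mismatch; review anything short of a full match.
    code = (order.avs_code or "").strip().upper()
    if code in AVS_NO_MATCH:
        return "decline"
    if code in AVS_FULL_MATCH:
        return "approve"
    return "review"            # partial match, unavailable, or unknown code


def screen_all(orders, sells_internationally: bool = False) -> dict:
    """Screen a batch of orders and return {order_id: decision}."""
    return {o.order_id: screen(o, sells_internationally) for o in orders}


# Constructed sample orders (not real transactions).
SAMPLE = [
    Order("1001", "Y", "US"),   # full match, U.S. IP
    Order("1002", "N", "US"),   # AVS mismatch
    Order("1003", "Z", "US"),   # ZIP-only match
    Order("1004", "Y", "CA"),   # full match, non-U.S. IP
    Order("1005", None, "US"),  # gateway returned no AVS result
]

if __name__ == "__main__":
    for order_id, decision in screen_all(SAMPLE).items():
        print(order_id, decision)
```

Setting `sells_internationally=True` turns off the country rule for merchants who regularly do international business, leaving the AVS rule as the only automatic decline.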
Wind River Financial is happy to provide further information on any of these options. We recommend that actions such as points 1 & 2 above be attempted first as they may help mitigate the card testing with little or no cost and effort. Please contact us with any questions.