Card cycling damages brands – even if it doesn’t happen in your environment

When fraudsters find websites where they can run a batch of credit cards to see which are valid, it costs you more than a sale. The long-term effects can damage your reputation with customers and issuers.

Credit card cycling is a sneaky way of testing and validating stolen credit card credentials. It’s a pretty simple scheme, really. Fraudsters find a website with a vulnerable interface (donation platforms are common). They write a computer script that allows them to cycle through thousands of stolen credit card numbers to test which are valid – which ones allow them to make a low dollar amount payment.


Afterwards, the bad actor has a set of valid card details they can use to fraudulently purchase goods at that or another platform (for later resale), or to sell at a premium on the dark web because they have already been verified. Because the active card can be used at any company’s online platform, card testing can lead to a fraudulent purchase and damage your brand, even if the testing didn’t take place at your checkout.


Naturally, card testing leads to a high decline rate, because most of the tested payment information belongs to cancelled credit cards or is incomplete. A high decline rate at checkout leads issuers to distrust those merchants. They know the merchant’s website is vulnerable and could lead to chargebacks, so they become more prone to deny purchases from that merchant. Mass card testing can also slow down the merchant’s website, and valid purchasers may abandon transactions that take too long.

The resulting damage can range from a higher authorization decline rate for legitimate transactions, due to issuers’ lower trust in that company, to unhappy customers moving to a competitor to have their purchase successfully finalized. In short: fewer transactions and increased customer churn.

Short-term costs and long-term damage

Credit card testing is on the rise, leading to losses in fraudulent purchases. Our research shows that the average number of card testing events has gone up almost 70% in the first trimester of the year compared to the same period in 2019. In terms of cost of fraudulent purchases, the average fraudulent purchase across retail companies, based on Mastercard 2019 numbers, is around $140.


To evaluate long-term brand damage, consider the lifecycle of your average customer relationship, and the average purchase value. Compare that to your marketing budget and the average cost of acquiring each new customer. Harvard Business Review reported in 2014 that “acquiring a new customer is anywhere from five to 25 times more expensive than retaining an existing one.”

Proactive ways to prevent card cycling

Credit card cycling uses retailers’ existing platforms, so to prevent it, companies need to monitor the checkout platform and the traffic that accesses it.
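One simple way to monitor checkout traffic for this pattern, shown as an added example (not from the original post and not NuData's method): a sliding-window heuristic that flags a source cycling many distinct cards at low amounts with a high decline rate. The thresholds, the event layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_CARDS = 5      # distinct card tokens seen from one source in the window
MIN_DECLINE_RATE = 0.7      # share of attempts in the window that were declined
LOW_AMOUNT = 5.00           # "low dollar amount" ceiling
MIN_LOW_AMOUNT_SHARE = 0.8  # share of attempts at or below LOW_AMOUNT


def find_card_testing(events):
    """events: iterable of (timestamp, source_ip, card_token, amount, approved).
    Returns {source_ip: time of first alert}. Card tokens stand in for PANs,
    which should never be written to logs."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, ip, card_token, amount, approved in sorted(events):
        win = windows[ip]
        win.append((ts, card_token, amount, approved))
        while ts - win[0][0] > WINDOW:  # drop attempts older than the window
            win.popleft()
        cards = {c for _, c, _, _ in win}
        declines = sum(1 for *_, ok in win if not ok)
        low = sum(1 for _, _, a, _ in win if a <= LOW_AMOUNT)
        if (ip not in alerts
                and len(cards) >= MIN_DISTINCT_CARDS
                and declines / len(win) >= MIN_DECLINE_RATE
                and low / len(win) >= MIN_LOW_AMOUNT_SHARE):
            alerts[ip] = ts
    return alerts


# Constructed sample data: 203.0.113.7 cycles eight cards with $1 payments
# (one is approved); 198.51.100.20 is a returning donor retrying one card.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=20 * i), "203.0.113.7", f"tok_{i:03d}", 1.00, i == 4)
     for i in range(8)]
    + [(T0 + timedelta(minutes=m), "198.51.100.20", "tok_900", 25.00, ok)
       for m, ok in ((1, True), (3, False), (4, True))]
)

if __name__ == "__main__":
    for ip, when in find_card_testing(SAMPLE_EVENTS).items():
        print(f"possible card testing from {ip}, first flagged at {when}")
```

Source IP alone is a weak key when traffic is spread across many addresses, so the same windowing can be keyed on a device fingerprint or session identifier instead.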


While it’s important to reduce friction for valid users, it’s also critical to ensure your security is flexible enough to detect new and potential bad users. Your solution should adjust the amount of friction for each user based on their level of risk to offer a tailored experience. This means adding step-ups only for suspicious activity.


To do this, many companies are leveraging behavioral technologies that detect automated activity at any stage, including checkout. Information such as the type of device, reputation of the IP, account history, or behavioral patterns builds an accurate profile in real time to determine whether it is a real user or a machine. By detecting card testing before it takes place, merchants reduce their authorization decline rate and increase the issuer’s trust in their transactions, optimizing further authorizations.


Behavioral analytics prevent this type of attack by evaluating users in the background, without additional friction.


Real-time fraud management, behavioral analytics and the use of machine learning will become critical to managing a successful payment experience. NuData, for example, analyzes hundreds of behavioral traits such as how users scroll their phones, their typing patterns, or where they prefer to work from. You could invisibly look for deviations in the smallest behavioral traits.


NuData can help guide merchants and issuers to the most seamless experiences to authenticate users. 

