Card testing damages brands – even if it doesn’t happen in your environment

When fraudsters use websites to run a batch of credit cards to find valid ones, it costs you more than a sale. The long-term effects can damage your reputation with customers and issuers.

Credit card testing, also known as card cycling, is a sneaky way of validating stolen credit card credentials. It’s a simple scheme: Fraudsters find a website where they can make purchases with a small dollar amount, as these often go under the radar (donation platforms are common). They write a computer script that cycles through thousands of stolen credit card numbers to find the valid ones, that is, the ones that let them finalize a low-dollar payment.

Afterward, the bad actor has a set of valid card details they can use to fraudulently purchase goods on that or another platform (for later resale), or sell at a premium on the dark web because the cards have already been verified. Because an active card can be used on any company’s online platform, card testing can lead to a fraudulent purchase on your own platform, even if the testing didn’t take place at your checkout.

Naturally, card testing leads to a high decline rate because most of the tested payment information belongs to canceled credit cards or is incomplete. A high decline rate at checkout leads issuers to distrust the merchant. They assume the merchant’s website or verification steps are weak and could lead to chargebacks, so they become more prone to deny purchases from that merchant. Mass card testing can also slow down the merchant’s website, and valid buyers may abandon transactions that take too long.

The resulting damage can range from a higher authorization decline rate for legitimate transactions – due to the issuer’s lower trust in that company – to unhappy customers moving to a competitor to have their purchase finalized. In short: fewer transactions and increased customer churn.

Short-term costs and long-term damage

Credit card testing is on the rise, leading to losses from fraudulent purchases. Our research shows that the average number of card testing events went up almost 70% in the first trimester of 2020 compared to the same period in 2019. As for cost, the average fraudulent purchase across retail companies, based on Mastercard 2019 numbers, is around $140.

To evaluate long-term brand damage, consider the lifecycle of your average customer relationship, and the average purchase value. Compare that to your marketing budget and the average cost of acquiring each new customer. Harvard Business Review reported in 2014 that “acquiring a new customer is anywhere from five to 25 times more expensive than retaining an existing one.”

Proactive ways to prevent card testing

Credit card testing uses the retailer’s existing platforms. To prevent it, it is important to monitor the checkout platform and the traffic that accesses it, and to review every transaction that comes through.

While it’s important to reduce friction for valid users, it’s also critical to ensure your security is flexible enough to detect new and potentially fraudulent users. Your solution should adjust the amount of friction for each user based on their level of risk to offer a tailored experience. This means adding step-ups to suspicious activity only.

To do this, many companies are leveraging behavioral technologies that detect automated activity at any stage, including checkout. Information such as the type of device, the reputation of the IP, account history, and behavioral patterns builds an accurate profile in real time to determine whether the visitor is a real user or a machine. By detecting card testing before it takes place, merchants reduce their authorization decline rate and increase the issuer’s trust in their transactions, optimizing further authorizations.
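As an added illustration (not code from the original article or any vendor), the sketch below applies the pattern described above to checkout authorization logs: one source cycling many distinct cards, mostly declined, for low-dollar amounts within a short window. The log format, the card tokens (a tokenized fingerprint, never the full card number), the IP addresses, and every threshold are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own baseline traffic.
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 5          # too few attempts is not enough evidence
MIN_DISTINCT_CARDS = 5    # a real shopper rarely tries this many cards
MIN_DECLINE_RATE = 0.6    # most tested cards are canceled or incomplete
MAX_SMALL_AMOUNT = 5.00   # testers favor low-dollar payments
MIN_SMALL_SHARE = 0.8     # share of attempts at or below MAX_SMALL_AMOUNT

def parse(line):
    """Parse 'ISO-timestamp source card_token amount outcome' (constructed format)."""
    ts, source, card, amount, outcome = line.split()
    return datetime.fromisoformat(ts), source, card, float(amount), outcome == "approved"

def detect_card_testing(lines):
    """Return {source: stats} for sources whose sliding window looks like card testing."""
    windows = defaultdict(deque)
    flagged = {}
    for ts, source, card, amount, approved in sorted(map(parse, lines)):
        win = windows[source]
        win.append((ts, card, amount, approved))
        while ts - win[0][0] > WINDOW:          # expire events older than the window
            win.popleft()
        attempts = len(win)
        cards = {e[1] for e in win}
        declines = sum(1 for e in win if not e[3])
        small = sum(1 for e in win if e[2] <= MAX_SMALL_AMOUNT)
        if (attempts >= MIN_ATTEMPTS and len(cards) >= MIN_DISTINCT_CARDS
                and declines / attempts >= MIN_DECLINE_RATE
                and small / attempts >= MIN_SMALL_SHARE):
            flagged[source] = {"attempts": attempts, "distinct_cards": len(cards),
                               "decline_rate": round(declines / attempts, 2)}
    return flagged

# Constructed sample: one scripted source cycling cards, plus ordinary shoppers.
SAMPLE = [f"2020-04-01T12:00:{i:02d} 203.0.113.7 tok_{i:03d} 1.00 "
          f"{'approved' if i % 6 == 0 else 'declined'}" for i in range(12)]
SAMPLE += [
    "2020-04-01T12:01:00 198.51.100.20 tok_a01 42.50 declined",
    "2020-04-01T12:01:40 198.51.100.20 tok_a01 42.50 approved",
    "2020-04-01T12:03:00 198.51.100.31 tok_b77 3.00 approved",
]

if __name__ == "__main__":
    for source, stats in detect_card_testing(SAMPLE).items():
        print(source, stats)
```

A flagged source is a candidate for step-up friction rather than an automatic block, since shared IPs can carry legitimate shoppers as well.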

 
