What is carding?
Carding is the attempt by fraudsters to find valid card numbers by attempting many transactions on an ecommerce site, each with a different card number. Once a card number is accepted, it's then used on another site for a fraudulent transaction.
Fraudsters are mining credit card numbers to see which ones have no security and can be used in fraudulent transactions.
How to prevent carding on my ecommerce store
- Increase the fraud scoring rules so as to trap more suspect card transactions. This is done in your merchant account settings.
- Implement 3D Secure on all transactions.
- Avoid auto-clearing of micro-payments with little authentication.
- Prevent multiple payment submissions from the same IP address in a given period of time with different cards. These are known as velocity alerts.
- Use the redirect method of payment where possible, so that card number collection is off-site.
- Avoid remote methods of payment, where you take the card details on your site and pass them encrypted to the processor.
- Tighten your web hosting firewall.
- Use an external service like MaxMind or other services (Google "credit card fraud detection services").
- Create alerts for multiple invocations of the payment button on one transaction. A human may fail a few times but not more than 10; after that it's suspect.
- Use AVS
The Address Verification System compares the billing address given at checkout to the address the credit card company has on file for the customer. The result of this comparison is immediately sent to you. Common AVS responses are:
Y (a full match)
A (only the address matches)
Z (ZIP code match only)
N (no match at all)
You can set the level of match you require for the credit card to progress.
- Increase the security on your ecommerce site and put a CAPTCHA on the checkout. Use a CAPTCHA that verifies the device rather than presenting puzzles to the shopper.
- The main purpose of a CAPTCHA is to prevent payment attempts from being sent by an automated script, as human input is required to solve the CAPTCHA. By forcing potential fraudsters to do their carding manually, you make your online store a less appealing target for carding activity.
It's important to keep in mind that adding CAPTCHA validation to your checkout process will have a negative impact on your conversion rate, since it adds friction to your checkout flow and it's not a common element of an online store checkout. This needs to be weighed against chargeback incidents.
- Adding a CAPTCHA does not stop carding. It only stops some robotic carding processes. (Update 2023: most CAPTCHAs are now crackable and CAPTCHA is rapidly becoming redundant.)
- Not processing the card payment immediately and opting for delayed settlement may be a safer option while you judge each payment for fraud.
- Use Cloudflare ( I get no commission for this BTW )
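The velocity alerts, the payment-button attempt counter and the AVS match level described in the list above can all be checked from a payment attempt log. The following is an added example, not code from the original post or from any payment provider: it assumes a hypothetical whitespace-separated log format (timestamp, client IP, order id, a card fingerprint as returned by the processor, AVS code, processor result), a constructed sample of eight attempts, and illustrative thresholds (3 distinct cards per IP in 10 minutes, 10 attempts per order) that a merchant would tune in their own dashboard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of payment attempts (not real traffic). Full card numbers
# are never logged; "card" is a hypothetical fingerprint token for the card.
# Fields: timestamp, client IP, order id, card fingerprint, AVS code, result.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.5 ORD-1001 fp-a1 Y approved
2023-05-01T10:00:09 203.0.113.5 ORD-1001 fp-b2 N declined
2023-05-01T10:00:15 203.0.113.5 ORD-1001 fp-c3 N declined
2023-05-01T10:00:22 203.0.113.5 ORD-1001 fp-d4 N declined
2023-05-01T10:00:30 203.0.113.5 ORD-1001 fp-e5 Z declined
2023-05-01T10:00:41 203.0.113.5 ORD-1001 fp-f6 N declined
2023-05-01T10:05:00 198.51.100.7 ORD-1002 fp-g7 A approved
2023-05-01T10:40:00 198.51.100.7 ORD-1003 fp-h8 Y approved
"""

# Illustrative thresholds (assumed values; tune to your own store's traffic).
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX_CARDS = 3        # distinct cards from one IP inside the window
ORDER_MAX_ATTEMPTS = 10       # payment attempts on one order before it is suspect
AVS_ACCEPT = {"Y", "A", "Z"}  # AVS match levels the merchant chooses to accept


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, order, card, avs, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "order": order,
                       "card": card, "avs": avs, "result": result})
    return events


def velocity_alerts(events, window=VELOCITY_WINDOW, max_cards=VELOCITY_MAX_CARDS):
    """Velocity alert: IPs that submit more than max_cards distinct cards within
    any sliding window of the given length. Returns {ip: peak distinct cards}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until evs[start:end+1] fits in the window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["card"] for e in evs[start:end + 1]}
            if len(distinct) > max_cards:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


def order_attempt_alerts(events, max_attempts=ORDER_MAX_ATTEMPTS):
    """Orders on which the payment button was invoked more than max_attempts times."""
    counts = defaultdict(int)
    for e in events:
        counts[e["order"]] += 1
    return {order: n for order, n in counts.items() if n > max_attempts}


def avs_decision(event, accept=AVS_ACCEPT):
    """Apply the merchant's chosen AVS match level to one authorization result.
    Only processor-approved attempts reach the AVS check; anything outside the
    accepted match levels is held for manual review rather than auto-cleared."""
    if event["result"] != "approved":
        return "declined-by-processor"
    return "accept" if event["avs"] in accept else "hold-for-review"


def review_batch(text):
    """Run all three checks over a log and return a summary dict."""
    events = parse_log(text)
    return {
        "velocity": velocity_alerts(events),
        "order_attempts": order_attempt_alerts(events),
        "avs": {e["order"] + "/" + e["card"]: avs_decision(e) for e in events},
    }


if __name__ == "__main__":
    for name, value in review_batch(SAMPLE_LOG).items():
        print(name, value)
```

With the constructed sample, the first IP trips the velocity alert (six distinct cards in 41 seconds) although its six attempts on ORD-1001 stay under the ten-attempt limit, which is why the two checks complement each other: a velocity alert catches a fast burst across cards, the attempt counter catches a slow grind on one order. Tightening `AVS_ACCEPT` to `{"Y"}` would hold the partial-match approval on ORD-1002 for review instead of clearing it.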
What are payment providers doing?
- Some are charging their merchants for every attempt to process a card regardless of the outcome. Read your T&Cs carefully.
- Some are freezing merchant accounts.
- Some are putting in place software to rebuff the carding attack based on frequency, IP addresses and other methods mentioned above.
- Some have fraud dashboards – be sure not to leave them at default settings.
Summary:
- You need to look closely at your payment processor agreement to see if you are liable for charges in the case of a carding attack. If so, what is the scope of the charges?
- Harden your payment gateways for maximum security.
- Do not presume all is well until you hear from your payment processor; by then it may be too late and you may have a bill for thousands.
- Look at your fraud settings in your payment provider dashboard and make sure they are set correctly.
Recent observation across ecommerce stores is showing that payment providers with cheaper card processing fees are loading more responsibility onto the merchant with higher chargeback fees, and taking less responsibility for carding attacks.
If charged for carding, ask for evidence and detailed logs with IP addresses, timestamps and other information to justify the charge. This information will also help you to increase your security if you have not already done so.
Author : Sean Owens md of willows consulting a specialist ecommerce agency based in Dublin Ireland