WooCommerce Stores are the #1 Target of Card Testers
Card testing is a type of fraud where criminals use stolen credit card information to make small purchases on online stores, in order to verify which cards are valid and can be used for larger transactions later. This can cause serious problems for WooCommerce merchants, who may face increased disputes, fees, and damage to their reputation.
In this article, we will explain what card testing is, how it affects WooCommerce merchants, and what you can do to prevent or limit its impact on your business.
What is card testing and how does it work?
Card testing, also known as carding or card checking, is a technique used by fraudsters to test the validity of stolen credit card numbers. They do this by making many small purchases on different online stores, using different cards for each transaction. The goal is to find out which cards are active and have sufficient funds, and which ones are expired, canceled, or have insufficient funds.
Card testing can be done manually or automatically, using bots or scripts that can generate hundreds or thousands of transactions in a short period of time. The fraudsters usually target online stores that sell low-cost items or services, such as digital downloads, subscriptions, or donations. They may also look for stores that have weak security measures, such as no captcha, no fraud protection rules, or no verification of billing address or zip code.
The fraudsters do not care about the products or services they are buying; they only care about the confirmation or decline messages they receive from the payment gateway. Once they find a valid card, they can use it for larger purchases on other sites, or sell it to other criminals on the dark web.
How does card testing affect WooCommerce merchants?
Card testing can have serious consequences for WooCommerce merchants, such as:
– Increased disputes: If the cardholders notice the unauthorized charges on their statements, they may file disputes or chargebacks with their banks, claiming that they did not authorize the transactions. This can result in lost revenue, fees, and penalties for the merchant.
– Increased fees: Some payment gateways charge fees for each transaction, regardless of whether it is successful or not. This means that the merchant may end up paying fees for transactions that were declined or refunded due to card testing.
– Increased decline rates: If the payment gateway detects a high volume of declined transactions from a single source, it may flag the merchant as high-risk and increase the decline rate for future transactions. This can affect the merchant’s ability to accept payments from legitimate customers.
– Damaged reputation: If the customers receive multiple emails or notifications about failed transactions from the merchant’s site, they may lose trust and confidence in the merchant’s security and reliability. This can lead to lower conversion rates, customer satisfaction, and loyalty.
What can you do to prevent or limit card testing?
There are several steps you can take to protect your WooCommerce store from card testing attacks, such as:
– Monitor transactions: You should review your incoming orders regularly and look for signs of suspicious activity, such as multiple orders from the same IP address, orders with different billing and shipping addresses, orders with mismatched zip codes or countries, orders with low amounts or unusual items, etc. OpenPath can monitor the transactions for you and send an email or text alert when card testing is detected.
You should also check the risk level column on the Payments > Transactions page in your dashboard, which will indicate if a transaction has elevated risk of being fraudulent. If you find any risky transactions, you should contact the customer before fulfilling the order, or refund the order as a precaution.
– Configure fraud protection rules: You can use the fraud protection feature in WooPayments to set up rules that will block certain transactions based on criteria such as amount, country, zip code, etc. For example, you can block orders that are less than $5.00, orders from countries you do not ship to, orders with zip codes that do not match the billing address, etc. You may need to adjust your rules depending on the pattern of the attack and your business needs. For a full list of rule parameters, visit: How Rules Work
– Use captcha: You can add a captcha to your checkout page to prevent bots or scripts from submitting fake orders. A captcha is a challenge-response test that requires human interaction to complete. For example, you can use Google reCAPTCHA v3, which assigns a score to each user based on their behavior so that suspicious ones can be blocked.
– Use verification tools: You can use additional verification tools to confirm the identity of the cardholder and prevent unauthorized charges. For example, you can use 3D Secure (also known as Verified by Visa or Mastercard SecureCode), which will prompt the cardholder to enter a password or a one-time code sent to their phone or email. You can also use Address Verification System (AVS), which will compare the billing address entered by the customer with the one on file with the card issuer.
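The signs listed under "Monitor transactions" can be checked automatically over an export of payment attempts. The following is an added example, not code from the original article, OpenPath or WooPayments; the record layout, the card fingerprint field and all thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of payment attempts (not real data):
# (timestamp, client IP, card fingerprint, amount in USD, gateway outcome)
ATTEMPTS = [
    ("2024-05-01T10:00:05", "203.0.113.7", "card_01", 1.00, "declined"),
    ("2024-05-01T10:00:19", "203.0.113.7", "card_02", 1.00, "declined"),
    ("2024-05-01T10:00:41", "203.0.113.7", "card_03", 1.00, "approved"),
    ("2024-05-01T10:01:02", "203.0.113.7", "card_04", 1.00, "declined"),
    ("2024-05-01T10:01:30", "203.0.113.7", "card_05", 1.00, "declined"),
    ("2024-05-01T10:03:00", "198.51.100.20", "card_90", 49.99, "declined"),
    ("2024-05-01T10:04:10", "198.51.100.20", "card_90", 49.99, "approved"),
    ("2024-05-01T08:00:00", "192.0.2.44", "card_21", 3.00, "declined"),
    ("2024-05-01T09:30:00", "192.0.2.44", "card_22", 3.00, "declined"),
    ("2024-05-01T11:00:00", "192.0.2.44", "card_23", 3.00, "declined"),
    ("2024-05-01T12:30:00", "192.0.2.44", "card_24", 3.00, "declined"),
    ("2024-05-01T14:00:00", "192.0.2.44", "card_25", 3.00, "declined"),
]

# Assumed thresholds; tune them to your store's normal traffic.
WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 5
MIN_DISTINCT_CARDS = 4
MIN_DECLINE_RATIO = 0.6
LOW_AMOUNT = 5.00

def find_card_testing(attempts):
    """Return {ip: stats} for IPs whose busiest sliding window meets every threshold."""
    recent = defaultdict(deque)  # ip -> attempts still inside the window
    flagged = {}
    for ts, ip, card, amount, outcome in sorted(attempts):
        now = datetime.fromisoformat(ts)
        window = recent[ip]
        window.append((now, card, amount, outcome))
        while now - window[0][0] > WINDOW:  # drop attempts older than WINDOW
            window.popleft()
        n = len(window)
        cards = {w[1] for w in window}
        declined = sum(1 for w in window if w[3] == "declined")
        if (n >= MIN_ATTEMPTS and len(cards) >= MIN_DISTINCT_CARDS
                and declined / n >= MIN_DECLINE_RATIO
                and n > flagged.get(ip, {}).get("attempts", 0)):
            flagged[ip] = {"attempts": n, "distinct_cards": len(cards), "declined": declined,
                           "low_amount": sum(1 for w in window if w[2] < LOW_AMOUNT)}
    return flagged

if __name__ == "__main__":
    print(find_card_testing(ATTEMPTS))
```

Only the burst from 203.0.113.7 is flagged: the customer who retried one card and the address whose declines are spread across the day never reach five attempts inside one window.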
In Conclusion
Card testing is a serious threat for WooCommerce merchants, as it can result in increased disputes, fees, decline rates, and damage to their reputation. However, by following the steps above, you can prevent or limit the impact of card testing on your business and ensure a safe and smooth checkout experience for your customers.
To learn more about how OpenPath helps the largest merchants in the country, book a demo here.
By: Joseph Watkins