How do I respond to card testing attacks?

Under attack? See this link for how to respond to card testing.

Card testing is a type of fraud where the perpetrator obtains a large amount of stolen credit card data, and then attempts to determine which of those cards are valid. They often do this by making many individual purchases, each with a different card. Other terms for this activity include “carding” or “card checking.”

Though rare, the potential for a card testing attack is an unavoidable part of running an online business. WooPayments does have some built-in measures to prevent or limit the impact of such attacks, but ultimately, merchants are responsible for their own fraud prevention techniques.

Fortunately, there are many ways you can prevent card testing from harming your site, most of which are not specific to WooPayments. Please see the sections below for more info on carding prevention measures that are specific to WooPayments.

Configure fraud protection rules

Our fraud protection feature offers various rules which you can use to block suspicious orders before the customer is charged. These rules can be a useful tool in the fight against carding attacks, especially if there’s a noticeable pattern to the attack.

For example, during an attack where the orders all contain an inexpensive item, you should consider adjusting your fraud protection rules to block those.

Blocking orders that are <$5.00

Because card testing attacks can be very sophisticated and change tactics during the attack, you may need to monitor the effectiveness of your rules and adjust them until the attack is over. Usually the attackers will move on in time.
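One way to check whether an order-total rule is still doing its job, as an added example that is not WooPayments code: it compares how much of the attack-window traffic a "block orders under X" rule would stop against how many normal orders it would also block. The order totals are constructed sample data, and the function names and the `min_catch` / `max_collateral` limits are assumptions chosen for illustration.

```python
from decimal import Decimal

# Constructed sample data: order totals from a normal week (baseline) and
# from the hours in which the suspicious orders arrived (attack window).
BASELINE = [Decimal(t) for t in ("24.99", "3.50", "59.00", "18.00", "4.25",
                                 "32.10", "75.00", "12.99", "45.00", "27.50")]
ATTACK = [Decimal(t) for t in ("1.00", "1.00", "2.49", "1.00", "2.49",
                               "1.00", "39.00", "1.00", "2.49", "1.00")]


def blocked_share(totals, threshold):
    """Fraction of orders a 'block orders under threshold' rule would stop."""
    if not totals:
        return 0.0
    return sum(1 for t in totals if t < threshold) / len(totals)


def evaluate(threshold, attack=ATTACK, baseline=BASELINE):
    """Return (share of attack-window orders blocked, share of normal orders blocked)."""
    return blocked_share(attack, threshold), blocked_share(baseline, threshold)


def pick_threshold(candidates, attack=ATTACK, baseline=BASELINE,
                   min_catch=0.8, max_collateral=0.1):
    """Lowest candidate that blocks at least min_catch of the attack-window
    orders while blocking at most max_collateral of normal orders, or None
    when no candidate qualifies (the pattern is no longer about order total)."""
    for threshold in sorted(candidates):
        caught, collateral = evaluate(threshold, attack, baseline)
        if caught >= min_catch and collateral <= max_collateral:
            return threshold
    return None


if __name__ == "__main__":
    candidates = [Decimal("2.00"), Decimal("3.00"), Decimal("5.00")]
    for candidate in candidates:
        caught, collateral = evaluate(candidate)
        print(f"under ${candidate}: blocks {caught:.0%} of attack-window orders, "
              f"{collateral:.0%} of normal orders")
    print("suggested threshold:", pick_threshold(candidates))
```

Rerunning this on fresh order totals whenever the attack changes shape shows when a rule has stopped matching; a `None` result means the order total is no longer the distinguishing pattern and a different rule is needed.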

Issuing bulk refunds

As our main carding document mentions, refunding any successful orders that you suspect are unauthorized is of the utmost importance!

To that end, WooPayments is unlike most other payment gateways in that our staff has access to the backend payments system. We can, if needed, issue bulk refunds.

Therefore, if more than 20 or so unauthorized orders were placed successfully via WooPayments, let our support staff know. We can help refund those transactions in bulk. Similarly, if the transactions are not linked to WooCommerce orders (making it impossible to refund them), inform us of that in your email as well.
