Under attack? See this section for how to respond to card testing.
Card testing is a type of fraud where the perpetrator first obtains a large amount of stolen credit card information, and then attempts to determine which of those cards are valid. They do this by making many individual purchases, each with a different card. Other terms for this activity include “carding” or “card checking.”
Though such attacks are usually rare, the potential for a card testing attack is an unavoidable part of running an online business. WooCommerce Payments does have some built-in measures to prevent or limit the impact of such attacks, but ultimately merchants are responsible for their own fraud prevention.
Fortunately, there are many ways you can prevent card testing from harming your site. We’ve explained a few of these methods below, as well as provided a quick response checklist you can use if your site is attacked in this way.
We recommend reviewing your incoming orders regularly and refunding ones that look risky.
To help detect potentially fraudulent charges, WooCommerce Payments provides a Risk Level column on the Payments > Transactions page. This column will display Elevated on transactions that are not considered risky enough to block automatically, but do have some suspicious signals. For Elevated transactions, you should try to contact the customer before fulfilling the order. If you do not receive a response, consider refunding the order.
Another common sign of card testing is a large increase in the number of orders being assigned the Failed status. These orders may contain multiple notes about cards being declined. This is because it’s common for card testers to attack a site with hundreds (or even thousands!) of stolen card numbers in a short period of time.
It’s important to note that these orders do not represent missed sales, nor are they caused by issues with your checkout that could prevent legitimate buyers from completing payments. However, card testing can cause other issues for your business, such as an increase in disputes and card decline rates, negatively impacting the reputation of your business.
As noted above, WooCommerce Payments has built-in measures to prevent fraud. We also work closely with our payments partner to develop new strategies to prevent card testing attacks.
However, no fraud prevention system is perfect! Because of this, there are some additional measures you can take to protect your store.
- Install a CAPTCHA plugin, such as reCaptcha for WooCommerce or Google reCaptcha for WooCommerce. Either of these plugins will insert a mandatory bot detection mechanism into your checkout process, which can help prevent automated fraud.
- WooCommerce Anti-Fraud is a powerful and flexible extension that allows you to configure various rules that, when triggered, will block the offending transactions.
- Avoid pay-what-you-want or donation products with no minimum. Fraudsters often use these to make very small transactions that may not be noticed by the cardholder.
If you choose to install one or more of the above plugins, be sure to read the documentation for them thoroughly. If the plugins are not configured correctly, they will offer little or no protection!
If your site is experiencing a card testing attack, follow the steps below.
Keep in mind that the most important step is to refund any orders you suspect to be fraud! Doing so avoids the possibility of the true cardholder disputing the purchase in the future, which could cost your business money in dispute fees.
- In your site’s dashboard, go to Payments > Settings.
- Uncheck the “Enable WooCommerce Payments” box.
- Scroll to the bottom of the page and click Save Changes.
- This will prevent further orders from coming in via WooCommerce Payments, while leaving the plugin itself active so that you can complete the next steps.
- Consider installing some plugins that can help prevent card testing. These are listed in the Prevent Card Testing section above.
- Contact our support staff. They are trained to assist with card testing incidents, and can provide specialized help.
- Refund any successful orders you suspect to be fraudulent!
- If more than 20 or so fraudulent orders were successful, let our support staff know. We can help refund those transactions in bulk.
- Similarly, if the transactions are not linked to WooCommerce orders (making it impossible to refund them), inform us of that in your email as well.
- Once the successful transactions have been refunded and the card testing attack has ended, you can re-enable WooCommerce Payments under Payments > Settings.