Under attack? See this section for how to respond to card testing.
Card testing is a type of fraud where the perpetrator first obtains a large amount of stolen credit card information, and then attempts to determine which of those cards are valid. They do this by making many individual purchases, each with a different card. Other terms for this activity include “carding” or “card checking.”
Though they are usually rare, the potential for a card testing attack is an unavoidable part of running an online business. WooCommerce Payments does have some built-in measures to prevent or limit the impact of such attacks, but ultimately, merchants are responsible for their own fraud prevention.
Fortunately, there are many ways you can prevent card testing from harming your site. We’ve explained a few of these methods below, as well as provided a quick response checklist you can use if your site is attacked in this way.
Monitor transactions↑ Back to top
We recommend reviewing your incoming orders regularly and refunding ones that look risky.
To help detect potential fraudulent charges, WooCommerce Payments has a Risk Level column on the Payments > Transactions page. This column will display Elevated for transactions that aren’t considered risky enough to be blocked automatically but do have suspicious signals.
For Elevated transactions, you should try to contact the customer before fulfilling the order. If you do not receive a response, consider refunding the order as a precaution.
Another common sign of card testing is a large increase in the number of orders being assigned the Failed status. These orders may contain multiple notes about cards being declined. This is because it’s common for card testers to attack a site with hundreds (or even thousands!) of stolen card numbers in a short period of time.
It’s important to note that these orders do not represent missed sales, nor are they caused by issues with your checkout that could prevent legitimate buyers from completing payments. However, card testing can cause other issues for your business, such as an increase in disputes and card decline rates, negatively impacting the reputation of your business.
Configure fraud protection rules↑ Back to top
Our fraud protection feature offers various rules which you can use to block suspicious orders before the customer is charged. These rules can be a useful tool in the fight against carding attacks, especially if there’s a noticeable pattern to the attack.
For example, consider a carding attack where the fraudulent orders are all “purchasing” a very inexpensive item. In such a case, you should strongly consider adjusting your fraud protection rules to block them.
Because card testing attacks can be very sophisticated and change tactics during the attack, you may need to monitor the effectiveness of your rules and adjust them until the attack is over.
Prevent card testing↑ Back to top
Although we do work closely with our payments partner to develop new strategies for preventing card testing attacks, it’s important to note that no fraud prevention system is perfect. Thus, there are some additional measures you can take to protect your store.
- Install a CAPTCHA plugin, such as reCaptcha for WooCommerce or Google reCaptcha for WooCommerce. Either of these plugins will insert a mandatory bot detection mechanism into your checkout process, which can help prevent automated fraud.
- WooCommerce Anti-Fraud is an extension that allows you to set up complex rules that, when triggered, will block the offending transactions. This extension offers even more power and flexibility than the fraud protection rules built into WooCommerce Payments.
- Avoid pay-what-you-want or donation products with no minimum. Fraudsters often use these to make very small transactions that may not be noticed by the cardholder.
If you choose to install one or more of the above plugins, be sure to read the documentation for them thoroughly. If the plugins are not configured correctly, they will offer little or no protection!
Respond to an attack↑ Back to top
If your site is experiencing a card testing attack, follow the steps below.
Keep in mind that the most important step is to refund any orders you suspect to be fraud! Doing so avoids the possibility of the true cardholder disputing the purchase in the future, which could cost your business money in dispute fees.
- In your site’s dashboard, go to Payments > Settings.
- Uncheck the “Enable WooCommerce Payments” box.
- Scroll to the bottom of the page and click Save Changes.
- This will prevent further orders from coming in via WooCommerce Payments, while leaving the plugin itself active so that you can complete the next steps.
- Review any successful orders that seem fraudulent. Try to find a common pattern which you can use to prevent similar transactions using the fraud protection rules mentioned above.
- Consider installing some plugins that can help prevent card testing. These are listed in the Prevent Card Testing section above.
- Contact our support staff. They are trained to assist with card testing incidents, and can provide specialized help.
- Refund any successful orders you suspect to be fraudulent!
- If more than 20 or so fraudulent orders were successful, let our support staff know. We can help refund those transactions in bulk.
- Similarly, if the transactions are not linked to WooCommerce orders (making it impossible to refund them), inform us of that in your email as well.
- Once the successful transactions have been refunded and the card testing attack has ended, you can re-enable WooCommerce Payments under Payments > Settings.