Over the past year, we have seen a steady rise in fraudulent Card Authorization Testing. This activity – also known more simply as auth testing – occurs when fraudsters steal a credit card number then test it with a small purchase on an unsuspecting merchant to see if the transaction gets authorized. If it does, then they start racking up bigger charges on the stolen card number.
To make matters worse, software applications known as bots can be programmed to test anywhere from hundreds to tens of thousands of stolen payment card numbers on a single digital checkout site. The bot allows the fraudster to automate the transactions at a rapid speed, testing the account status of the stolen payment card numbers.
With eCommerce more prominent than ever, this fraudulent activity can cost you valuable dollars, as every transaction comes with an authorization cost. It is important to be aware of the risk and costs to your business associated with fraudulent auth testing, along with ways to help combat it.
Five preventive measures
Here are several things you can do to minimize the risk of falling victim to fraudulent auth testing.
- Continually review high-ticket transactions or unusually low-ticket transactions. Many fraudsters auth test for as little as a penny. Business owners can set a transaction threshold so that a transaction that seems oddly low, or much higher than their average transactions, is automatically declined or pended for later.
- Require more information when setting up pay fields, which will make auth testing more difficult. Many pay fields simply require the credit card information, but adding email addresses, phone numbers and addresses makes auth testing less likely, as fraudsters need to build a much longer script with all that information.
- Since authorization testing often happens in large groups of transactions within a small period of time, set hourly or daily velocity limits within your payment acceptance platform. The goal is to specify an upper limit on the number of transactions expected within the selected timeframe for a specific IP address.
- Be especially cautious if you use an outside vendor to develop your eCommerce website. Coders may leave HTML source code exposed or accessible, leaving the door wide open for fraudsters to auth test thousands of cards through your website. Talk to your vendor about making sure your source code is well hidden.
- Scan systems for malware or spyware regularly.
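To show how the transaction threshold and the per-IP velocity limit from the list above work together, here is an added example (not code from this article or from any payment platform). The function name, the threshold values and the sample transactions are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; tune them to your own sales history.
MIN_AMOUNT = 1.00        # below this, treat as a likely test charge
MAX_AMOUNT = 500.00      # far above the average ticket: pend for later
MAX_PER_IP = 5           # upper limit of expected attempts per IP...
WINDOW_SECONDS = 3600    # ...within one hour


def screen(attempts, min_amount=MIN_AMOUNT, max_amount=MAX_AMOUNT,
           max_per_ip=MAX_PER_IP, window=WINDOW_SECONDS):
    """Return a (decision, reason) pair for each attempt.

    attempts: list of (unix_time, ip, amount) tuples, sorted by time.
    Every attempt counts toward the IP's velocity, including declined
    ones, because auth testing shows up as attempts, not completed sales.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    results = []
    for ts, ip, amount in attempts:
        seen = recent[ip]
        while seen and ts - seen[0] >= window:   # drop expired entries
            seen.popleft()
        seen.append(ts)
        if len(seen) > max_per_ip:
            results.append(("decline", "velocity"))
        elif amount < min_amount:
            results.append(("decline", "low_amount"))
        elif amount > max_amount:
            results.append(("pend", "high_amount"))
        else:
            results.append(("approve", "ok"))
    return results


# Constructed sample data: one regular customer and one IP sending a burst
# of penny charges, then normal-looking amounts once the pennies fail.
BURST = [(1000 + 2 * i, "203.0.113.7", 0.01 if i <= 5 else 5.00)
         for i in range(1, 9)]
SAMPLE = ([(1000, "198.51.100.20", 42.50)] + BURST +
          [(1100, "198.51.100.20", 899.00), (5000, "203.0.113.7", 25.00)])

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE, screen(SAMPLE)):
        print(attempt, "->", verdict)
```

In the sample, the amount threshold stops the penny charges, and the velocity limit stops the same IP when it switches to amounts that would otherwise pass.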
Please note that if you use Converge, most of these security measures are built-in options within the platform that just need to be enabled. We can help you get these security settings turned on. If you use a different company for online payment acceptance, we encourage you to contact them to find out what security settings are available to you.
This article was originally published in Elavon’s Payment Smart newsletter. The Washington Hospitality Association’s payments processing system is backed by U.S. Bank/Elavon.