This article was originally published in Elavon’s Payment Smart newsletter. Find out more about our program with U.S. Bank/Elavon here.

It’s hard to know what payment fraud defense strategies you need based on the varying types of fraud attacks. Our partner, U.S. Bank, has guidance from their Loss Prevention teams for combating one of the fastest growing forms of eCommerce fraud – authorization (auth) testing.

How it works
Fraudsters attempt to test stolen payment card numbers with a small online purchase from an unsuspecting merchant to see if the card payment gets authorized. If it does, they quickly start racking up bigger charges on the stolen card. Since every transaction comes with an authorization cost, this fraudulent activity can cost you valuable dollars and put your business at risk of chargebacks, lost revenue and a decrease in customer trust.

Common indicators of fraudulent auth testing

  • Unusually high card-authorization volume for low dollar amounts in a short period of time. Many fraudsters auth test for as little as one penny.
  • High identical authorization request volume.
  • A significant increase in declines and specific decline codes.
  • A significant increase in issuing bank/payment brand authorization mismatches.1

If you identify any of these fraudulent auth testing indicators, contact technical support for your payment processor.

Prevention measures

  1. Set hourly or daily velocity limits within your payment acceptance platform, and monitor for large groups of transactions within a small period of time.
  2. If you use an outside vendor to develop your eCommerce website, ensure no HTML source code is left exposed or accessible.
  3. Require more than card information for payment authorization. Include pay fields for email address, phone number and cardholder address.
  4. Scan systems for malware or spyware regularly.
  5. Consider employing some of these common fraud-deterrent tools:
    • Firewalls – These are network security systems that monitor and control incoming and outgoing network traffic based on predetermined security rules and transaction parameters.
    • CAPTCHA or reCAPTCHA – A program or system aimed at distinguishing human input from bots with images.
    • Honeypots – These are decoy systems that operate alongside production systems that lure in fraudsters.
    • Device fingerprinting – Helps identify bots with technology that detects the originating device.
    • Keystroke recognition – Another biometric tool that uses the unique manner in which an individual types to recognize as human and not a bot.

1https://www.jpmorgan.com/merchant-services/insights/card-testing-prevention*