It can be challenging to know what payment fraud defense strategies you need based on the varying types of fraud attacks. The loss prevention teams for our US Bank-backed payment processing program offer guidance for combating one of the fastest-growing forms of eCommerce fraud – authorization (auth) testing.

How it works

Fraudsters test stolen payment card numbers with a small online purchase to see if the stolen number can be authorized. If it works, the fraudsters quickly start racking up more expensive charges on the stolen card. Since every transaction comes with an authorization cost, this fraudulent activity can cost you valuable dollars and put your business at risk of chargebacks, lost revenue, and a decrease in customer trust.

Common indicators of fraudulent authorization testing

  • Unusually high card authorization volume for low dollar amounts in a short period of time. Many fraudsters auth test for as little as one penny.
  • Frequent identical authorization request volume.
  • A significant increase in declines and specific decline codes.
  • A significant increase in issuing bank/payment brand authorization mismatches.

If you see any of these fraudulent auth testing indicators, contact your software technical support.

Prevention measures

  1. Set hourly or daily velocity limits within your payment acceptance platform and monitor for large groups of transactions within a short period of time.
  2. If you use an outside vendor to develop your eCommerce website, ensure no HTML source code is left exposed or accessible.
  3. Require more than card information for payment authorization. Include pay fields for email address, phone number, and cardholder address.
  4. Scan systems for malware or spyware regularly.
  5. Consider employing some of these common fraud-deterrent tools:
    • Firewalls – Network security systems that monitor and control incoming and outgoing network traffic based on predetermined security rules and transaction parameters.
    • CAPTCHA or reCAPTCHA – Program or system that uses images to distinguish human input from bots.
    • Honeypots – Decoy systems that operate alongside production systems to lure in fraudsters.
    • Device fingerprinting – Technology that detects the originating device to help identify bots.
    • Keystroke recognition – Another biometric tool that uses the unique manner in which an individual types to recognize the user as a human and not a bot.
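
The velocity limit from prevention measure 1, combined with the low-amount, identical-request and decline indicators listed earlier, can be checked with a sliding window over authorization attempts. This is an added example, not code from Elavon or any payment platform; the thresholds, the event tuple layout, the function name and the sample data are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to your own traffic.
WINDOW = timedelta(minutes=10)
MAX_AUTHS = 5            # velocity limit per source within WINDOW
LOW_AMOUNT = 2.00        # ceiling for a "low dollar" authorization
MAX_DECLINE_RATIO = 0.5  # share of declines treated as a spike

def detect_auth_testing(events):
    """Return {source: set of reasons} for sources whose attempts match the
    indicators. `events` are (timestamp, source, amount, approved) tuples
    sorted by time; `source` is any grouping key (IP address, device id)."""
    windows, flagged = {}, {}
    for ts, source, amount, approved in events:
        win = windows.setdefault(source, deque())
        win.append((ts, amount, approved))
        while ts - win[0][0] > WINDOW:       # drop attempts older than WINDOW
            win.popleft()
        if len(win) <= MAX_AUTHS:
            continue                         # still under the velocity limit
        reasons = flagged.setdefault(source, set())
        reasons.add("velocity")
        amounts = [a for _, a, _ in win]
        if all(a <= LOW_AMOUNT for a in amounts):
            reasons.add("low_amount_burst")
        if len(set(amounts)) == 1:
            reasons.add("identical_requests")
        declines = sum(1 for _, _, ok in win if not ok)
        if declines / len(win) >= MAX_DECLINE_RATIO:
            reasons.add("decline_spike")
    return flagged

# Constructed sample data: one source sending one-penny authorizations every
# 30 seconds (mostly declined) and one ordinary shopper.
_t0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = sorted(
    [(_t0 + timedelta(seconds=30 * i), "203.0.113.7", 0.01, i % 4 == 0)
     for i in range(8)]
    + [(_t0 + timedelta(minutes=m), "198.51.100.20", amt, True)
       for m, amt in [(1, 42.50), (3, 18.99)]]
)

if __name__ == "__main__":
    for source, reasons in detect_auth_testing(SAMPLE).items():
        print(source, sorted(reasons))
```

The issuing bank/payment brand mismatch indicator is not covered here because it depends on response fields specific to each processor.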

This article was originally published in Elavon’s Payment Smart newsletter. The Washington Hospitality Association’s payment processing program is backed by U.S. Bank/Elavon.