Protect against credit card testing
Learn what Give Lively and Stripe do to forestall credit card testing, and what additional voluntary efforts you can make to do even more.
What is credit card testing?
Also known as “carding,” “account testing” and “card checking,” credit card testing is how criminals determine if illegally obtained credit card numbers — bought on the dark web, stolen or collected through phishing and spyware — are valid for fraudulent use.
The testing is accomplished by attempting low-value online purchases or donations through a merchant’s or nonprofit’s website. The details of any card discovered to be viable (those that haven't been canceled) are then used for larger purchases.
If done manually, credit card testing is slow and laborious. However, criminals with access to networks of compromised computers can program botnets to run many hundreds, or even thousands, of small transactions in a short amount of time.
Nonprofits, especially those with a well-established public profile, are sometimes selected for credit card testing because less information is needed to process a donation than a typical e-commerce purchase, and donations can be as low as $1, an amount small enough that cardholders may not notice it on a statement.
IMPORTANT: If your nonprofit’s website is used for credit card testing, take a breath and remember three things:
- Your website has likely not been compromised.
- The security of Give Lively’s services, including its donation forms, has probably not been breached.
- There are steps you can take to protect against ongoing use of your website for credit card testing.
What does Give Lively do to protect against credit card testing?
Give Lively has implemented several measures to forestall credit card testing. These tactics are not foolproof, because card testers are always finding ways to work around blocks. However, our system’s protections do make it much more difficult for card testers to proceed.
Our tactics include, but are not limited to:
- deploying third-party services to detect and mitigate automated card testing and bot attacks
- using a CAPTCHA — a short test that helps determine if a user is human
- deploying Cross Site Request Forgery (CSRF) tokens: each donation form carries a single-use token issued when the page is loaded, so a submission that arrives without a valid token, or that replays a token already used, is rejected rather than charged
- employing a robust Web Application Firewall (WAF) that includes botnet detection and prevention, rootkit detection, NIDS sensors, network sniffers and more
- utilizing Stripe’s verification checks, like CVC verification, as an added layer of required information for a transaction to be successful.
How can you protect against credit card testing?
Stripe automatically puts numerous fraud detection and prevention measures in place. If credit card testing transactions are being blocked, these measures are helping to protect an account.
However, even Stripe acknowledges that its automatic measures can’t prevent all credit card testing, so it encourages additional, voluntary security restrictions that surface card-testing attempts and block or limit them before a card is confirmed as usable. Configured carefully, these restrictions make credit card testing impractical without affecting legitimate donors.
Directly below are three important voluntary steps that can be taken. They are built into Stripe Radar and/or Stripe Radar for Fraud Teams, two Stripe tools that aid with fraud protection. Stripe normally offers them for a fee of $0.05 or $0.07 per transaction, respectively, in addition to its normal payment processing fees; however, at present, Stripe Radar is automatically enabled and the $0.05 fee is waived for Give Lively member nonprofits.
Give Lively does not enable or maintain these Stripe services; they must be set up and overseen by the Stripe account holder. However, once implemented, these services allow for the Stripe account holder to turn on rules in the Radar rules settings of the Stripe dashboard that can block charges that don’t pass rules tests.
- First and foremost, enable a rule that blocks charges when the CVC and/or ZIP code check fails. CVC and ZIP checks compare the CVC (the three- or four-digit number printed directly on the card) and the ZIP code entered with the donation against the values the card issuer has on file. Stripe records the result of each check on the charge, but a failed check by itself does not necessarily decline the payment; a specific Radar block rule is what turns the failed check into a decline. Note that a check the issuer could not perform (reported as unavailable) is not the same as a failed check, and blocking on it would turn away legitimate donors.
- Enable a rule that places “elevated” risk charges in a review queue (in addition to “high risk” payments) for your team to accept or decline.
- Turn on additional Stripe Radar rules that block transactions originating in a specific country (or countries) when most of the test traffic comes from there, keeping in mind that legitimate donors in those countries will be blocked as well.
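To make the three rules concrete, here is an added example (not Give Lively's or Stripe's code) that applies the same logic to charge records offline. The record shape loosely follows Stripe's Charge object (`outcome.risk_level` and `payment_method_details.card.checks`), but the field names, the placeholder country code `XX`, and the sample charges are assumptions constructed for this illustration; the Radar rule strings are included only to show what each function approximates. The example also handles the edge case the text warns about: a check the issuer could not perform is left alone rather than treated as a failure.

```python
"""Offline approximation of three Stripe Radar rules for card-testing defence.

Added example, not Give Lively's or Stripe's code. Field names follow the
general shape of Stripe's Charge object but are assumptions for illustration.
"""
from dataclasses import dataclass

# Rule text in Radar's rule language, kept as documentation of what each
# branch in evaluate() approximates (assumption: syntax as published by Stripe).
RADAR_RULES = {
    "cvc_fail": "Block if :cvc_check: = 'fail'",
    "zip_fail": "Block if :address_zip_check: = 'fail'",
    "elevated": "Review if :risk_level: = 'elevated'",
    "country": "Block if :ip_country: IN ('XX')",
}

# Placeholder ISO country code; populate from the countries you actually see
# originating most of the test traffic.
BLOCKED_COUNTRIES = {"XX"}


@dataclass
class Decision:
    action: str  # "block", "review" or "allow"
    reason: str


def evaluate(charge: dict) -> Decision:
    """Return the first rule that fires for a charge, or allow it."""
    checks = (charge.get("payment_method_details", {})
                    .get("card", {})
                    .get("checks", {}))
    cvc = checks.get("cvc_check")
    postal = checks.get("address_postal_code_check")

    # Rule 1: block only on an explicit *failed* check. "unavailable" or
    # "unchecked" means the issuer did not verify the value; blocking on
    # that would decline legitimate donors whose issuers skip AVS/CVC.
    if cvc == "fail":
        return Decision("block", "cvc_check failed")
    if postal == "fail":
        return Decision("block", "address_postal_code_check failed")

    # Rule 3: block by originating country regardless of risk score.
    country = charge.get("ip_country")
    if country in BLOCKED_COUNTRIES:
        return Decision("block", f"ip_country {country} is blocked")

    # Rule 2: elevated (and high) risk goes to a human review queue.
    risk = charge.get("outcome", {}).get("risk_level")
    if risk in ("elevated", "highest"):
        return Decision("review", f"risk_level is {risk}")

    return Decision("allow", "passed all rules")


def triage(charges: list[dict]) -> dict[str, Decision]:
    """Evaluate a batch of charges and key the decisions by charge id."""
    return {c["id"]: evaluate(c) for c in charges}


def _charge(cid, amount, country, risk, cvc, postal):
    # Helper to build a constructed charge record in the assumed shape.
    return {
        "id": cid, "amount": amount, "ip_country": country,
        "outcome": {"risk_level": risk},
        "payment_method_details": {"card": {"checks": {
            "cvc_check": cvc, "address_postal_code_check": postal}}},
    }


# Constructed sample charges (amounts in cents), not real Stripe data.
SAMPLE_CHARGES = [
    _charge("ch_1", 100, "US", "normal", "fail", "pass"),          # block: CVC
    _charge("ch_2", 100, "US", "normal", "pass", "fail"),          # block: ZIP
    _charge("ch_3", 100, "XX", "normal", "pass", "pass"),          # block: country
    _charge("ch_4", 2500, "US", "elevated", "pass", "pass"),       # review
    _charge("ch_5", 5000, "US", "normal", "unavailable", "pass"),  # allow
    _charge("ch_6", 5000, "US", "normal", "pass", "pass"),         # allow
]

if __name__ == "__main__":
    for cid, decision in triage(SAMPLE_CHARGES).items():
        print(f"{cid}: {decision.action:6} ({decision.reason})")
```

Running the script prints one line per sample charge; the interesting case is `ch_5`, whose CVC check came back unavailable and which is allowed through so that a donor whose issuer skipped the check is not turned away.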
What to do if your nonprofit has been used for credit card testing?
First, remember that:
- Your website has likely not been compromised.
- The security of Give Lively’s services, including its donation forms, has probably not been breached.
Then, consider steps that will protect against ongoing abuse of your website for credit card testing:
- Review the three protections mentioned directly above.
- Take a careful look at Stripe’s other recommendations, keeping in mind that Give Lively has already implemented several of them.