What is carding?

Ecommerce websites are increasingly being used by fraudsters to test cards, in a process called carding.

They find an online service or shop that typically has lots of low-value transactions and the fewest hurdles to get over. They then run an automated script, which keeps testing potentially thousands of cards to repeatedly try to secure authorisations.

A successful authorisation, however small, is enough to show the card details are valid and active – and can be used for more extensive fraud elsewhere. 

Brian Kinsella, Elavon’s senior regional fraud manager, said: “We often see that the types of businesses that fall victim to carding attacks are small companies that may not have invested heavily in website security.

“By taking a few simple, low-cost steps, you can prevent your business from falling foul of carding and any card fees for excessive declines.”

What are the risks?

As well as inadvertently supporting criminals – ranging from hackers to international terrorists – in their attempts through apathy, ignorance or negligence of your security, you risk damaging both your reputation and bottom line.

If details emerge down the way that larger fraud was carried out because of carding on your site, you could find yourself exposed and vulnerable to reputation and legal implications. On the other end of that extreme, businesses also face additional fees for excessive authorisations and declines from Mastercard. 

“It’s solely the responsibility of your business to have taken additional security checks to expose and prevent carding,” says Brian. “We can support you on that, but we don’t reverse transaction charges if you haven’t taken the appropriate measure to fully protect against carding.” 

How to stop it

There are many ways you can protect your business from fraudulent carding activity. 

• Having a good ‘captcha’ test on your website could frustrate a fraudster's carding attempts. A ‘captcha’ is a computer program or system used to determine the difference between a human and a robot.
• 3-D Secure is the umbrella name for Visa Secure and Mastercard SecureCode, which have been implemented by the card brands to add an additional level of security for online shopping. By implementing 3-D Secure in your eCommerce, you can fully authenticate the cardholder. This may mean a shift in the liability for chargebacks arising on transactions under certain circumstances, even where the cardholder is not enrolled for 3-D Secure. While 3-D Secure cannot and does not eliminate chargebacks entirely, it does vastly reduce the incidence of fraud.
• Removing the copy and paste function on your payments page will also make it harder for a fraudster to run an automated script to generate these test transactions.
• Seek out other fraud-management products that your payments gateway provider may have available, which will help identify and block such attacks from happening.

For more about carding and protecting your business from fraudsters, check out Visa’s advice.

Please contact your gateway provider to ensure your website is secure and protected from carding attacks.