What is Card Testing and How to Protect Your Ecommerce Website

    MCO has built-in payment fraud detection tools which are easy to enable without any additional integration effort

    Ensure you’ve enabled fraud prevention tools like AVS (Address Verification System), CVV (Card Verification Value), 3D Secure, Kount and minimum transaction amount limit

    Enable auto-decisioning  to prevent potential card testing transactions from being sent to the Issuer for authorization 

    MCO leverages Cloudflare, a cloud company security provider that offers enterprise-grade firewall protection against DDoS attacks, malicious bots and other web security vulnerabilities

   Most card testing attacks use scripts and automated tools to quickly test a large number of cards on a merchant website

   Use Google reCAPTCHA v3 or hCaptcha on your checkout and payment forms

    Google reCAPTCHA v3 provides a score between 0 and 1 to help identify potential bot activity, without requiring user interaction

    hCaptcha presents users with a challenge, such as identifying images—easy for humans but difficult for bots

    Card testing often involves high-frequency attacks using stolen or generated cards

    Set up rate limiting on how many times a user/IP can attempt a transaction in a short period

    Use device fingerprinting to track suspicious devices and compare them with known fraud patterns

    Card testers often submit many low-value transactions or multiple failed attempts

    Flag accounts with excessive failed attempts

    Watch for multiple transactions from the different accounts using the same email or device 

    Monitor for patterns like many small purchases, rapid transaction submissions, or unusual card BINs (Bank Identification Numbers) for example: a card issued in a foreign country.

    Use the Moneris Kount Enterprise solution for real-time fraud monitoring

    Legitimate customers typically do not make multiple rapid-fire transactions

    Limit the number of attempts per IP/device/account/email/card number per hour/day

    Block suspicious IPs or locations, for example: a user who normally logs in from Vancouver suddenly makes a high-value purchase from an IP in Germany, using a VPN, and ships to a P.O. box in Florida. That combination would likely trigger fraud alerts.

    Use Web Application Firewalls (WAFs) such as Cloudflare Bot Management, to  block card-testing patterns

    Require the user to register before checkout and add verification such as a code or email confirmation

    Limit the number of user accounts that can be added in a certain period

    Limit the number of cards that can be added to a customer account 

    Add a session time limit with a timeout mechanism

    Card testing can often be detected early by monitoring transaction declines

    Set up alerts for a sudden spike in declines

    Analyze logs to identify common IP addresses and devices used in attacks

    If your API token is compromised, attackers can bypass your website entirely

    Re-generate your Moneris API token in the Moneris Resource Center: Ensure refunds, voids, or pre-authorizations are completed before generating a new token

    Review your API keys safeguarding policies

    Fraudsters may attempt to exploit your website's front-end

    Protect your public APIs (e.g. via authentication tokens)

    Hide non-customer-facing payment endpoints

    Ensure your website uses HTTPS to encrypt all communication between the front-end and back-end servers

    Restrict the use of API keys on your front-end as much as possible

    Use WAF services like Cloudflare, AWS WAF, or Akamai to detect and block attacks

    Outdated software can be  vulnerable to fraud

    Regularly patch your e-commerce platform, and keep all plugins and libraries up to date