Card testing is a type of fraudulent activity where someone tries to determine if stolen card information can be used to make purchases. Other common terms for card testing are “carding”, “account testing”, and “card checking.”
Fraudulent activity such as card testing is an unavoidable part of online commerce. At Stripe, we’re constantly improving our tools and systems to detect and reduce fraud, but you must remain vigilant with respect to fraud.
What Stripe does to prevent card testing
Stripe has many automated and manual controls in place to mitigate card testing, including rate limiters, alerts, ongoing reviews, and more.
These measures alone can’t prevent all card testing, but your continued attention to this issue can make it much more difficult for those who want to defraud you. Your API keys give you access to Stripe’s systems and a global financial network. That access is what card testers want to exploit, so it’s important to keep your keys safe and put safeguards around the functionality those keys provide to prevent fraud and other malicious activity.
If your Stripe integration is being exploited by card testers, you should mitigate the fraudulent activity as soon as possible. Card testing has many negative aspects, some of which get worse over time as card testing continues.
- Disputes: Many types of card testing involve payments, some of which will succeed. Many of those successful payments will be noticed by the cardholder and disputed as fraudulent, which will result in disputes that cost you time and money.
- Higher decline rates: Card testing usually causes a large number of declines to be associated with your business. A high decline rate damages the reputation of your business with card issuers and card networks, which makes all of your transactions appear riskier. This can result in an increased decline rate for legitimate payments, even after card testing stops.
- Additional fees: Card testing activity can result in additional fees, such as authorization fees for custom pricing plans, and dispute fees.
- Infrastructure strain: Card testing usually results in numerous network requests and operations. This additional traffic can overburden your infrastructure and disrupt legitimate activity.
- Damages ecosystem health: Card testing has negative impacts on the financial system as a whole, so both Stripe and our financial partners want to help you stop it.
How card testing works
Card testers use both authorizations and payments to determine if the stolen or generated card information they have is valid or not.
- Authorizations: This is the preferred method to test cards, as authorizations don’t typically show up on cardholder statements. This also makes it less likely the cardholder will notice or report the fraudulent activity.
- Payments: Card testers prefer smaller payments, which are less likely to be noticed by cardholders and reported as fraudulent. This makes donation pages and businesses that facilitate small-value purchases ideal targets for card testers.
Identify card testing
You can identify most card testing activity by a significant increase in declines. When investigating card testing, you can view declines in two places in the Dashboard:
- The graphs in the Developers section of the Dashboard show recent activity on your Stripe account. Elevated decline rates caused by card testing will usually show up on these graphs.
- Specific card testing declines will be in your failed request logs as 402 errors.
These two sections of the Dashboard give you both a high-level and detailed view of card testing activity.
Prevent card testing
Card testers employ a wide variety of techniques to make their fraudulent activity difficult to block. As a result, simple firewall rules or filters based on things like user agent strings are usually not sufficient to prevent card testing on their own.
Systems that lack security measures to prevent unrestricted access to certain Stripe functions may be vulnerable to card testing. Endpoints targeted by card testers typically allow them to do one of the following:
- Attach a card to a customer
- Make a payment
Adding security restrictions to endpoints that expose this functionality will help you prevent or mitigate card testing. The restrictions you implement should make card testing impractical while having little to no impact on your legitimate traffic.
The specific security measures you add to your integration will vary depending on your situation and the needs of your business. Several common approaches are described below.
Add a captcha
Card testers often use automated scripts that can be blocked using a captcha.
Google’s reCAPTCHA is often effective for blocking card testing. It offers both visible and invisible captchas, depending on your needs.
If you’ve added a captcha to your integration but card testing hasn’t stopped, check the following:
- Make sure the captcha requires validation on all requests that enable card validations or payments with Stripe.
- Review the captcha’s documentation to make sure it has been implemented properly.
- If you’re using a captcha that provides a score, adjust the threshold at which you prevent requests from succeeding.
- Try a different captcha configuration, such as switching from an invisible captcha to a visible one, or use a different captcha solution entirely.
Add rate limits
In some cases, you can stop card testing by adding rate limits. Tailor these rate limits to stop the specific kind of card testing you’re experiencing.
For example, if card testers use your integration to validate cards by attaching them to new customers, an effective deterrent might be to limit the number of new customers that can be created by a single IP address in one day.
Require login or session validation
Requiring login or session validation before certain actions, such as creating an account or making a payment, can often prevent card testing. Some of the safeguards that protect against Cross-Site Request Forgery (CSRF) attacks, such as CSRF tokens, are also effective against some types of card testing.
Detect and prevent unusual behavior
As soon as you’ve identified card testing activity, you can compare it to typical legitimate traffic, then build rules or filters that limit or prevent only the card testing activity.
For example, you might make changes to your system that:
- Limit the number of cards that can be attached to a single customer
- Limit the number of customers that can be created with a single IP address
- Filter out requests with certain user agents or other parameters
If card testers are making payments with your integration, you might be able to use custom Radar rules to mitigate the fraudulent activity. For example, the following rule could be effective at stopping some instances of card testing:
Block if :declines_per_ip_address_daily: > 3
Creating custom Radar rules requires Radar for Fraud Teams, and Radar rules only apply to payments. Radar can’t be used to stop card testers from performing card validations.
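The same "declines per IP per day" condition that the Radar rule above expresses can be checked on your own side, over the failed request logs described under "Identify card testing", which also covers card validations that Radar rules don't apply to. The following is an added example (not Stripe's code); the log format and the sample lines are constructed, and the paths `/api/charge` and `/api/attach_card` are hypothetical. It parses the lines, counts HTTP 402 declines per (day, IP) and flags the IPs that exceed the threshold.

```python
"""Flag IP addresses whose daily count of declined (HTTP 402) requests exceeds a
threshold: the application-side counterpart of the Radar rule
`Block if :declines_per_ip_address_daily: > 3`. Added example, not Stripe code."""
from collections import defaultdict
import re

# Constructed sample lines in a hypothetical access-log format:
# <ISO timestamp> <client IP> <method> <path> <HTTP status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 POST /api/charge 402
2024-05-01T10:00:03Z 203.0.113.7 POST /api/charge 402
2024-05-01T10:00:05Z 203.0.113.7 POST /api/charge 402
2024-05-01T10:00:08Z 203.0.113.7 POST /api/charge 402
2024-05-01T10:00:09Z 203.0.113.7 POST /api/charge 200
2024-05-01T11:15:00Z 198.51.100.20 POST /api/charge 402
2024-05-01T11:16:00Z 198.51.100.20 POST /api/charge 200
2024-05-02T09:00:00Z 203.0.113.7 POST /api/charge 402
2024-05-02T09:00:02Z 192.0.2.55 POST /api/attach_card 402
2024-05-02T09:00:04Z 192.0.2.55 POST /api/attach_card 402
2024-05-02T09:00:06Z 192.0.2.55 POST /api/attach_card 402
2024-05-02T09:00:07Z 192.0.2.55 POST /api/attach_card 402
2024-05-02T09:00:09Z 192.0.2.55 POST /api/attach_card 402
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return (day, ip, path, status) for a well-formed line, else None.
    The day is the ISO date prefix of the timestamp (UTC)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"][:10], m["ip"], m["path"], int(m["status"])


def declines_per_ip_daily(log_text, decline_status=402):
    """Count declined requests per (day, ip), skipping malformed lines."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, ip, _path, status = rec
        if status == decline_status:
            counts[(day, ip)] += 1
    return dict(counts)


def flag_card_testing(log_text, threshold=3):
    """Return {(day, ip): declines} for every IP whose declines on a day
    exceed `threshold`, i.e. the condition `declines > threshold`."""
    return {k: n for k, n in declines_per_ip_daily(log_text).items() if n > threshold}


if __name__ == "__main__":
    for (day, ip), n in sorted(flag_card_testing(SAMPLE_LOG).items()):
        print(f"{day} {ip}: {n} declines (above threshold)")
```

Run over a real export, the flagged IPs are candidates for the rate limits and filters described in the sections above; note that a handful of declines from one address is normal (a shopper retrying a mistyped card), which is why the threshold is a strict "greater than" rather than any decline at all.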
Use a combination of mitigations
It might make sense to combine multiple approaches to stop card testing in order to maximize the impact on fraudulent activity without having an adverse effect on legitimate traffic.
For example, you might combine captchas and rate limits so the first payment attempt from an IP address succeeds without restriction, but subsequent requests made by that same IP address for the next several hours require a captcha verification to succeed.
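The mitigations from "Add a captcha", "Add rate limits" and this section can be put together in one guard that sits in front of the endpoints that attach cards or take payments. The following is an added example, not Stripe's code: it caps the number of new customers a single IP can create per day, lets the first payment attempt from an IP through, and requires a passing captcha for further attempts within a window measured from that first attempt. The in-memory dictionaries stand in for the shared store (such as Redis) a multi-server deployment would need, and the shape of the captcha verification result (`success`, `action`, `score`) is an assumption modelled on scored captchas such as reCAPTCHA v3, with the score threshold adjustable as the captcha section suggests.

```python
"""Combined card-testing mitigations: per-IP daily cap on customer creation plus
a payment gate where only repeat attempts within a window need a captcha.
Added example, not Stripe code; state is in-memory for illustration."""
from collections import defaultdict, deque

DAY = 24 * 3600


class CardTestingGuard:
    def __init__(self, max_new_customers_per_day=5, captcha_window=4 * 3600,
                 min_captcha_score=0.5):
        self.max_new_customers_per_day = max_new_customers_per_day
        self.captcha_window = captcha_window        # seconds after first attempt
        self.min_captcha_score = min_captcha_score  # tune per the captcha section
        self._customer_creates = defaultdict(deque) # ip -> creation timestamps
        self._first_payment_attempt = {}            # ip -> timestamp

    @staticmethod
    def _prune(times, now, window):
        """Drop timestamps older than `window` seconds from the left of a deque."""
        while times and now - times[0] >= window:
            times.popleft()

    def allow_customer_create(self, ip, now):
        """Rate limit: at most `max_new_customers_per_day` new customers per IP
        in any rolling 24-hour window. Records the creation when allowed."""
        times = self._customer_creates[ip]
        self._prune(times, now, DAY)
        if len(times) >= self.max_new_customers_per_day:
            return False
        times.append(now)
        return True

    def captcha_passes(self, verify_response, expected_action="payment"):
        """Decide from a scored-captcha verification result (assumed shape:
        {"success": bool, "action": str, "score": float}). The action check
        stops a token obtained for another form being replayed here."""
        return (
            verify_response.get("success") is True
            and verify_response.get("action") == expected_action
            and float(verify_response.get("score", 0.0)) >= self.min_captcha_score
        )

    def allow_payment(self, ip, now, verify_response=None):
        """First attempt from an IP passes unconditionally; attempts within
        `captcha_window` seconds of that first attempt must carry a passing
        captcha. Once the window has elapsed the IP gets a fresh free attempt."""
        first = self._first_payment_attempt.get(ip)
        if first is None or now - first >= self.captcha_window:
            self._first_payment_attempt[ip] = now
            return True
        return verify_response is not None and self.captcha_passes(verify_response)


if __name__ == "__main__":
    guard = CardTestingGuard(max_new_customers_per_day=2, captcha_window=3600)
    print(guard.allow_payment("203.0.113.7", 1000))   # True: first attempt
    print(guard.allow_payment("203.0.113.7", 1100))   # False: no captcha
    print(guard.allow_payment("203.0.113.7", 1200,
                              {"success": True, "action": "payment", "score": 0.9}))
```

Legitimate shoppers rarely create more than a couple of customers or retry a payment many times in an hour, so these settings leave normal traffic untouched while forcing a script to solve a captcha on every attempt after the first; the thresholds and window are the knobs to adjust against the traffic you actually see.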
Active card testing checklist
If your Stripe integration is being exploited by card testers, we recommend that you take the following actions immediately:
- Identify the card testing activity.
- Refund fraudulent payments to avoid disputes.
- Add one or more mitigations to your integration to stop the card testing.
- Monitor your integration to ensure your mitigations are effective.
Card testing is often a stressful experience, but we’re here to help! If you need assistance with card testing please let us know!