Would you allow a customer to walk into your store and hand you 5,000 or 10,000 credit cards and ask you to process one right after another? Of course not. If you have a website and accept payments with a “pay button” or shopping cart, the bad guys could be doing this right now in your “store”. Set up protective measures for your website just as you would for your store front.
Card tumbling is when the bad guys use a legitimate merchant account to test stolen cards to see if they are “good” so they can sell them on the dark web to others who will commit fraud with those cards. One of the biggest issues for a business that suffers this type of attack is the transaction fees: each one is nominal, but after 5,000-10,000 authorization attempts they result in a large monthly bill on the processing statement. Also, your business will receive numerous calls from cardholders asking why you charged their credit card. Your employees will have to spend time explaining the fraudsters’ attempt and that it wasn’t your business processing this.
There are several ways to prevent this from happening to your website. The first and easiest is to establish a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). CAPTCHA is a security measure you see when you visit a website and must type in something you see on the screen or click on certain pictures with images in them. This extra step is to prevent a bot, rather than a human, from using the website to complete a transaction.
There are other measures to consider in case the bad guys can evade the CAPTCHA. Through the back-office tools for your website or shopping cart you can set a transaction alert for a large number of attempts that fail. Watch for authorization attempts for a small dollar amount ($0.10, $1.00, $2.00). Analyze the time zones that transactions originate from. Most of these fraud attempts come from an IP address that is not consistent with your location or customer’s location. Look for excessive usage and bandwidth consumption from a single user. Multiple transactions with the same email address can also be a red flag.
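For the IT person, the warning signs above can be checked against an export of authorization attempts. The following is an added example, not part of the original article or any gateway's own code; the field names, thresholds and sample records are assumptions constructed for illustration, and a real system would use the gateway's card token rather than the last four digits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own normal traffic.
WINDOW = timedelta(minutes=10)   # period in which failures are counted
MAX_FAILED = 5                   # failed attempts per IP inside WINDOW
SMALL_AMOUNT = 2.00              # the article's examples: $0.10, $1.00, $2.00
MAX_CARDS_PER_EMAIL = 3          # distinct cards tried with one email

def find_card_testing(attempts):
    """Return {(kind, key): set of reasons} for IPs and emails that look like card testing."""
    by_ip, by_email = defaultdict(list), defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
        by_email[a["email"].lower()].append(a)
    alerts = defaultdict(set)
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r["time"])
        failed = [r for r in rows if not r["approved"]]
        start = 0
        for end, r in enumerate(failed):          # sliding window over failures
            while r["time"] - failed[start]["time"] > WINDOW:
                start += 1
            if end - start + 1 >= MAX_FAILED:
                alerts[("ip", ip)].add("many_failed_attempts")
                break
        if sum(r["amount"] <= SMALL_AMOUNT for r in rows) >= MAX_FAILED:
            alerts[("ip", ip)].add("small_amount_auths")
    for email, rows in by_email.items():
        if len({r["card_last4"] for r in rows}) >= MAX_CARDS_PER_EMAIL:
            alerts[("email", email)].add("many_cards_one_email")
    return dict(alerts)

def sample_attempts():
    """Constructed records: one automated run of 8 cards plus one ordinary customer."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    rows = [{"time": t0 + timedelta(seconds=20 * i), "ip": "203.0.113.7",
             "email": "buyer@example.com", "card_last4": str(1000 + i),
             "amount": 1.00, "approved": i == 7} for i in range(8)]
    for i, ok in enumerate([False, True]):        # customer mistypes once, then pays
        rows.append({"time": t0 + timedelta(minutes=i), "ip": "198.51.100.20",
                     "email": "alice@example.org", "card_last4": "4242",
                     "amount": 59.99, "approved": ok})
    return rows

if __name__ == "__main__":
    for key, reasons in find_card_testing(sample_attempts()).items():
        print(key, sorted(reasons))
```

The ordinary customer who mistypes a card once and then pays is not flagged; only the run of small, mostly declined authorizations is.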
If you have an IT person, discuss with them the potential risks of having the bad guys use your account for this type of activity. Having a business website is a great way to have a second sales channel or offer your customers a convenient way to pay. Either way, your website needs to be treated as an additional store front as it has the same risks and security concerns as your primary store. Don’t turn out the lights, go home and leave the front door unlocked!
Crystal Laake holds the Certified Payments Professional (CPP) designation and has been an FRF team member for 17 years. Contact Crystal with any payment processing questions at firstname.lastname@example.org.