In this tutorial I will give you an overall idea of what card testing is and the options you can use to protect your site against it.
Stripe’s website defines card testing as the following:
Card testing is a type of fraudulent activity where someone tries to determine whether stolen card information is valid so that they can use it to make purchases. A fraudster may do this by purchasing stolen credit card information, and then attempting to validate or make purchases with those cards to determine which cards are still valid. Other common terms for card testing are “carding”, “account testing”, and “card checking.”
Source: Stripe.com
Why Protection Against Card Testing is Needed
Our Accept Stripe Payments plugin uses Stripe elements (Stripe’s UI building blocks) to offer a fast, easy and unique checkout experience (without any branding from Stripe). The checkout process happens completely on your site as opposed to sending the customers to Stripe’s website. In most cases, the customers won’t even know that you are using Stripe to process the transactions. This can be great for your own brand.
Since the payment buttons are open on your site, a bot can try to use them to run card testing transactions. If you have ever received a spam comment on your website, then you know how a bot can submit a comment when you don’t have any mitigation techniques in place.
Bots have gotten smarter these days, so it is prudent to activate protection against them.
Please fully read the card testing issue explained on Stripe’s website before you use this plugin.
Prevent Card Testing
This plugin has a few mitigation techniques (recommended by Stripe) built into the code. However, using a captcha is the most effective way to prevent card testing.
1) Using a Captcha Option
This plugin has the following captcha options available in the Captcha settings. Using any of the “I am not a robot” checkbox captcha options is the most effective.
2) Daily Transaction Limit
When this plugin is used without configuring a captcha option, it will automatically apply a daily transaction limit of 25. If your site will only do a handful of transactions daily then you can adjust the daily limit to a low number in the plugin’s captcha settings tab.
This should limit the card testing attack if you have forgotten to activate the captcha option.
Even if you enable captcha, you can keep a transaction limit based on your average expected daily sales number. It provides an additional layer of protection. There is an option to remove the limit by entering a value of -1 in the “Daily Transaction Limit with Captcha” settings field.
There is also an option in the settings menu to get an email notification when this transaction limit is reached. This should allow you to look into the situation and make adjustments (if needed).
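The limit behaviour described in this section, sketched in Python as an added example (not the plugin's own code). The class and function names, the calendar-day reset, the with-captcha default and the notification hook are assumptions; the default of 25 and the -1 value come from the text above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Optional

UNLIMITED = -1  # value the page gives for removing the with-captcha limit


@dataclass
class DailyLimitGate:
    """Hypothetical model of a per-day cap on checkout attempts."""
    captcha_enabled: bool
    limit_without_captcha: int = 25      # default stated on the page
    limit_with_captcha: int = UNLIMITED  # assumed default for this sketch
    notify: Optional[Callable[[str], None]] = None  # hypothetical alert hook
    _day: Optional[date] = field(default=None, init=False)
    _count: int = field(default=0, init=False)

    def effective_limit(self) -> int:
        if self.captcha_enabled:
            return self.limit_with_captcha
        # Assumption: without a captcha the cap can be lowered, not removed.
        return max(1, self.limit_without_captcha)

    def allow(self, today: date) -> bool:
        """Count the attempt and return True if it fits under today's cap."""
        if today != self._day:           # new calendar day: reset the counter
            self._day, self._count = today, 0
        limit = self.effective_limit()
        if limit != UNLIMITED and self._count >= limit:
            return False                 # cap already used up: refuse
        self._count += 1
        if self.notify and self._count == limit:
            # Fires once per day, on the attempt that uses up the cap.
            self.notify(f"Daily transaction limit of {limit} reached on {today}")
        return True


def simulate(gate: DailyLimitGate, attempts: int, day: date) -> int:
    """Push `attempts` checkout attempts through the gate; return how many pass."""
    return sum(gate.allow(day) for _ in range(attempts))


if __name__ == "__main__":
    alerts = []  # constructed sink standing in for the email notification
    gate = DailyLimitGate(captcha_enabled=False, notify=alerts.append)
    # Constructed burst of 400 attempts in one day against a site with no captcha.
    print(simulate(gate, 400, date(2024, 1, 1)), "accepted;", alerts)
```

With no captcha, a burst of 400 attempts in one day gets 25 through and produces a single alert, which is why the limit reduces the damage from a card testing run but does not stop it.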
3) Collect Customer Address During Checkout
Use the “Collect Address” option in the product to collect the customer’s address at checkout. You can collect just the billing address or both the billing and shipping addresses.
Our plugin will submit this data to the Stripe API. This can help Stripe identify card testing attempts and block fraudulent payments. This feature is particularly useful when configuring your donation product.
Contact Us
If you have an issue with card testing on your site, please contact us. We can guide you through the process and help you adjust your settings to prevent it from happening again in the future.
When you contact us, make sure to include details of your setup so we can analyze it and provide help.
If you have any feedback on this matter, feel free to send that to us as well.