Don’t Fall Prey to Authorization Testing

Have you ever been in the drive-thru, gone to pay for your meal and had your debit or credit card shut off? Have you gotten the call from the security department at your bank alerting you that you may be a victim of fraudulent charges? Usually, the fraudster tests your card number with a smaller purchase and if it goes through, they start racking up the charges, all courtesy of you. This fraudulent activity is referred to as Card Probing or Authorization Testing and it is the most common form of credit card fraud.

It’s easy to relate to this as a consumer. Most of us are no strangers to some sort of fraudulent activity. But what about the business that is the victim of the testing? What can it do once it falls prey to this activity? What measures can be put in place to lower the risk? As payment consultants, MSP Consulting is no stranger to this type of fraud and can offer solutions.

Authorization testing fraud is often missed by merchants because the fraudster starts with a lower transaction amount for the test. While the merchant may experience chargeback fees, this is just a part of the overall risk. Merchants face even greater risk, headache, and expense associated with Authorization Testing:

  • Reputation risk—if noticed by its customers, trust and security around purchases become diminished.
  • Transaction and authorization fees—this is potentially one of the more expensive costs associated with this type of fraud, as fraudsters often run thousands of cards using programs called Bots. Since every test transaction, even one that is declined, is still charged a transaction fee, this can cost the merchant thousands of dollars in one evening of testing.
  • Website lockout—all of the test emails may also bog down the merchant website and lock out real customers. Lost business leads to lost revenue.
  • Closure of the Merchant Account – If the account continues to experience fraudulent authorization testing, the processor will terminate the account and possibly report the business to the card associations, making it extremely difficult for the business to secure a new merchant account.

It’s important to understand how to set up your merchant account to guard against this type of fraudulent activity.

Card Authorization Testing can cost a company a lot of money and headaches. Know how to plan against it and what to do if you fall victim. There are a few different types of breaches around this type of fraud.

The first is Merchant Account number (MID) or Gateway Account Compromise. In this type of breach, a business receives a phone call asking for information about its merchant account and/or payment gateway. The request can also come in the form of an email telling the business that its merchant account is locked and that it needs to provide certain information to unlock it. It is important not to relay this information. However, if the merchant has already provided the information, they need to shut down the merchant account and open a new one. If the merchant also provided Gateway credentials, then they should contact their gateway vendor and reset their credentials (ID/PW).

The second way a fraudster can get in is through a merchant’s website. If a company has not received phone calls or emails about their MIDs or Gateway, and testing is still happening, it is most likely coming through the website. In this case, the perpetrator sends bots out to scan and make smaller charges to see if they are stopped. Setting up a few filters on a merchant’s website can eliminate this behavior.  

The merchant should contact their Gateway provider and ask them to add Velocity Filters. These filters set parameters around transactions. In this case, a merchant would want to have an IP Address filter set. This monitors repeat purchases from the same computer and will flag the transaction in question. The other velocity filter that can be set is an Account number filter. This filter sets the number of times a single card can be tried and flags the transactions in question.
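As an added illustration (not code from this article or from any gateway product), the two velocity filters described above can be sketched as sliding-window counters over a transaction log. The window length, the limits, the field names and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Assumed values for illustration; a real gateway exposes its own settings.
WINDOW_SECONDS = 600        # look-back window
MAX_ATTEMPTS_PER_IP = 5     # IP Address filter limit
MAX_ATTEMPTS_PER_CARD = 3   # Account number filter limit


def velocity_flags(transactions, window=WINDOW_SECONDS,
                   ip_limit=MAX_ATTEMPTS_PER_IP,
                   card_limit=MAX_ATTEMPTS_PER_CARD):
    """Return {txn_id: [reasons]} for attempts that exceed either limit.

    Approved and declined attempts both count, because a declined
    test transaction is still charged a fee.
    """
    recent = {"ip": defaultdict(deque), "card": defaultdict(deque)}
    limits = {"ip": ip_limit, "card": card_limit}
    flagged = {}
    for txn in sorted(transactions, key=lambda t: t["ts"]):
        for kind in ("ip", "card"):
            seen = recent[kind][txn[kind]]
            seen.append(txn["ts"])
            # Drop attempts that have aged out of the window.
            while seen[0] <= txn["ts"] - window:
                seen.popleft()
            if len(seen) > limits[kind]:
                flagged.setdefault(txn["id"], []).append(f"{kind}_velocity")
    return flagged


def sample_transactions():
    """Constructed sample: documentation IPs and opaque card tokens only."""
    txns = []
    for i in range(8):   # one IP cycling through eight different cards
        txns.append({"id": f"t{i}", "ts": 1000 + 20 * i, "ip": "203.0.113.7",
                     "card": f"tok_{i:03d}", "approved": False})
    for i in range(4):   # one card retried from four different IPs
        txns.append({"id": f"c{i}", "ts": 2000 + 30 * i,
                     "ip": f"198.51.100.{i + 1}", "card": "tok_900",
                     "approved": False})
    for n, ts in enumerate((1500, 5100), start=1):   # ordinary repeat customer
        txns.append({"id": f"ok{n}", "ts": ts, "ip": "192.0.2.10",
                     "card": "tok_500", "approved": True})
    return txns


if __name__ == "__main__":
    for txn_id, reasons in velocity_flags(sample_transactions()).items():
        print(txn_id, reasons)
```

The card field holds a token rather than a card number, so the counter never needs to store the account number itself.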

Further, merchants should add CAPTCHA to their website. CAPTCHA helps keep bots from getting through on a website.

Finally, merchants should scan their systems for Malware & Spyware.

All of these steps can seem daunting for most merchants. The most important thing a merchant can do to guard against any kind of fraud is to have a well-known relationship with your merchant services company. Make sure you are set up with a merchant services company that will help you walk through these types of issues and will set your business up to avoid them from the start. You need a company that will work as an extension of your business and advocate for the best interest of your company and your customers.

If you have questions about your merchant services, preventing fraudulent activity or how to set some of these parameters in place to guard against fraud, contact us today.
