Protect against credit card testing

Learn what Give Lively and Stripe do to forestall credit card testing, and what additional voluntary efforts you can make to do even more.

What is credit card testing?

Also known as “carding,” “account testing” and “card checking,” credit card testing is how criminals determine if illegally obtained credit card numbers — bought on the dark web, stolen or collected through phishing and spyware — are valid for fraudulent use. 

The testing is accomplished by attempting low-value online purchases or donations through a merchant’s or nonprofit’s website. The details of any card discovered to be viable (those that haven't been canceled) are then used for larger purchases.

If done manually, credit card testing is slow and laborious. However, criminals with access to networks of compromised computers can program botnets to run many hundreds, or even thousands, of small transactions in a short amount of time.

Nonprofits, especially those with a well-established public profile, are sometimes selected for credit card testing because less information is needed to process a donation than a typical e-commerce purchase, and donations can be as low as $1, a transaction minimum that might be easily overlooked by card holders. 

IMPORTANT: If your nonprofit’s website is used for credit card testing, take a breath and remember three things:

  • Your website has likely not been compromised.
  • The security of Give Lively’s services, including its donation forms, has probably not been breached.
  • There are steps you can take to protect against ongoing use of your website for credit card testing.

What does Give Lively do to protect against credit card testing?

Give Lively has implemented several measures to forestall credit card testing. These tactics are not foolproof, because card testers are always finding ways to work around blocks. However, our system’s protections do make it much more difficult for card testers to proceed.

Our tactics include, but are not limited to:

  • using a CAPTCHA — a short test that helps determine if a user is human — on all of our donation pages and forms. The version we currently use is Google's reCAPTCHA;
  • deploying Cross Site Request Forgery (CSRF) tokens that monitor expected user flows through donation pages and invalidate used tokens;
  • employing a robust Web Application Firewall (WAF) that includes botnet detection and prevention, rootkit detection, NIDS sensors, network sniffers and more; and
  • utilizing Stripe’s verification checks, like CVC verification, as an added layer of required information for a transaction to be successful.

How can you protect against credit card testing?

Stripe automatically puts numerous fraud detection and prevention measures in place. If credit card testing transactions are being blocked, these measures are helping to protect an account.

However, even Stripe acknowledges that its automatic measures can’t prevent all credit card testing, so it encourages the implementation of additional voluntary security restrictions capable of exposing credit card testing and then working to preempt or mitigate it. These restrictions should make credit card testing impractical without impacting legitimate traffic.

Directly below are three important voluntary steps that can be taken. They are built into Stripe Radar and/or Stripe Radar for Fraud Teams, two Stripe tools that aid with fraud protection. Stripe offers them for a fee of $0.05 or $0.07 per transaction, respectively, in addition to its normal payment processing fees.

Give Lively does not enable or maintain these Stripe services; they must be set up and overseen by the Stripe account holder. However, once implemented, these services allow for the Stripe account holder to turn on rules in the Radar rules settings of the Stripe dashboard that can block charges that don’t pass rules tests.

  • First and foremost, enable a rule blocking charges when a CVC and/or ZIP code check fails. CVC and ZIP checks require the CVC (three- or four-digit number printed directly on the credit card) and ZIP code associated with a credit card to match the CVC and ZIP code entered with the credit card donation. A failed check can indicate that the donation is fraudulent, but won’t necessarily block it. That’s what a specific block rule can do.
  • Enable a rule that places “elevated” risk charges in a review queue (in addition to “high risk” payments) for your team to accept or decline.
  • Turn on additional Stripe Radar features for protections that block transactions from a specific country (or countries) if it is the origin of the majority of test cases.
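The following is an added illustration, not code from Give Lively or Stripe, of what the three rules above do when applied to a batch of charge records, plus the velocity check a fraud team would run to spot the botnet burst described earlier. Field names mirror Stripe's charge object (cvc_check, zip_check, risk_level, ip_country); the records and the `XX` country code are constructed placeholders.

```python
"""Triage constructed Stripe-style charge records the way the three Radar
rules described above would: block on a failed CVC or ZIP check, queue
elevated/high-risk charges for review, block a chosen origin country.
Added example; field names mirror Stripe's charge object, the data is made up."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Charge:
    id: str
    amount_cents: int
    cvc_check: str      # 'pass' | 'fail' | 'unavailable'
    zip_check: str      # 'pass' | 'fail' | 'unavailable'
    risk_level: str     # 'normal' | 'elevated' | 'highest'
    ip_country: str     # ISO country code of the donor's IP
    ip: str


BLOCKED_COUNTRIES = {"XX"}  # placeholder: set to the country driving test traffic


def triage(c: Charge) -> str:
    """Return 'block', 'review' or 'allow' for one charge."""
    if c.cvc_check == "fail" or c.zip_check == "fail":
        return "block"                       # rule 1: failed CVC/ZIP check
    if c.ip_country in BLOCKED_COUNTRIES:
        return "block"                       # rule 3: blocked origin country
    if c.risk_level in ("elevated", "highest"):
        return "review"                      # rule 2: human review queue
    return "allow"


def card_testing_sources(charges, min_attempts=5, max_amount_cents=500):
    """IPs that sent at least min_attempts small charges: a burst of $1-$5
    attempts from one address is the automated pattern the article describes."""
    counts = Counter(c.ip for c in charges if c.amount_cents <= max_amount_cents)
    return sorted(ip for ip, n in counts.items() if n >= min_attempts)


# Constructed sample: one legitimate $50 donor plus six $1 attempts from one address.
SAMPLE = [Charge("ch_ok", 5000, "pass", "pass", "normal", "US", "203.0.113.9")] + [
    Charge(f"ch_t{i}", 100, "fail" if i % 2 else "pass", "pass",
           "elevated", "US", "198.51.100.7") for i in range(6)]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.id, triage(c))
    print("suspected card-testing sources:", card_testing_sources(SAMPLE))
```

Note that a failed CVC check alone only flags a charge; it is the explicit block rule (here the first branch of `triage`) that stops it.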

What to do if your nonprofit has been used for credit card testing?

First, remember that: 

  • Your website has likely not been compromised.
  • The security of Give Lively’s services, including its donation forms, has probably not been breached.

Then, consider steps that will protect against ongoing abuse of your website for credit card testing:
