Minimizing Card Testing Fraud
Published: October 27, 2021
by Janet Bargewell, GiveDirect Support
What is Card Testing Fraud?
Card testing is when a fraudster with a stolen credit card number makes a small purchase to check if the card is active.
Why are Nonprofits a Target?
-
A simple payment process
Because nonprofits want to offer an easy way for donors to contribute, they opt for a publicly available donation form with a low minimum limit for giving. Unfortunately, this makes it easier for fraudsters to access that form.
-
Flying under the radar
Fraudsters like to keep testing transactions small to pass "under the radar" of card issuers, banking institutions, and many card holders. Even if a card holder discovers a small charge to a charity, they are less likely to report the activity or challenge the charge if it is minimal.
What does GiveDirect do to Minimize Card Testing?
-
Regular monitoring
GiveDirect monitors transaction activity and issues refunds when fraud is discovered. However, you know your givers best and may recognize an unusual transaction more easily.
What you can do:
Log in to your Control Panel on a regular basis and review your transaction reports. If you notice something that looks out of the ordinary, let us know. -
Manage the number of active fundraising forms
With GiveDirect, you can create an unlimited number of fundraising forms. However, since every active form gives fraudsters another opportunity to use that form for card testing, best practices dictate that once a campaign is complete, the form should be deactivated.
What you can do:
Once a campaign is complete, deactivate the form. Forms may be reactivated at any time in the future for re-use. Deactivating does not affect your transaction reports or your ability to find transaction activity for the campaign. To re-use a form over multiple periods or years, use the date range search fields to find a targeted campaign period. -
Form obfuscation
It's a big word, but a simple concept. Obfuscation is a method of obscuring or hiding a form's identification number to make it more difficult for bots to find and exploit.
What you can do:
If your form is actively being hit, we will ask you to post a custom URL (the obfuscation process will occur on the back end). OR if you want to be proactive, you can request a custom URL from us at any time. -
ReCAPTCHA
A CAPTCHA/reCAPTCHA is a method used to distinguish human actions from machine input.
What you can do:
An invisible CAPTCHA is active on your form(s) by default. -
CVV/CVC verification
A card verification value/code is the 3 or 4 digit number on the back (or front) of a credit card.
What you can do:
By default, the CVV/CVC is required on all public transactions. There is no option for the charity to disable this function. -
Address Verification
If your form is actively being hit, we will enable address verification for credit card payments. The card holder's billing postal code is verified before the transaction is approved. This can act as a deterrent to card testers.
What you can do:
Be aware of this security feature to help your donors. To correct a billing postal code mismatch, the donor must contact the card issuer to find out what billing zip code is on file for the card. -
IP controls
IP controls monitor the number of failed transactions by IP address. After a specified number of failed transactions, the offending IP address is blocked from additional attempts. Although effective in limited situations, more sophisticated hackers will switch IP addresses after one or two declines.
Credit card fraud targeting nonprofits is a significant problem. Being proactive and following these simple guidelines will help to protect your organization from this type of abuse.