Carding is a form of credit card fraud in which a stolen credit card is used to purchase goods and services or to acquire bitcoin, prepaid or store-branded gift cards. In the case of prepaid gift cards, they are then sold to others or are used to buy products that can be sold for cash.

There are other names for carding, including card cracking, card testing, card stuffing, and card checking. But whatever you call it, it's a very serious threat to anyone accepting credit card payments online. The threat comes from the additional fees you will be charged for the carding transactions, and from the loss of shipped products as a result of the "payments". After a carding event, if you have not appropriately managed all the transactions, you may also be faced with dispute fees from consumers contesting the charge on their card as fraud.

These costs mount up very quickly.

In this article, we discuss how carding works, the costs involved as well as how to avoid your site being used in a carding event.

How carding works.

Carding begins when the attacker uses an automated bot to perform small purchases on stolen credit cards, which may have been purchased off the Dark Web or procured by themselves. Each attempt at a purchase, tests a card number against a merchant's payment processing system in order to learn if a card is indeed valid and an available balance is associated with it. Carding is done thousands of times until a complete, and a thorough list of valid credit cards is produced.

The attacker will then either use the list for their purposes or sell this list on to a third-party.

Unfortunately, there are a lot of bad guys out there.

It's sad but true—there are plenty of bad actors looking to take advantage of business websites and their credit card processes. They are quite sophisticated and need to be taken very seriously.

Many carders operate through a carding forum, which is an illegal site used by carders to obtain the stolen credit card data they need for carding. To disguise their movements, carders often use cryptocurrency to pay for the data that has been stolen. They are also very adept at abandoning one carding forum once it's been discovered by legal authorities and moving on to another forum.

Currently, Russian and Chinese carding forums that operate on the dark web are very active. Russian carding sites, in particular, have strict protocols that make it very hard for counterintelligence officials to discover them and shut them down. Hence, they are very popular among cybercriminals.

The carding sharks are always circling. Beware.

Are you vulnerable to a carding attack?

Carders tend to look for websites requiring the least amount of customer verification. Basically, carders like to take advantage of the fact that merchants want to make it as easy as possible for their customers to make a purchase.

It's precisely these sites that are offering the least amount of what is called friction that are also, unfortunately, the most vulnerable to attack by carders.

The cost of carding to merchants can be quite high.

Carding can exact a heavy price on merchants. For starters, the strain on a merchant's processing infrastructure can make it complicated to differentiate between legitimate and bad payment requests. Causing goods or services to be provided to fraudulent completed sales.

When discovered, there is the time and energy spent responding to a carding attack. Research into what happened will tie up all the company's teams for potentially days. A company's reputation depends enormously on the security of its e-commerce platform, and how quickly they respond to a carding event.

In addition, there are the fees that must be paid whether a credit card sale was approved or declined. Paying fees for fraudulent sales is not a productive business activity, to say the least.

Finally, the merchant risks being exposed to disputes for completed sales that have not been voided or refunded. Disputes, as we all know, are very expensive.

How do you know carding bots have infiltrated your processing system?

One key indication that your website is being attacked by carding bots is seeing multiple failed payment authorizations coming from the same user IP address. Another is an unnaturally high proportion of failed payment authorizations.

It also pays to keep close attention to what is happening with your shopping cart. Do you see unusually high shopping cart abandonment rates? This can be an indication that a bot is attempting to use your website fraudulently.

Keep a close eye on this. It's filled with hints about possible carding attacks.

Keep a close eye on this. It's filled with hints about possible carding attacks.

Lucky for you, there are a lot of techniques a merchant can do to help mitigate against carding. Qualpay recommends using all of them, as it makes sense to your business, starting with placing an automated test on the checkout page called CAPTCHA.

CAPTCHA is a way for you to tell whether a real human is accessing the payment portion of your website. You've probably seen CAPTCHAs before. It's a challenge-and-response feature that can only be answered by an actual person. This may involve repeating a randomly-generated word pattern or answering a question about a visual that appears in the CAPTCHA. Bots are becoming more sophisticated and can sometimes fool the CAPTCHA into allowing the transaction to occur. For this reason, we suggest that you combine CAPTCHA with other mitigation efforts.

Implement AVS and CVV fraud screening features.

AVS stands for Address Verification Service, and CVV for Card Verification Value. Both of these features require a cardholder to provide information that a carder may not have access to. With AVS, the cardholder provides his or her address at checkout. With CVV, a cardholder must present a three- or four-digit number that appears on the actual physical card for a transaction to be completed. Carding may involve rotating through values to guess not only the expiration date of a card but also the CVV and Zip Code.

Set both the ceiling and floor limits on individual transactions.

This is to protect you from the random amounts that carders charge in order to test websites for their susceptibility to theft.

Check for Duplicate Processing

You should also configure your processing system to block transactions from the same card for the same amount within a specified period of time. This is not only good for protecting you from carding, but it also prevents accidental re-processing of the same payment by a legitimate customer.

Monitor the transactions

Further, it's important to use your reporting platform to monitor transactions for high volumes and abnormal behavior. Additionally, you'll want to create automatic rejection lists to block transactions from a card or customer demonstrating repeated fraudulent activity.

Don't forget to employ traditional security methods in order to stop carding.

Use more than one Prevention Technique.

Employ more than one of the suggested prevention techniques, if not all of them. Fraudsters spend their days thinking of ways of being more effective at stealing and finding good credit card numbers, just as you spend your time on how to sell more.

Qualpay is always here to help you.

You are not alone in the battle against carders. Qualpay is always ready to help you in any way we can.

About Qualpay

Qualpay is a fully-integrated payments platform that utilizes the most up to date technology to reduce costs and streamline back-office operations. Its comprehensive system addresses and resolves the payment challenges businesses face, ensuring a stronger, more robust infrastructure that allows companies to focus on growing their business. Qualpay's reporting intelligence and data analytics allow customers to quickly and efficiently manage their payment finances, saving them both time and money. Simply put, Qualpay provides a better way to manage payments. For more information, please visit