What is carding and how can I prevent it?

Carding is a form of credit card fraud where thieves use stolen credit cards to charge prepaid cards and sell them to others. People perpetrating this type of fraud are called "carders". Because credit cards are often cancelled quickly after being lost, a significant part of carding involves testing the stolen card information to see if it still works. Thieves test card information by submitting purchase requests online, which can impact merchants.

Will I be charged for carding?

All transactions are charged a per-transaction fee, carding included. It’s possible to work with your banking partner to reduce or eliminate these fees, but prevention is the first step, and most banks will only allow one grace adjustment for carding.

Reacting to carding activity.

Credit card fraud can be a significant problem for merchants. If you’re a victim of fraud or suspect fraudulent transactions, take the following actions:

1. Contact your merchant bank and notify them of fraudulent activity.
2. Issue a void or credit regarding fraudulent transactions to avoid chargeback fees from your merchant bank.
3. Verify the security of your login and password information internally and on your website.
4. In PayPal Manager, change the password of the account used to process transactions. After you reset your account password, you can reset the password on your web server. Your shopping cart or application password must match the new password you created. Otherwise, transactions will fail with a User Authentication/Result Code 1 error.
5. Contact your Internet Service Provider (ISP) or hosting company to see if they have a record of the IP addresses where the fraudulent transactions originated. Next, have your account restrict access from those IP addresses.
6. Contact Payflow support for additional information, including the credit card number if needed.
7. File a complaint on the ic3.gov website.
8. Complete a full virus and malware scan of all systems involved, including your website and computers.
9. If you’re using the same account to process transactions and to log into PayPal Manager, it’s highly recommended that you also set up a new Payflow Pro API user account within PayPal Manager. Setting up a new account ensures that changes to your Manager password won’t prevent the processing of your transactions. Also, if a hacker compromises the API user account, they can’t log into Manager and make changes to your account.

See the Payflow Fraud Protection Services Guide for details on how PayPal can help you with your fraud management.

Detecting and preventing carding activity.

We suggest implementing a layered payment review process, including the following features and activities:

• Use a CAPTCHA - CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) issues challenges to ensure automated scripts don’t send payment attempts.
• AVS responses - The Address Verification System (AVS) checks buyers' billing address at checkout against the address the credit card company has on file. The credit card company will immediately respond to inform you if the billing address matches. The typical responses are:
  • Y - Full address match.
  • A - Address match only.
  • Z - Only the zip code provided matches.
  • N - No information matches. The credit card company will not stop a transaction if the AVS response is N unless the card has been reported lost or stolen.

  The AVS system works only in the US, Canada, and the UK. Credit cards issued from any countries that don’t support AVS may return the following responses:

  • U - AVS unsupported.
  • S - AVS system unavailable.
  • G - Global card.

See the Payflow Developers Guide for more information on AVSADDR and AVSZIP.

• CSC responses -The Card Security Code (CSC) system checks the credit card's 3 or 4-digit number and verifies it during authorization. The typical responses are:
  • Y - Matched.
  • N - Does not match.
  • X - Unknown or no response.

You should only accept transactions where the CSC matches. See the Payflow Developers Guide for more information on CVV2MATCH.

• IP geolocation checks - Doing IP geolocation checks is a way to match the IP that the user is accessing your website from against the billing address that they provide when they check out. In addition to checking the IP against the billing address, you should check if the user is accessing your website using a proxy IP. A proxy IP is generated through free or paid services that make it appear that the user is accessing your website from a location other than where they are. If the user's billing address is in one state (such as Nebraska) but their IP is in another (such as Florida), they may be traveling, but this shouldn’t be assumed. This type of mismatch warrants a closer look at the user's information.
• Credit card BIN checks - The Bank Identification Number (BIN) is the first six digits of every credit and debit card. It provides information regarding the type of card being used (Visa, MasterCard, American Express, or Discover). It can also be used to find the name and location of the bank that issued that card. This information can be critical in detecting carding. Typically, you should see a wide dispersal of card BINs. For instance, you may receive two monthly payments from cards with an identical BIN. With carding, especially if credit card information has been purchased online, you may receive ten payments from cards with identical BINs within a day or two. Tracking BINs may help identify this activity.
• Machine ID/device fingerprinting - This can be used to identify problematic or fraudulent customers. Third-party fraud management companies commonly offer it to determine whether a user repeatedly visits a merchant's site using different payment attributes (names, addresses, IPs, credit cards, computer browsers, etc.) to mask their identity. Fraudsters may visit your site often and make several purchases using different payment information, but the device that they use to make the purchase will be the same.
• Velocity checks on your shopping cart - This suggestion refers to checks you do on your website, not through the Payflow velocity fraud filters. Velocity is the number or speed of payments made within a certain period, for example, 10 payments sent from the same customer within seconds or minutes of each other. Monitoring this activity is essential. Even with donation sites, making low-dollar payments in rapid succession may be unusual for a user. Payment velocity can be monitored by dollar amount, user IP, billing address, BIN, or device.
• Shopping cart session velocity - This refers to the number of times that one buyer can attempt to complete an order in one shopping cart session. By limiting the attempts in one checkout session, you have visibility into the number of shopping cart declines, which may assist in identifying a possible carding situation.
• Authorization/capture - If you’re using authorization/capture, review the transactions during the authorization period. Don’t capture the funds if you believe you’re being targeted by carding activity. If you have already captured the funds, you can issue a refund rather than wait for a chargeback.