What do I need to know about carding attacks, prevention, and the Payflow carding prevention module?

Payflow has implemented a carding feature that is designed to help merchants minimize fraudulent carding attacks and the costs associated with them. The feature will be enabled by default. Once the carding prevention module has been released, Payflow will monitor accounts for a high level of declines and invalid information provided. If the number of declines or invalid transactions exceeds the threshold set by PayPal, the carding module will be triggered and the account is blocked from processing any additional transactions until the block has been lifted/removed.

If your business model generates a high number of valid declines or invalid transactions within a brief period, you have the option to set your account to 'Whitelist'. Batch processing transactions is an example of a business model that might generate high declines and invalid transactions. Note: Any accounts that opt out of the carding module and set their account to Whitelist are fully responsible for any fees associated with carding on their account.

Note: While this service minimizes carding attacks, please be aware that customers are responsible for any transactional fees imposed by PayPal, or their bank, that result from carding attacks.

What happens when the carding module is triggered?

If the carding module is triggered the following will occur:
  1. An email is sent to all ADMIN users on the account, informing them that PayPal has noticed an increase in declines on their account and the account has been blocked from processing any additional transactions.
  2. The account is blocked and ALL transactions are rejected.
  3. PayPal returns result code 170, with the message of Fraudulent activity detected: Carding, for all attempted transactions while the account is blocked. 

Unblocking an account

You can unblock your account by completing the following steps:
  1. Log into PayPal Manager.
  2. Click Account Administration.
  3. Under Manage Security, click Carding Prevention.
  4. To allow transactions to be accepted and return your account to normal processing, select Not Block under Enable Carding Prevention. It might take up to 5 minutes for the changes to take effect. Note: If your account is flagged for carding attacks again, it will be blocked again.
The rest of this article provides information about carding and what you can do to prevent it, using Payflow and other techniques:

What is carding?

Carding is a form of credit card fraud where thieves use stolen credit cards to charge prepaid cards and sell them to other people. People perpetrating this type of fraud are called "carders". Because credit cards are often canceled quickly after being lost, a major part of carding involves testing the stolen card information to see if it still works. One way thieves test card information is by submitting purchase requests on the Internet, something that can impact merchants.

Investopedia has a great article about carding if you want to learn more: https://www.investopedia.com/terms/c/carding.asp

Do I get charged for carding activities? All transactions valid or not are charged a per-transaction fee by PayPal and your bank; carding included.  It is possible to work with your banking partner to eliminate these fees, but prevention is the first step and most banks will only allow one grace adjustment for carding.

Reacting to carding activity

Credit card fraud can be a significant problem for merchants. If you are a victim of fraud or suspect fraudulent transactions, take the following actions: 
  1. Contact your merchant bank and notify them that fraudulent activity has taken place.
  2. Issue a VOID or CREDIT to the card or cards to avoid chargeback fees from your merchant bank.
  3. Verify the security of your login and password information both internally and on your website.
  4. In PayPal Manager, change the password of the account used to process transactions. After you reset your account password, you can then reset the password within your web server. Your shopping cart or application password must match the new password you create, otherwise, transactions will fail with a User Authentication/Result Code 1 error.
  5. Contact your Internet Service Provider (ISP) or hosting company to see if they have a record of the IP addresses where the fraudulent transactions came from. Next, have your account restrict access from those IP addresses.
  6. Contact PayPal Merchant support by phone at 1-888-883-9770 or by email at payflow-support@paypal.com for additional information, including the credit card number if needed.
  7. File an internet complaint on the ic3.gov website.
  8. Complete a full virus and malware scan of all systems involved including your website and computer stations.
  9. If you are using the same account to process transactions and to log into PayPal Manager, it is HIGHLY suggested that you also set up a new Payflow Pro API user account within PayPal Manager. Setting up a new account ensures that changes to your PayPal Manager password will not prevent the processing of your transactions. Also, if a hacker compromises the API user account, they cannot log into the PayPal Manager and make changes to your account.
See the Payflow Fraud Protection Services Guide for details on how PayPal can help you with your fraud management. 

Detecting and preventing carding activity

As with any other fraudulent activity, there is no magic bullet to detect and prevent all carding. We suggest implementing a layered payment review process, including the following features and activities: 
  • Use a CAPTCHA CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) creates challenges to ensure that payment attempts are not sent by automated scripts.
  • AVS responses - The Address Verification System (AVS) checks the billing address that buyers provide at checkout against the address that the credit card company has on file for them. The credit card company sends a response immediately to let you know if the billing address matches. The common responses are:
    • - Full address match
    • - Address match only
    • - Only the zip code provided matches
    • - No information matches. The credit card company will not stop a transaction if the AVS response is N unless the card has been reported lost or stolen.

      The AVS system works in the U.S., Canada, and the U.K. only.  Credit cards issued from any countries that do not support AVS may return the following responses: U (AVS unsupported), S (AVS system unavailable), or G (Global card.)  See the Payflow Developers Guide for more information on AVSADDR and AVSZIP.
  • CSC responses -The Card Security Code (CSC) system checks the 3 or 4 digit number of the credit card and verifies it during the authorization processes. The common response is:
    • Y - Matched
    • N - Does not match
    • X - Unknown or no response

      You should only accept transactions where the CSC matches.  See the Payflow Developers Guide for more information on CVV2MATCH.
  • IP geolocation checks - Doing IP geolocation checks is a way to match the IP that the user is accessing your website from against the billing address that they provide when they check out. In addition to checking the IP against the billing address, you should also check to see if the user is accessing your website using a proxy IP. A proxy IP is generated through free or paid services that make it appear that the user is accessing your website from a location other than where they actually are. If the user's billing address is in one state (such as Nebraska) but their IP is in another state (such as Florida), it is possible that they are traveling but this should not be assumed. This type of mismatch warrants a closer look at the user's information.
  • Credit card BIN checks - The Bank Identification Number (BIN) is the first six digits of every credit and debit card. Not only does it provide information regarding the type of card that is being used (Visa, MasterCard, American Express, or Discover), but it can also be used to find the name and location of the bank that issued that particular card. This information can be very important in detecting carding. Typically, you should see a wide dispersal of cards with the same BIN. For instance, you may receive two payments from cards with the same BIN in a month; with carding, especially if credit card information has been purchased online, you may receive ten payments from cards that have the same BIN, within a day or two. Tracking BINs may help identify this activity.
  • Machine ID/device fingerprinting - This can be used to identify problematic or fraudulent customers. It is commonly offered by third-party fraud management companies to determine whether or not a user is repeatedly visiting a merchant's site using different payment attributes (names, addresses, IPs, credit cards, computer browsers, etc.) to mask their identity. Fraudsters may visit your site often and make several purchases using different payment information, but the device that they use to make the purchase will be the same.
  • Velocity checks on your shopping cart - This suggestion refers to checks you do on your website, not through the Payflow velocity fraud filters. Velocity is the number or speed of payments made within a certain period of time, for example, 10 payments sent from the same customer within seconds or minutes of each other. Monitoring this activity is important. Even with donation sites, it may be unusual for a user to make low dollar payments in rapid succession. Payment velocity can be monitored by dollar amount, user IP, billing address, BIN, or device.
  • Shopping cart session velocity - This refers to the number of times that one buyer can attempt to complete an order in one shopping cart session. By putting a limit on the attempts in one checkout session, you have visibility into the number of shopping cart declines which may assist in identifying a possible carding situation.
  • Authorization/capture - If you are using authorization/capture, review the transactions during the authorization period. If you believe that you are being targeted by carding activity, do not capture the funds. If you have already captured the funds, you have the option to issue a refund rather than wait for a chargeback.