Visa guidance on how to protect your eCommerce site from Card Testing Schemes and Enumeration Attacks.
Visa Merchant Business News Digest is a resource for merchant-related news topics and publications. Every month, Visa highlights recent news and tips to educate merchants on important issues, products, and rules. In the bulletin, Visa reported that they had “observed a sustained increase in enumeration attacks and account testing.”
Credit card fraud is the leading type of identity theft. And recent stats show that Card-not-present fraud accounts for 65% of all fraud losses.
Visa takes steps to protect the payment system, using both machine learning analytics and real-time detection of fraud. But it is also the obligation of the clients using the system to safeguard cardholders and payment card information.Visa wants to remind merchants that the best way to quickly detect and block them is through the maintenance of adequate controls. Because of this, they also offered guidance to help merchants know how to maintain adequate controls to detect and block these schemes.
Here, we explain what each of these cyber attacks entails. We’ll talk about how the tactics used are evolving with the payment system. And we’ve broken down Visa’s suggested guidance into plain English to help merchants better understand what they can do to protect themselves, the payment system, and cardholders from these fraudulent activities.
Certain types of fraudulent attacks exploit eCommerce credit card processing and payment rails. These are bothBoth of these attacks target merchants’ eCommerce websites and use automated scripts or software to carry out the attack. The goals of both types of attacks are the same: (1) to learn payment account information they need, or (2) to validate payment card data. The attacks are similar, but there are a few distinct differences.
Enumeration Attack: Uncovering the correct combination of numbers that match a payment account.
Automation software rapidly attempts transactions cycling through numeric or alpha-numeric sequences until the correct combination is found and a transaction is approved. The payment values they are looking for generally include the primary account number (PAN), the expiration date, the CVV2 code from the back, and the billing zip code.
Account Testing Scheme: Testing payment card data for validity
This is a scheme where payment card data that was either stolen or bought on the dark web is tested for validity. The fraudster usually submits one or two very low value transactions for approval. Once they receive approval, they know the account is active and the card data is valid. Automation software can test thousands of cards within a short amount of time.
Card testing schemes go by many names, including card tumbling or stuffing, BIN testing, and Credit Master attacks.
Fraudsters are targeting specific merchant types and attempting to unlock credentials within specific issuing BINs. Some of the most targeted merchant categories include pharmacies and drugstores, CBD merchants, and colleges at all levels.
Visa believes that lack of adequate fraud controls are the main reason fraudsters are targeting these types of merchants. This is usually because certain businesses don’t believe they would be a target for fraud.
There are also industries that use special POS system or payment platforms developed specifically for their industry. If the third party software provider lacks robust fraud control within their software, their clients become a target. Once a fraudster learns of a specific segment using this type of software, they target merchants within that industry.
The most obvious impact of enumeration attacks and card testing schemes is the compromise of the cardholder's account. But these schemes also result in negative impacts to many other parties involved in the payments system. Lingering repercussions from these types of fraud cost money, affect business processes, and expose businesses to compliance risk.
Here are just a few of the ways these attacks create problems beyond the initial fraud:
Every time a transaction is attempted, the merchant incurs several processing fees. These include authorization fees for both approval and declines, interchange fees, gateway fees, and settlement fees.
Merchants who were not involved with the initial attack will now incur costs and penalties as a result of the compromised accounts. These cards will ultimately be used to make fraudulent purchases with other merchants. Once the cardholder realizes they have unauthorized purchases on their card, they will initiate a chargeback filing with their card issuer. The merchant not only loses the product or service rendered and the compensation for the product, they also incur costs, fees and penalties due to the chargeback filing.
Merchants will incur additional operational expenses due to dealing with the attacks and subsequent fraud. There may be staffing expenses for additional customer service. There are increased staffing costs for responding to chargeback filings. Gathering and submitting paperwork and meeting chargeback deadlines is very time-consuming for merchants. Merchants also risk possible loss of business from the victims of account compromise. And the fraud opens the merchant up to the potential for being charged assessments for non-compliance.
Card issuing banks also incur extra expenses due to reissuing new payment cards to victims of account takeover.
Merchants hit hard could be entered into Visa’s risk monitoring programs, which puts their merchant account at risk and comes with additional fees.
Merchants who are victims of widespread fraud risk the potential for brand damage. Brand damage can cause long-term problems with the bank and affect the consumer’s perception of their reputation.
This is why a layered approach is so important. First, we must reduce the chance they can find an open door. Then there must be adequate controls for detecting and blocking fraud attempts that do get in.
Fortunately, if merchants follow Industry Best Practices for payment card security, they can reduce their chances of being a target.
One of the first lines of defense against fraud is to use CAPTCHA on check-out pages. This will stop fraudsters from using bots and scripts to automate transaction initiation.
Velocity controls are a fraud prevention tool that detects potential fraud based on the rate at which multiple transactions are submitted. Velocity controls will monitor both increases and decreases in certain factors.
They detect spikes in authorization attempts across numerous data points. They can detect attempts using sequential account numbers, the same issuer, or the same BIN. They can also recognize when numerous transactions occur in the same or similar transaction amounts.
Velocity checks also detect and flag declines based on specific decline response codes. Certain decline codes would be common in enumeration attacks and card testing schemes.
Common decline codes include:
Websites should be continually monitored for suspect or unauthorized connections. Employ the use of P2PE (point-to-point encryption) or PCI-validated cryptographic keys.
Implement per-session velocity limits. This will limit the number of transactions that can be completed per user session. And set session limits so that they expire after a determined period of inactivity.
Require unique login credentials, periodic password changes, and implement employee training on social engineering and phishing schemes.
Confirm that all third-party integrators employ adequate fraud detection and prevention controls.
In business, accepting credit cards is not a choice, it's a must. But that doesn't mean that merchants should be subjected to high costs and increased risk due to fraud.
At MonerePay, we believe it's our job to help protect merchants, their customers, and the payments ecosystem from fraudulent activity. Because of this dedication, we strive to provide solutions that employ only the highest level of security protocols. In addition, we offer merchants Enhanced Fraud and Chargeback monitoring solutions. This is one of the best ways to detect and protect against potentially fraudulent transactions.
But we also believe that merchants deserve access to fair and transparent pricing with a merchant service provider focused on service.
When you partner with MonerePay for your merchant account, rest assured you have a partner that is focused on your success. You will have a team of experienced, certified payment professionals dedicated to creating a solution tailored to your specific needs. And you'll know you have a dependable merchant account with the most fair and transparent pricing available.
To learn more about how we’re changing merchant services for the better, call us today. One of our ETA Certified payments professionals will be happy to serve you.