Stolen Credit Card Number Testing Increases 200 Percent in 2017 Proving eCommerce Fraud is set to Explode

Alarming new data from Radial warns retailers of the urgency to manage fraud without compromising revenue or customer loyalty.

01 May, 2017, 09:00 ET

KING OF PRUSSIA, Pa., May 1, 2017 /PRNewswire/ — Just released data from Radial’s leading eCommerce Fraud Technology Lab adds another alarming statistic for retailers to contend with when delivering a seamless customer experience. To date in 2017, data shows a 200-percent increase in credit card testing, a tactic used by fraudsters to test stolen credit card numbers with small incremental purchases before making large-dollar purchases on the card, compared to the same quarter in 2016. Fraud also is up 30 percent year over year, proving to already struggling retailers that this is just the beginning of online fraud in the post-EMV world.

Managing fraud continues to be a double-edged sword for retailers. Many apply tools that over-reject orders, and in the process decrease their customer transaction approvals and lose valuable revenue. Others build their fraud teams in-house, which often lack the historical data and rules to catch subtle card testing tactics like the ones identified by Radial. Card testing leads to more eCommerce fraud because it is easy to identify when a retailer is allowing these types of fraudulent transactions through.
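A rule for the card-testing pattern described above (several small purchases on one card, then a large one) can be sketched as follows. This is an added example, not Radial's method; the card tokens, thresholds and sample transactions are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def find_card_testing(txns, small_max=5.00, large_min=200.00,
                      min_probes=2, window=timedelta(hours=24)):
    """Return {card: (probe_amounts, large_amount)} for cards where at least
    `min_probes` small purchases precede a large purchase within `window`.
    All thresholds are assumptions to tune against a merchant's own history."""
    by_card = defaultdict(list)
    for ts, card, amount in sorted(txns):
        by_card[card].append((ts, amount))
    hits = {}
    for card, rows in by_card.items():
        for i, (ts, amount) in enumerate(rows):
            if amount < large_min:
                continue
            # Small purchases on the same card shortly before this large one.
            probes = [a for t, a in rows[:i]
                      if a <= small_max and ts - t <= window]
            if len(probes) >= min_probes:
                hits[card] = (probes, amount)
                break
    return hits


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data: (timestamp, tokenized card, amount in USD).
SAMPLE = [
    (_t("2017-04-03 10:00"), "tok_A", 1.00),    # probe
    (_t("2017-04-03 10:02"), "tok_A", 2.50),    # probe
    (_t("2017-04-03 10:05"), "tok_A", 4.00),    # probe
    (_t("2017-04-03 10:20"), "tok_A", 899.00),  # large purchase after probes
    (_t("2017-04-03 11:00"), "tok_B", 3.99),    # one small order only
    (_t("2017-04-03 11:30"), "tok_B", 450.00),
    (_t("2017-04-01 09:00"), "tok_C", 1.00),
    (_t("2017-04-01 09:01"), "tok_C", 1.50),
    (_t("2017-04-05 09:00"), "tok_C", 300.00),  # outside the 24-hour window
]

if __name__ == "__main__":
    for card, (probes, big) in find_card_testing(SAMPLE).items():
        print(f"{card}: {len(probes)} small purchases {probes} then {big:.2f}")
```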

“Our data adds another alarming statistic for retailers who may be unprepared to manage fraud activity in eCommerce. We know fraudsters won’t stop looking for opportunities to monetize their stolen data and will even automate this process once they have a card that appears to be working,” said Stefan Weitz, chief product and strategy officer at Radial. “This results in quick, large volume purchases that leave retailers vulnerable. When retailers miss card testing, they’re contributing to future card attacks. Fighting card testing is complicated, but can stop millions of unanticipated fraud attacks if tracked and managed efficiently.”

The fraud landscape is rapidly changing and presents pervasive and growing threats for eCommerce merchants. Radial’s Fraud Technology Lab and a team of data scientists use their robust fraud platform to uncover how trends in fraud can drive down retailers’ bottom lines and increase their risk. According to Radial’s analyses, since August 2016, the market segments of electronics, entertainment, jewelry, and sporting goods experienced the highest increases in online fraud during the 2016 peak season.

“Increasing revenue has never been more important for retailers. They cannot afford to be slammed with fees that stem from missing fraud activity and must count on each good order getting approved,” said Weitz. “More retailers claim they are combatting fraud, but underestimate the other areas they’re endangering – like revenue and customer loyalty – when they don’t use the types of data sets Radial has to increase transaction approval and take on full liability of combatting fraud.”

About Radial

Radial is the leader in omnichannel commerce technology and operations, enabling brands and retailers to profitably exceed retail customer expectations. Radial’s technical, powerful omnichannel solutions connect supply and demand through efficient fulfillment and transportation options, intelligent fraud detection, payments, and tax systems, and personalized customer care services.

Hundreds of retailers and brands confidently partner with Radial to simplify their post-click commerce and improve their customer experiences. Radial brings flexibility and scalability to their supply chains and optimizes how, when and where orders go from desire to delivery. Learn how we work with you at

Steps to Reduce Credit Card Fraud For Distribution Industry

Credit card fraud is still rampant in the US, even after the US EMV liability shift convinced many merchants to purchase terminals to support chip cards. Marine, auto, and other high value parts dealers have long had a problem mitigating fraud risk with local and international parts.

  1. For card not present orders, require self-pay with cardholder authentication. Taking cards over the phone, and/or requiring a credit card authorization form, will not protect against all forms of counterfeit card fraud. However, consumer authentication shifts liability back to the issuer; the issuer guarantees payment, and because it’s lower risk, dealers can qualify for lower interchange rates, the bulk of merchant fees. Online payment, ecommerce payment, and electronic bill presentment and payment are the 3 methods dealers can use to enable self-payment.
  2. For retail orders, EMV is mandatory. Not by regulation, but by necessity. If a chip card is presented and the merchant supports it, they’re 100% protected from counterfeit card fraud, and sometimes lost or stolen cards; if it is not supported by the merchant, the merchant can be automatically charged back at the issuer’s discretion and there’s no dispute process for merchants.
  3. Check guarantee. Whether in person or via echeck, check guarantee services are only good if they don’t reject your checks later on. Surprisingly (or maybe not), some services seem to look for ways not to approve your claim, such as information missing from checks. This can be avoided with technology that forces users to collect the right data, including for remote self-payers.

If all of the above are implemented, dealers are protected from virtually any type of credit card fraud. The following tips will help prevent other types of lost disputes, or serve as supporting documentation if not all the above are implemented.

  1. Get a signed sales order. This can reduce non-fraud claims related to disputes about what was expected. The sales order should clearly state what was sold, the refund policy, and the cancellation policy, or refer to another document that specifies the information, with acceptance initialed on the sales order.
  2. Ship to the cardholder billing address. If that is not possible, then get cardholder approval stating that the bill-to and ship-to addresses are different and that they approve.
  3. Require all communications to go to the cardholder’s business email address if selling wholesale. Free email like Gmail is not OK.
  4. Require the cardholder to respond from a business email address approving the transaction receipt. This is a strong document in the case of a dispute for “I didn’t approve it”, especially when a third party is picking up the part from the dealer.
  5. The marine, automotive and other distribution companies are hit particularly hard with non-qualified transaction penalties when shifting between retail, key entered, and online payments. It’s critical that transactions are presented properly not only to qualify for lower rates, but to protect against lost disputes that require specific evidence for each type of transaction.

Not related to security, but critical for interchange rate qualification, the bulk of credit card processing fees, all services (retail, MOTO, ecommerce) should support level III processing.

In summary, dealers need US EMV and cardholder authentication to maximize risk mitigation from credit card fraud. US EMV requires terminal certification, and gateway certification* to your merchant account provider. Cardholder authentication requires a payment gateway certified for the service. There are very few companies that meet all these requirements so if your credit card processing salesperson gives you a blank stare when you ask, it’s time to explore other options.

*A payment gateway certified for level III retail to your acquirer is required; countertop terminals are incapable of sending level III data.

Need an EMV terminal? The problem with desktop terminals for mixed retail & card not present

For mixed retail and card not present merchants, especially with a business to business customer component, a traditional desktop terminal can cause problems including failed PCI compliance, higher merchant fees, and increased losses from customer disputes – the dreaded chargeback. To comply with EMV, now is the time to address multiple business needs to maximize profits.

Why is a traditional desktop terminal bad for mixed customer base?

Verifone VX520 with VX805 EMV terminal

  1. Merchants have retail merchant accounts with their swiped terminal. When a transaction is key entered, it automatically qualifies for the worst non-qualified rate for the card type, because expected magnetic stripe data is not received.
  2. Key entered or card not present (CNP or MOTO/ mail order telephone order) transactions require additional data to protect against fraud losses. Users can bypass prompts if asked, but more importantly, the transaction is still presented as RETAIL, so retail rules apply for responding to disputes.
  3. Internal paperwork such as credit card authorization forms are PCI compliance nightmares and often don’t meet requirements to win disputes.
  4. For any business with a commercial account aspect, there is NO desktop terminal capable of qualifying merchants for the lowest fees, available only by supplying level III data.

What’s the alternative to a desktop terminal?

Verifone MX915 multilane signature capture terminal

Desktop software products like PCCharge and ICVerify have all announced end of life because they cannot support new payment technologies like EMV. The swiper wedge that many small businesses have used does not support EMV and that won’t be changing, so it too will disappear. The alternative is a payment gateway with virtual terminal; a cloud based solution. Buyer beware. There are significant differences between gateways; many of them are not much better than a desktop terminal.

Virtual Terminal with EMV Buyer Tips:

  • Choose an agnostic gateway. That way if you want to change processors in the future, it’s not disruptive to operations.
  • Verify the gateway has an EMV certified terminal for your processor today. For example, First Data publishes their list of certified solutions here: First Data Integrated Partner Solutions Certified Listing.
  • Beware language such as, ‘EMV ready’ for both gateway and desktop solutions. EMV certified terminal is not the same as a certified solution that can be EMV enabled today with your processor.
  • Ask if the gateway supports level 3 processing for retail.
  • If the gateway cannot dynamically change transaction representment from retail to MOTO (and virtually none do), key entered transactions have the same risk as a desktop terminal.

What about mobile? Mobile EMV will largely be rolled out next year, as hardware needs to first be certified, and then all the other certification components will follow.

The only payment solution today that supports level 3 processing for retail is CenPOS, which also has the most EMV terminal certifications of any gateway to date.

CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. CenPOS is available globally. For additional information, contact Christine Speedy, 954-942-0483.

zip code, address verification and cvv code validation responses

avs code responses

Above are all the possible responses for credit card address verification, in a screenshot from the CenPOS merchant parameter manager, where administrators can set rules and automatic alerts to mitigate fraud risk. Zip code and CVV each have additional response options.

Ever wondered what the possible responses are when a merchant does a credit card address check? For card not present transactions, performing fraud checks can mean the difference between lost disputes and managed risk. Payment gateways vary widely in the response data returned to a merchant. For example, PASS, FAIL, and UNCHECKED provide little information for a merchant to make an educated decision about whether to approve a transaction.

Payment Gateway Fraud Tools To Look for:

  • What responses are possible? What depth of information is available to review?
  • Can merchant automatically decline a transaction, but allow a supervisor to override?
  • Can merchant automatically send real time alerts to management of potential risky transactions?
  • Are there other fraud tools that can be used as part of the transaction review?
  • What services cost extra, and what are standard?

Equally important is the ability to automate activating different tools for different situations, for example when a merchant switches between card present and swiped transactions.
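The difference between a PASS/FAIL answer and detailed response codes shows up once rules are written against them. The sketch below is an added example, not CenPOS code or its API: the AVS letter meanings are the commonly used ones and should be confirmed against your gateway's list, and the policy and thresholds are hypothetical.

```python
from dataclasses import dataclass

# AVS result letter -> (street matched, ZIP matched); None means not checked.
# Assumed meanings of commonly used codes; gateways and card brands differ.
AVS = {
    "Y": (True, True),
    "A": (True, False),
    "Z": (False, True),
    "N": (False, False),
    "U": (None, None),   # issuer did not take part in AVS
    "R": (None, None),   # issuer system unavailable, retry later
}


@dataclass(frozen=True)
class Decision:
    action: str        # "approve", "review" or "decline"
    overridable: bool  # may a supervisor override a decline?
    alert: bool        # send a real-time alert to management?
    reason: str


def decide(avs_code, cvv_matched, amount, card_present=False, review_over=500.00):
    """Hypothetical merchant policy; every rule and threshold is an assumption."""
    if card_present:
        # Chip or swipe sale: AVS is a card-not-present tool, so skip it.
        return Decision("approve", False, False, "card present")
    if cvv_matched is False:
        return Decision("decline", False, True, "CVV mismatch")
    street, zip_ok = AVS.get(avs_code.upper(), (None, None))
    if street is None:
        # Unchecked is not a pass: never auto-approve it.
        return Decision("review", False, True, f"AVS {avs_code}: not verified")
    if street and zip_ok:
        return Decision("approve", False, False, "AVS full match")
    if not street and not zip_ok:
        return Decision("decline", True, True, "AVS no match")
    # Partial match: approve small orders, hold larger ones for a person.
    if amount >= review_over:
        return Decision("review", False, True, f"AVS {avs_code}: partial match")
    return Decision("approve", False, False, f"AVS {avs_code}: partial, low value")


if __name__ == "__main__":
    for args in [("Y", True, 120.0), ("Z", True, 900.0), ("N", True, 60.0),
                 ("U", True, 60.0), ("Y", False, 60.0)]:
        print(args, "->", decide(*args))
```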

If I have a faxed approval form why do I lose chargebacks?

Do you take orders over the phone? How can you defend against chargebacks? You’re not going to like the answer I outline below because the burden on merchants is nearly insurmountable.

RULE NUMBER ONE: You must have a MOTO* merchant account. If you run a card absent transaction on a RETAIL account, you will automatically lose because you won’t be presenting the transaction according to the rules of the merchant account with an in-person signature or PIN entry AND card swipe or manual imprint. * MOTO is an abbreviation for mail order / telephone order; faxed orders fall under this rule as well.

RULE NUMBER TWO: If the payment was made via a web page or ecommerce shopping site, the merchant must have an ECOMMERCE merchant account.

What if you accept credit cards via the internet and MOTO? Ecommerce presentment rules generally include MOTO requirements, but MOTO presentment rules do not include all Ecommerce presentment requirements. You should read the rules carefully as they apply to your particular situation and NOT rely on this article.

Below are excerpts of the relevant rule from Visa and the condition I most often see cited on merchant chargeback forms. (Other cards have similar language. Please note the Visa International Operations Guidelines book is over 1100 pages so to keep this brief, this is a very narrow look, with text beginning from page 836. Excerpts may be taken out of context to provide insights and should not be relied upon.)

Reason Code 83 Fraud—Card-Absent Environment
Overview: Time Limit: 120 calendar days
Cardholder did not authorize or participate in a Card-Absent Transaction or Transaction was
processed with a Fictitious Account Number or no valid Card was outstanding bearing the Account
Number on the Transaction Receipt.

Chargeback Conditions – Reason Code 83
1. Cardholder did not authorize or participate in a Card-Absent Environment Transaction.

Representment Processing Requirements – Reason Code 83
b. Evidence of Imprint and signature or PIN  (Yes, it really says this under card not present!)
d. For Chargeback Condition 1, compelling evidence that the Cardholder participated in the
Transaction, excluding U.S. Domestic Transactions.


8. Mail/Phone Order or Electronic Commerce Transactions, if both: This provision applies to U.S.
Domestic Transactions (This only applies in the U.S. Region.)
a. Merchandise was shipped or delivered, or services were purchased (This only applies in the
U.S. Region.)
b. Issuer was not a participant in the Address Verification Service on the Transaction Date and
Acquirer received an Address Verification Service response code “U” (This only applies in the
U.S. Region.)

Additional Information – Reason Code 83
1. “Signature on file” notation is not an acceptable signature.
2. Pencil rubbing of the Card or a photocopy of the Card is not considered proof of a valid Imprint.


  • When a merchant account is opened, merchants are issued a metal plate with their required merchant account identifying information to use with imprinting forms. Don’t toss it into a drawer. Buy an imprinter (about $25 from most office supply stores) and some voucher forms, put your plate in and keep it secured but handy in case you need it. If you don’t know where your plate is, call your processor and ask for a new one. To mitigate risk, run the form through your imprinter, fill in all the information and then send the form to your customer. They must a) rub a pen across it to simulate the imprint mechanism running across it, and b) sign the form. This creates additional burdens to the merchant for PCI Compliance, since the imprint would have to be stored for 180 days, the current allowable chargeback time. But think of the burden of proof trail you’ll be able to produce: the form is sent to the customer address, the card must pass AVS verification (address on card matches address mailed to), and you have a signature.
  • To save time, merchants frequently only partially fill in the form, but this is not sufficient. All fields must be completed and the customer must sign.
  • Ship merchandise with signature required, only to addressee.
  • Shipping address and billing address must match. (You will lose automatically if they don’t unless you have special supporting document signed by the customer stating their desire to have shipped to a 3rd party address.)

Editor’s note: This article primarily addresses card absent, not ecommerce. A merchant solution to help mitigate risk is CenPOS. Here are a few ways you can use CenPOS tools:

  • Restrict user permissions for transactions.
  • Set additional requirements to pass a transaction over merchant defined thresholds.
  • Set up email alerts for notification of transactions over thresholds.
  • Restrict types of cards accepted and rules for acceptance.

Is a pencil rubbing of the credit card or a photocopy of the credit card OK to defend against chargebacks? Yes, but only if the merchant has an imprint of the card on a credit card voucher form that is fully completed and signed by the customer.

Is a faxed approval form for the charge amount OK to defend against chargebacks? No. The merchant must have an imprint of the card on a credit card voucher form that is fully completed and signed by the customer.