Help Guide
Minimizing Card Testing Fraud
Posted: October 27, 2021

What is Card Testing Fraud?

Card testing is when a fraudster with a stolen credit card number makes a small purchase to check if the card is active and if the purchase avoids the merchant's fraud detection measures.

Why are Nonprofits a Target?

  • A simple payment process
    Because nonprofits want to offer an easy way for donors to contribute, they opt for a publicly available donation form with a low minimum limit for giving. Unfortunately, this makes it easier for fraudsters to access that form.
  • Flying under the radar
    Fraudsters like to keep testing transactions small to pass "under the radar" of card issuers, banking institutions, and many card holders. Even if a card holder discovers a small charge to a charity, they are less likely to report the activity or challenge the charge if it is minimal.
target

What does GiveDirect do to Minimize Card Testing?

  1. Regular monitoring

    GiveDirect monitors transaction activity and issues refunds when fraud is discovered. However, you know your givers best and may recognize an unusual transaction more easily.

    risk management graphic

    What you can do:
    Log in to your Control Panel on a regular basis and review your transaction reports. If you notice something that looks out of the ordinary, let us know.

  2. Manage the number of active fundraising forms

    With GiveDirect, you can create an unlimited number of fundraising forms. However, since every active form gives fraudsters another opportunity to use that form for card testing, best practices dictate that once a campaign is complete, the form should be deactivated.

    What you can do:
    Once a campaign is complete, deactivate the form. Forms may be reactivated at any time in the future for re-use. Deactivating does not affect your transaction reports or your ability to find transaction activity for the campaign. To re-use a form over multiple periods or years, use the date range search fields to find a targeted campaign period.

  3. Form obfuscation

    It's a big word, but a simple concept. Obfuscation is a method of obscuring or hiding a form's identification number to make it more difficult for bots to find and exploit.

    What you can do:
    If your form is actively being hit, we will ask you to post a custom URL (the obfuscation process will occur on the back end). OR if you want to be proactive, you can request a custom URL from us at any time.

  4. Require a larger minimum donation

    Since testers favor small donation amounts, we recommend you set the form's minimum amount to be at least $15. This will mean legitimate donors will also need to follow this requirement.

    What you can do:
    The caveat to this recommendation is if you want to run a micro campaign for a short period of time. The minimum can be set as low as $1 - as long as the form is deactivated immediately at the end of the campaign. To modify the minimum donation amount, go to your form's edit page under My Campaigns > Fundraising Forms.

  5. ReCAPTCHA

    A CAPTCHA/reCAPTCHA is a method used to distinguish human actions from machine input.

    What you can do:
    An invisible CAPTCHA is active on your form(s) by default. We request that you leave it turned on, but for special circumstances, it can be turned off for a short period of time. You may access the CAPTCHA from your Control Panel > My Campaigns > Fundraising Forms.

  6. CVV/CVC verification

    A card verification value/code is the 3 or 4 digit number on the back (or front) of a credit card.

    What you can do:
    By default, the CVV/CVC is required on all public transactions. There is no option for the charity to disable this function.

  7. Address verification

    The card holder's billing postal code is verified before the transaction is approved.

    What you can do:
    By default, address verification is required on all public transactions. There is an option for the charity to turn this function off, but it is not recommended. If turned off, it is a charity responsibility to closely monitor transaction reports for fraud and testing.

  8. IP controls

    IP controls monitor the number of failed transactions by IP address. After a specified number of failed transactions, the offending IP address is blocked from additional attempts. Although effective in limited situations, more sophisticated hackers will switch IP addresses after one or two declines.

Credit card fraud targeting nonprofits is a significant problem. Being proactive and following these simple guidelines will help to protect your organization from this type of abuse.