Following up on our previous post about implementing order management processes to prevent shipping orders placed using stolen credit cards, we want to highlight one more tip that can help your site avoid being targeting by fraudsters.

Fraudulent orders generally fall into two categories:

  1. Someone wants the goods you are selling and is using a stolen credit card to pay for them. This scenario was addressed in our initial blog post.
  2. Fraudsters use your site to verify if the stolen credit cards are still active. This is the scenario we are covering in this post. “They go through the steps of validating credit cards before they purchase them,” explains Yazan Gable, a Symantec Security Response engineer. “It’s normally just a token amount, anywhere from a penny to $10,” he said. “Normally, it’s just to verify that the credit card company doesn’t have the card on its cancel list.”

The scammer doesn’t care if they get the goods or not, they just need to get the information about the credit card status. They may provide matching shipping and billing addresses, which will pass most manual checks. However, at some point down the road, after you ship the goods, the credit card company will reverse the charge.

As a merchant, the key is to combating becoming a test site is to display the same information regardless of why the credit card was approved or rejected, so a scammer can’t use your response to validate the credit card. To prevent fraudsters from using your site to authenticate their stolen credit cards, set up your shopping cart as following:

  • A data entry error is immediately shown to the customer so they can make a fix and retry the transaction.
  • Other credit card errors and successful purchase redirects to the same “order confirmation” page.

After seeing all of their credit card numbers appear to work on your site, the fraudster will realize they can’t use your site to test and move on. On the back-end, use your shopping cart settings (in the payments section) to hold or process orders based on return codes from the payment processor.  For the orders you placed on hold, follow up with the purchaser to confirm the order. If it’s a legitimate transaction, the buyer will confirm they want the item and you can get a new payment method from them.

The codes will vary depending on your processor and your ability to control the flow may be limited by your cart software but here is a sample from Braintree to explain the approach. Based on the Braintree return codes:

  • Return an immediate error on codes such as 2008 (Card Account Length Error) or 2006  (Invalid Expiration Date) which indicate data entry mistakes
  • “Accept” but then hold orders for return codes such as 2012 (Processor Declined – Possible Lost Card), 2013 (Processor Declined – Possible Stolen Card), 2014 (Processor Declined – Fraud Suspected)
  • Accept and process orders with positive return codes.
Code Text Type
2000 Do Not Honor. This generic response indicates that the customer’s bank is unwilling to accept the transaction. The reasons vary; the customer will need to contact their bank for more details. Soft
2001 Insufficient Funds. At the time of the transaction, the account did not have sufficient funds to cover the transaction amount. Subsequent attempts may be successful. Soft
2004 Expired Card Hard
2005 Invalid Credit Card Number Hard
2006 Invalid Expiration Date Hard
2008 Card Account Length Error Hard
2010 Card Issuer Declined CVV Hard
2011 Voice Authorization Required. This indicates that the cardholder’s bank is requesting that the merchant calls to obtain a special authorization code in order to complete this transaction. Because this is a lengthy process, we recommend obtaining a new payment method. Contact our Support team for more details. Hard
2012 Processor Declined – Possible Lost Card Hard
2013 Processor Declined – Possible Stolen Card Hard
2014 Processor Declined – Fraud Suspected Hard
2015 Transaction Not Allowed. This response indicates that the customer’s bank is declining the transaction for unspecified reasons. It doesn’t necessarily mean that there is an issue with the card, but it does indicate that the bank won’t approve this transaction. Hard
2046 Declined. This generic response indicates that the customer’s bank is unwilling to accept the transaction. The reasons vary; the customer will need to contact their bank for more details. Soft
2060 Address Verification and Card Security Code Failed Hard

This change will make your site significantly less interesting to fraudsters looking to validate credit cards.