
5 Ways to Improve Payment Security in Your Business
- Netacea, Agentless Bot Management
Payment fraud is a huge problem for eCommerce and online retail businesses. Even among the world’s biggest companies, there are horror stories about payment security problems like credit card data theft and financial fraud:
- In 2011, personal data from 77 million PlayStation network users was leaked online
- In 2013, more than 150 million credit card details were stolen from Adobe
- In 2021, Neiman Marcus announced the theft of 4.6 million customer payment card details.
Cyberthreats like carding attacks are responsible for most modern large-scale data theft. Payment fraud losses cost companies more than $33 billion in 2021 — and this is expected to rise to more than $40 billion by 2027.
But credit card thieves don’t just target well-known businesses like Sony, Adobe, and Neiman Marcus. Any business without the right payment security infrastructure is at risk. And as the eCommerce industry grows, it’s only going to become a bigger target for attackers.
So how do cybercriminals get hold of customer credit card details — and how can you strengthen your payment security against carding attacks?
How carding attacks work
Carding attacks are a type of brute force attack in which criminals use automated programs called bots to validate stolen card details.
Criminals buy stolen payment card details from the dark web. Using these details, bots attempt to make thousands of small payments that the attacker hopes will go unnoticed by the merchant or cardholder. This technique can reveal omitted information (such as missing digits, expiry dates, and CVV numbers) or authorize a full set of payment card details.
When criminals have valid credit or debit card details, they use them to make other, larger purchases. This continues until the cardholder or their bank notices and blocks the unusual activity.
The rise and risks of carding attacks
Losing money to a carding attack is distressing for customers, both financially and emotionally. But there are long-term consequences, too. Fraudulent activity remains on a customer’s credit report for up to 13 months, potentially jeopardizing their ability to finance a car or get a mortgage in that time.
Businesses also suffer from carding attacks. If customer card details are stolen from your website, you may be subject to regulatory penalties. Plus, the impact on customer trust and confidence can be severe, resulting in social media backlash and fewer sales.
But it’s not just your customer reputation you need to worry about. Carding attacks also threaten your reputation with payment processors.
Fraudulent transactions and carding activity can lead to chargebacks. Chargebacks happen when you’re found to be at fault for a fraudulent or unauthorized transaction — so the payment processor claims the money back from your business. If you experience a high number of chargebacks, payment processors will consider you a risk, and may limit your account or decide to withdraw their services altogether. And without a payment processor, many online businesses are unable to operate.
As eCommerce grows, the risk of carding attacks increases. Since Adobe was targeted in 2013, global payment fraud losses have increased by almost 250%.
But there are ways to decrease carding attack success rates on your site. Here are five things you can do right now to minimize the risk of carding and other online payment fraud.
5 ways to reduce the risk of carding attacks
Make sure your website uses a secure protocol (HTTPS)
All websites associated with your business should be served over HTTPS, the secure version of HTTP. HTTPS provides three layers of site security:
- Data encryption — data sent and received across the site can’t be seen or tracked by other site users
- Data integrity — nobody can change or interfere with the data sent
- Site authentication — site users can be sure they’re interacting with your site, rather than a spoofed website.
Having HTTPS in place won’t stop carding attacks by itself, as bots can easily perform credential stuffing attacks on a secure website. But it can protect your website from data theft in the first place, making it less likely that your customer details will end up on the dark web.
If your site doesn’t use HTTPS, browsers may alert your site visitors to this fact. This makes them less likely to complete transactions on your website, so you can lose legitimate business if your site isn’t secure.
Activate security features in your payment gateway
Most popular payment gateways offer optional features to improve payment security:
- Address Verification System (AVS) — the processor checks the entered billing address against the address on file with the bank or credit card company
- Card Verification Value (CVV) — also known as CSC or CVV2, this field requires the payer to input a three-digit code from the back of their card
- 3D Secure (3DS) — this requires the cardholder to verify the transaction with their bank by redirecting to another page.
Adding these functions makes it more difficult (although not impossible) for bots to enter and verify correct card details.
While they’re worth implementing to protect your customer data, additional security features can have a detrimental effect on your user experience. So, make sure you consider how to improve UX without compromising your security.
Limit payment attempts
Limiting payment attempts can reduce the chances of successful card verification. If a payment method is declined a set number of times, consider blocking any further attempts from that user.
If you use a WordPress site, plugins are available to limit card payment attempts per order.
This method isn’t foolproof. Programmers can build sophisticated bots that create separate orders to circumvent your payment attempt rules. Bots may also verify card details within the first few attempts.
But setting up alerts to notify you when a customer reaches your payment attempt limit can make you aware of carding attacks. You can then block the relevant IP addresses to stop bots placing orders on your site.
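The sketch below is an added example, not code from the original article or from any payment plugin. It replays a constructed list of payment attempts through a decline limiter twice, keyed first per order and then per client IP, to show why a per-order limit misses a bot that opens a new order for each card. The thresholds, field names, and sample data are assumptions.

```python
from collections import defaultdict, deque

MAX_DECLINES = 3        # assumed threshold
WINDOW_SECONDS = 600    # assumed look-back window


class DeclineLimiter:
    """Counts declined payments per key inside a sliding time window."""

    def __init__(self, max_declines=MAX_DECLINES, window=WINDOW_SECONDS):
        self.max_declines = max_declines
        self.window = window
        self.declines = defaultdict(deque)   # key -> timestamps of declines
        self.alerts = []                     # (timestamp, key) when limit is hit

    def is_blocked(self, key, now):
        q = self.declines[key]
        while q and now - q[0] > self.window:
            q.popleft()                      # forget declines outside the window
        return len(q) >= self.max_declines

    def record_decline(self, key, now):
        was_blocked = self.is_blocked(key, now)
        self.declines[key].append(now)
        if not was_blocked and self.is_blocked(key, now):
            self.alerts.append((now, key))   # alert once, when the limit is reached


def replay(attempts, key_field):
    """Replay (ts, order_id, ip, approved) attempts; return (rejected, alerts)."""
    limiter = DeclineLimiter()
    rejected = 0
    for ts, order_id, ip, approved in attempts:
        key = order_id if key_field == "order" else ip
        if limiter.is_blocked(key, ts):
            rejected += 1                    # refused before reaching the gateway
            continue
        if not approved:
            limiter.record_decline(key, ts)
    return rejected, limiter.alerts


# Constructed sample: one client opens a fresh order for every card it tests.
ATTEMPTS = [(i * 5, f"order-{i}", "203.0.113.7", False) for i in range(10)]
# A legitimate shopper mistypes once, then succeeds on the same order.
ATTEMPTS += [(12, "order-a", "198.51.100.20", False),
             (40, "order-a", "198.51.100.20", True)]
ATTEMPTS.sort()

if __name__ == "__main__":
    print("per-order limit:", replay(ATTEMPTS, "order"))
    print("per-IP limit:   ", replay(ATTEMPTS, "ip"))
```

Keying on IP alone can also block shoppers who share an address, so in practice the key is often combined with other attributes such as session or device.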
Monitor your payment gateway site traffic
Monitoring your real-time site traffic can help you anticipate a carding attack, or other high-volume threats like DDoS attacks.
When monitoring your site traffic on a platform like Google Analytics, look for:
- Surges in unusual site traffic (especially during busy shopping periods)
- Traffic coming from unusual locations
- Large amounts of traffic placing small orders
- Traffic attempting to place lots of orders in quick succession.
If you identify suspicious traffic, you can block the relevant IP addresses to prevent bots from reaching your site. But real-time site monitoring is a full-time job — and carding attacks don’t just happen during office hours. You’ll need vigilant staff in place at all times — so this is rarely the most cost-effective way to banish attackers.
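As an added illustration (not from the original article and not tied to any analytics product), the script below applies three of the signals listed above to a constructed order log: orders in quick succession, clients placing only small orders, and traffic from unusual locations. The log format, thresholds, and the set of usual countries are assumptions.

```python
from collections import defaultdict
from datetime import datetime

SMALL_ORDER = 5.00               # assumed: orders at or below this are "small"
BURST_COUNT = 5                  # assumed: this many orders ...
BURST_SECONDS = 60               # ... inside this many seconds is a burst
USUAL_COUNTRIES = {"GB", "IE"}   # assumed: where this shop normally sells

# Constructed log lines: timestamp, client IP, country, order amount.
LOG = """\
2024-11-29T10:00:01 203.0.113.7 GB 1.00
2024-11-29T10:00:09 203.0.113.7 GB 1.00
2024-11-29T10:00:18 203.0.113.7 GB 1.00
2024-11-29T10:00:27 203.0.113.7 GB 1.00
2024-11-29T10:00:36 203.0.113.7 GB 1.00
2024-11-29T10:00:45 203.0.113.7 GB 1.00
2024-11-29T10:03:12 198.51.100.20 GB 54.99
2024-11-29T10:05:40 192.0.2.44 NZ 120.00
2024-11-29T11:20:02 192.0.2.44 NZ 35.50
"""


def parse(log):
    for line in log.splitlines():
        ts, ip, country, amount = line.split()
        yield datetime.fromisoformat(ts), ip, country, float(amount)


def suspicious_clients(log):
    """Return {ip: [reasons]} for clients matching any monitored signal."""
    by_ip = defaultdict(list)
    for ts, ip, country, amount in parse(log):
        by_ip[ip].append((ts, country, amount))
    findings = {}
    for ip, orders in by_ip.items():
        orders.sort()
        times = [ts for ts, _, _ in orders]
        reasons = []
        # Quick succession: BURST_COUNT consecutive orders within BURST_SECONDS.
        if any((times[i + BURST_COUNT - 1] - times[i]).total_seconds() <= BURST_SECONDS
               for i in range(len(times) - BURST_COUNT + 1)):
            reasons.append("burst")
        if len(orders) >= BURST_COUNT and all(a <= SMALL_ORDER for _, _, a in orders):
            reasons.append("all-small-orders")
        if any(c not in USUAL_COUNTRIES for _, c, _ in orders):
            reasons.append("unusual-location")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    print(suspicious_clients(LOG))
```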
Use a bot management system to block bad bots from your site
Carding attacks are performed by malicious bots. So, the best way to prevent these attacks and protect your payment gateway is to block bad bots from your site altogether.
Using a bot management system is the most effective, efficient way to prevent carding attacks and improve your payment security. An advanced bot manager can:
- Detect advanced bots — with a machine learning engine, you can identify even the most sophisticated malicious bots, while allowing good bots to crawl your site unimpeded
- Block bots automatically — you don’t need to manually monitor your site traffic, because the software blocks carding attack bots automatically
- Protect your data without causing site slowdown — with server-side protection, there’s no impact on site performance or user experience
- Boost protection with an expert human threat team — the Netacea team is on hand to help you make tough cybersecurity calls if you need support.
If you’re worried about your business’s online payment security, learn more about how Netacea prevents carding attacks — or watch a two-minute demo of how our bot management software works.