Online fraud is a huge problem. In 2017, there was $57.8 billion in fraud losses, 30% more than the year before. 92% of all fraud is identity theft. John Collison, co-founder of Stripe, recognizes that fraud is a huge pain for internet businesses. “Anyone trading or doing business online has this problem,” he said.
As a business that accepts online transactions (where you can’t guarantee the person making the transaction is the cardholder), you must take steps to protect yourself from fraud. If you fail to detect and prevent fraud, you could pay unnecessary fees, lose time dealing with disputes, and suffer reputation damage with payment processors and card-issuing banks.
In this article, we’d like to cover four important steps you can take to prevent spam and fraud attempts. These simple actions will go a long way toward protecting your business.
Step 1: Set up reCAPTCHA
reCAPTCHA is an invaluable tool to protect your website from abuse and fraud. It prevents non-humans (bots and scripts) from interacting with your pages. This means that an automated system set up by a malicious party won’t be able to use your payment forms.
How does it work? According to Google, “reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on your website. Meanwhile, legitimate users will be able to login, make purchases, view pages, or create accounts and fake users will be blocked.”
Basically, it understands how people behave differently than bots. If it identifies a bot, it blocks their access. We strongly recommend it.
To enable reCAPTCHA, register your site with Google, choosing the reCAPTCHA v3 type. After registering, you will be redirected to a page where you can retrieve the credentials you need to use with your payment form plugin (such as WP Simple Pay).
If you’re using WP Simple Pay, visit our documentation article on configuring your reCAPTCHA settings.
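The plugin does the token check for you, but it helps to see what a correct server-side check of a reCAPTCHA v3 token involves. The block below is an added example (not WP Simple Pay's or Google's code): it posts the token to Google's siteverify endpoint and then applies the checks the verdict allows: success, the action the token was minted for, the hostname, freshness, and a score threshold. The 0.5 threshold, the 120-second maximum age, the `checkout` action name and the `shop.example` hostname are assumptions; the sample verdicts are constructed, not captured from Google.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Google's verification endpoint for reCAPTCHA v2/v3 tokens.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret_key, token, remote_ip=None):
    """POST the client token to Google and return the decoded JSON verdict.

    This is the only network call; the decision logic below is kept separate
    so it can be exercised offline on a constructed verdict.
    """
    form = {"secret": secret_key, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    req = Request(SITEVERIFY_URL, data=urlencode(form).encode())
    with urlopen(req, timeout=5) as resp:
        return json.load(resp)


def _parse_challenge_ts(value):
    # siteverify reports the challenge time as e.g. "2024-05-01T12:00:00Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_siteverify(result, expected_action, expected_hostname,
                        min_score=0.5, max_age_seconds=120, now=None):
    """Decide whether a siteverify verdict is good enough to accept a payment request.

    Returns (accepted, reason). Every check here is server-side, so the client
    cannot influence it: the token must verify, must have been minted for this
    form (action) on this site (hostname), must be fresh, and must score at or
    above the threshold. The threshold of 0.5 is an assumption to tune per site.
    """
    if not result.get("success"):
        errors = ",".join(result.get("error-codes", [])) or "unknown"
        return False, "token rejected: " + errors
    if result.get("action") != expected_action:
        return False, "token minted for action %r, not %r" % (result.get("action"), expected_action)
    if result.get("hostname") != expected_hostname:
        return False, "token minted for host %r" % result.get("hostname")
    now = now or datetime.now(timezone.utc)
    try:
        age = (now - _parse_challenge_ts(result["challenge_ts"])).total_seconds()
    except (KeyError, ValueError):
        return False, "missing or malformed challenge_ts"
    if age < 0 or age > max_age_seconds:
        return False, "token is %.0fs old" % age
    score = float(result.get("score", 0.0))
    if score < min_score:
        return False, "score %.2f below threshold %.2f" % (score, min_score)
    return True, "score %.2f" % score


# Constructed verdicts (not captured from Google) used to exercise the logic offline.
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
HUMAN_VERDICT = {"success": True, "score": 0.9, "action": "checkout",
                 "challenge_ts": "2024-05-01T12:00:00Z", "hostname": "shop.example"}
BOT_VERDICT = dict(HUMAN_VERDICT, score=0.1)
REPLAYED_VERDICT = {"success": False, "error-codes": ["timeout-or-duplicate"]}
WRONG_FORM_VERDICT = dict(HUMAN_VERDICT, action="login")
STALE_VERDICT = dict(HUMAN_VERDICT, challenge_ts="2024-05-01T11:00:00Z")


def demo():
    cases = [("human", HUMAN_VERDICT), ("bot", BOT_VERDICT), ("replayed", REPLAYED_VERDICT),
             ("wrong form", WRONG_FORM_VERDICT), ("stale", STALE_VERDICT)]
    for name, verdict in cases:
        ok, why = evaluate_siteverify(verdict, "checkout", "shop.example", now=NOW)
        print("%-10s accepted=%-5s %s" % (name, ok, why))


if __name__ == "__main__":
    demo()
```

The action and hostname checks matter as much as the score: a token obtained from a low-value form on your site (or from a different site using the same key) should not be accepted on the payment form. Google rejects a token that is verified twice, which is why the replayed case returns `timeout-or-duplicate`.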
Step 2: Understand Card Testing
Card testing (also called “carding,” “account testing,” and “card checking”) is a type of fraudulent activity in which someone tries to determine whether stolen card details are valid so the card can be used for purchases.
Fraudsters might use your website to determine if a card is valid before using it on another website. They prefer to use authorizations because they don’t show on the cardholder’s statement. In other cases, they might try a small-value purchase that’s less likely to be noticed by the cardholder.
This creates several negative effects for you.
- A high number of declines damages the reputation of your business with card issuers and networks, which makes all of your transactions seem riskier.
- You may incur additional fees, such as authorization fees on custom pricing plans and dispute fees.
- Numerous network requests could put unnecessary strain on your website.
- If testing succeeds, you’ll end up with payments that eventually get disputed as fraudulent. This results in disputes that cost money.
Stripe and other payment processors have tools and systems in place to detect and reduce this kind of fraud. This includes rate limiters, alerts, ongoing reviews, and more. These measures can’t prevent all card testing, however, so it’s important that you remain vigilant on your end.
You can identify card testing by keeping an eye on your declines, especially if they happen in a short period of time. In Stripe, you’ll see this in the Developers section of the Dashboard and in your failed request logs as 402 errors. Here are some ways to prevent card testing:
- Set up reCAPTCHA like we mentioned earlier. This will prevent automated card testing.
- Add rate limits. These are tailored responses to the specific type of card testing you’re seeing. For instance, if card testers try to validate cards using new customer accounts, you could limit the number of new accounts per IP address. WP Simple Pay provides built-in IP-based rate limiting for requests.
- Use custom rules in Stripe Radar to mitigate fraudulent activity once you identify some kind of pattern you can fight back against.
In fact, it’s best to employ all of the methods we listed above so you don’t become a haven for card testers who use your site to check their stolen goods.
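To make the "watch your declines" and "add rate limits" advice concrete, here is an added example (not WP Simple Pay's or Stripe's code) that covers both sides of Step 2. It parses a constructed failed-request log, flags any IP that produces five or more 402 declines inside a 60-second window, and then reuses the same sliding window as a per-IP rate limit on payment attempts. The log format, the five-in-sixty-seconds threshold and the three-attempts limit are assumptions; tune them to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines, not real Stripe or WP Simple Pay output:
# <timestamp> <client IP> <HTTP status> <decline code or ->
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 402 card_declined
2024-05-01T10:00:03Z 203.0.113.7 402 incorrect_cvc
2024-05-01T10:00:04Z 198.51.100.2 200 -
2024-05-01T10:00:05Z 203.0.113.7 402 card_declined
2024-05-01T10:00:06Z 203.0.113.7 402 expired_card
2024-05-01T10:00:08Z 203.0.113.7 402 card_declined
2024-05-01T10:05:00Z 198.51.100.2 402 insufficient_funds
2024-05-01T10:09:00Z 203.0.113.7 402 card_declined
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    ts, ip, status, code = m.groups()
    return parse_ts(ts), ip, int(status), code


class SlidingWindow:
    """Per-key event timestamps, trimmed to the last `window_seconds`."""

    def __init__(self, window_seconds):
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)

    def add(self, key, ts):
        """Record an event and return how many events the key has in the window."""
        q = self._events[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        return len(q)


def find_card_testers(log_text, window_seconds=60, threshold=5):
    """Detection: return {ip: time the threshold was first reached} for IPs that
    produced `threshold` or more 402 declines within `window_seconds`."""
    window = SlidingWindow(window_seconds)
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, status, _code = parse_line(line)
        if status != 402:
            continue
        if window.add(ip, ts) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def rate_limit_decisions(attempts, limit=3, window_seconds=60):
    """Prevention: the same sliding window used as a per-IP rate limit.

    `attempts` is a list of (timestamp, ip) for payment requests; returns one
    bool per attempt, True if it should be allowed. Denied attempts still count
    toward the window, so a tester who keeps hammering stays limited.
    """
    window = SlidingWindow(window_seconds)
    return [window.add(ip, parse_ts(ts)) <= limit for ts, ip in attempts]


if __name__ == "__main__":
    for ip, when in find_card_testers(SAMPLE_LOG).items():
        print("possible card testing from %s, 5 declines by %s" % (ip, when.isoformat()))
    burst = [("2024-05-01T11:00:%02dZ" % s, "203.0.113.7") for s in (0, 1, 2, 3)]
    burst.append(("2024-05-01T11:01:05Z", "203.0.113.7"))
    print(rate_limit_decisions(burst))
```

On the sample log, `203.0.113.7` hits five declines at 10:00:08 and is flagged, while the single decline from `198.51.100.2` (a normal insufficient-funds failure) and the lone retry nine minutes later are not. A real deployment would key the window on more than the client IP (testers rotate addresses), which is why the page recommends combining this with reCAPTCHA and Radar rules rather than relying on any one control.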
Step 3: Set up Stripe Radar
Radar is a powerful machine learning detection system from Stripe that identifies fraudulent activity on its platform. It quietly reviews every transaction for signs of fraud and scores each payment based on thousands of signals. Since 2016, Radar has blocked billions of dollars in fraud across the Stripe network for companies of all sizes.
What’s unique about Radar is that it’s not a static piece of software. It learns over time based on new data and improved models, learning from the millions of payments that happen on Stripe’s network. This trove of behavioral data makes it accurate at predicting patterns of fraud.
It’s true that other payment processors have systems to recognize fraud and block transactions. Radar, however, goes the extra mile by informing you why transactions are blocked. As a business owner, you need information when payments fail to go through so you can make smart decisions.
Furthermore, Radar also gives you control over what gets refused. For instance, instead of blocking a transaction completely, you may want to reach out to the customer for additional information to see if you can process the sale. You can also create your own custom rules to refuse transactions that Radar’s default rules don’t already block.
All in all, Radar is a powerful tool to have in your toolbox. It’s automated enough to protect you at scale, but it also gives you plenty of control to prevent fraud. Learn more in our deeper dive into Stripe Radar.
Step 4: Run Address Verification
An Address Verification Service (AVS) is a fraud prevention system that verifies that the address entered by the customer matches the address on the cardholder’s account. This process happens in seconds, and the customer doesn’t even notice. This simple check can spot fraud attempts and ultimately limit chargebacks.
Why does it work? The cardholder’s address is a collection of data points the cardholder would know but that aren’t printed on the card. If the card were stolen, the thief would also need to acquire the address in some other way to complete the transaction.
Obviously, AVS isn’t perfect. If someone steals their friend’s card, there’s a chance they would know the address offhand. You should use AVS in conjunction with other fraud detection mechanisms, such as IP address verification, 3D Secure, device authentication, CVV, and even biometric analysis. But AVS greatly reduces the number of fraud attempts that complete a transaction. This is why most major credit card companies and payment processors use this service.
Where do you get AVS? The mainstream payment processors (such as Stripe) and gateways offer this service. If you have your own merchant account, you have access to AVS as well. If your processor or gateway doesn’t offer this service, you should consider paying a third-party service provider.
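With Stripe, both Radar’s verdict (Step 3) and the AVS result (Step 4) come back on the charge itself, so the practical question is how to act on them. The block below is an added example (not WP Simple Pay's or Stripe's code) that reads those two pieces of a charge and turns them into a fulfilment decision. The dict layout mirrors the Stripe Charge object as documented in Stripe's API reference, with `outcome` holding Radar's type, risk level and reason, and `payment_method_details.card.checks` holding the AVS and CVC results; check the field names against the current reference before relying on them. The three charge objects are constructed, not real API responses, and treating an AVS mismatch as a hold rather than a refund is a policy assumption.

```python
# Constructed Charge objects (not real API responses). `outcome` carries Radar's
# verdict and `payment_method_details.card.checks` carries the AVS/CVC results,
# following the field names in Stripe's API reference (verify against the
# current reference).

AVS_CHECKS = ("address_line1_check", "address_postal_code_check")


def radar_summary(charge):
    """Pull out what Radar decided and why (the 'tells you why' part of Step 3)."""
    outcome = charge.get("outcome") or {}
    return {
        "type": outcome.get("type", "unknown"),              # authorized, manual_review, blocked, ...
        "risk_level": outcome.get("risk_level", "unknown"),  # normal, elevated, highest, ...
        "reason": outcome.get("reason"),
        "seller_message": outcome.get("seller_message"),
    }


def avs_summary(charge):
    """Return the AVS and CVC results, each one of pass/fail/unavailable/unchecked."""
    card = (charge.get("payment_method_details") or {}).get("card") or {}
    checks = card.get("checks") or {}
    return {name: checks.get(name) or "unchecked" for name in AVS_CHECKS + ("cvc_check",)}


def review_decision(charge, hold_on_avs_fail=True):
    """Decide what to do with a charge: 'ship', 'hold' for a manual look (for
    example, contact the customer as Step 3 suggests), or 'declined' (nothing to fulfil).

    AVS is advisory, so a mismatch leads to a hold rather than an automatic
    refund; 'unavailable' (the issuer does not support AVS) is not a failure.
    """
    radar = radar_summary(charge)
    if charge.get("status") != "succeeded" or radar["type"] in ("blocked", "issuer_declined", "invalid"):
        return "declined", "%s: %s" % (radar["type"], radar["seller_message"] or radar["reason"])
    if radar["type"] == "manual_review" or radar["risk_level"] in ("elevated", "highest"):
        return "hold", "Radar flagged %s risk: %s" % (radar["risk_level"], radar["seller_message"])
    avs = avs_summary(charge)
    failed = [name for name in AVS_CHECKS if avs[name] == "fail"]
    if failed and hold_on_avs_fail:
        return "hold", "AVS mismatch on " + ", ".join(failed)
    if avs["cvc_check"] == "fail":
        return "hold", "CVC mismatch"
    return "ship", "Radar %s risk, AVS %s/%s, CVC %s" % (
        radar["risk_level"], avs["address_line1_check"],
        avs["address_postal_code_check"], avs["cvc_check"])


def _charge(status, outcome, checks):
    return {"id": "ch_constructed", "status": status, "outcome": outcome,
            "payment_method_details": {"card": {"checks": checks}}}


CLEAN_CHARGE = _charge(
    "succeeded",
    {"type": "authorized", "risk_level": "normal", "network_status": "approved_by_network",
     "seller_message": "Payment complete."},
    {"address_line1_check": "pass", "address_postal_code_check": "pass", "cvc_check": "pass"})

AVS_MISMATCH_CHARGE = _charge(
    "succeeded",
    {"type": "authorized", "risk_level": "normal", "network_status": "approved_by_network",
     "seller_message": "Payment complete."},
    {"address_line1_check": "fail", "address_postal_code_check": "pass", "cvc_check": "pass"})

RADAR_BLOCKED_CHARGE = _charge(
    "failed",
    {"type": "blocked", "risk_level": "highest", "network_status": "not_sent_to_network",
     "reason": "highest_risk_level", "seller_message": "Stripe blocked this payment."},
    {"address_line1_check": "unchecked", "address_postal_code_check": "unchecked",
     "cvc_check": "unchecked"})


if __name__ == "__main__":
    for label, charge in [("clean", CLEAN_CHARGE), ("avs mismatch", AVS_MISMATCH_CHARGE),
                          ("radar blocked", RADAR_BLOCKED_CHARGE)]:
        print("%-14s -> %s (%s)" % ((label,) + review_decision(charge)))
```

The ordering is deliberate: Radar’s verdict is checked first because a blocked or declined charge has nothing to fulfil, and only a charge that actually succeeded gets the AVS and CVC look. Keeping `hold_on_avs_fail` as a switch reflects the page’s point that AVS should be one signal among several, not a hard block on its own.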
When it comes to preventing spam and fraud, vigilance is key. Keep a watchful eye on the reports and metrics provided by your payment processor, especially with regard to blocked or declined transactions.
As our tools evolve, so will the fraudsters. With WP Simple Pay we are committed to providing a product as secure as possible, and we continuously enhance our anti-spam and anti-fraud functionality. If you use WP Simple Pay, make sure to keep it updated to gain access to these additional layers of protection.