By Una Ryan Kearns
VICE PRESIDENT OF FRAUD, J.P. MORGAN
Fraudulent card testing has emerged as a growing threat due to COVID-19 driving a significant increase in online and mobile transaction volume. Relatively difficult for some merchants to detect, unmitigated card testing attacks can be very expensive – increasing transaction costs, reducing valid authorization performance and potentially exposing merchants to additional fraud.
A fraudulent card testing attack begins with fraud actors acquiring stolen partial or full card credentials. The fraud actor will then use various digital tools, including bots or scripts, that can rapidly submit hundreds of thousands of card-not-present (CNP) transaction authorization requests on an e-commerce site. If left undetected, this can result in thousands of dollars of fees for declined transactions.
The fraud actor’s main objective is quickly identifying a valid card and/or revealing a card’s missing security elements. With valid card credentials, they can then proceed to make fraudulent large ticket purchases on the targeted merchant’s website or at other online merchants.
Key indicators of fraudulent card testing include an unusually high card authorization volume for low dollar amounts in rapid succession, a high volume of identical authorization requests, a sharp increase in declines and specific decline codes, and a big increase in issuing bank/payment brand authorization mismatches.
"No single factor can prevent card testing fraud; however, a multilayered approach can help merchants prevent card testing fraud attacks."
Una Ryan Kearns
VICE PRESIDENT OF FRAUD, J.P. MORGAN
Merchants that have identified ongoing card testing activity can use internal data analytics to change defined rule logic in their fraud solution to combat the attack. If the majority of declines are coming from the same card number, then it is probable that the fraud actor has the correct card number and is testing to identify the security elements. In this case, the merchant should immediately block the card.
Similarly, if the requests in a card testing attack share the same email, phone, IP address and device ID, then these customer attributes should be blocked. When blocking an IP address or device tag, it is vital to verify that this action will not increase false positives.
01 Establish and maintain effective internal transaction data monitoring and control.
Monitoring and controls can help merchants detect key indicators of a card testing attack. These indicators include unusually high authorization request volume with the same attributes, low ticket values, a sudden spike in authorization declines that generate specific decline codes and attempts on the same issuing bank with multiple card brands.
02 Increase the number of required matching security elements.
Requiring address verification service, card verification value, expiration date and card authentication verification value data elements in online authorization requests can make it far more difficult for fraud actors to succeed in identifying and using valid card credentials.
03 Deploy and monitor transaction velocity and script attack rules.
The fraud actor will use bots or scripts that can run thousands of authorizations at a time. Velocity rules that include counting of customer attributes (e.g., email, device, IP, payment, address and phone) in a defined period may be implemented in a fraud solution to prevent a card testing attack.
04 Implement device fingerprinting to detect returning customers.
Merchants can use a device recognition solution to establish a unique identifier for every work machine or mobile device that is accessing their website. This enables merchants to build and maintain a record of devices that are associated with fraudulent patterns and block further access.
05 Integrate security tools like CAPTCHA into the payment experience.
The key is to utilize specific variables that are present in automation. If there is a specific fraud pattern (e.g., specific VPNs, ISPs, BINs and names), have the CAPTCHAs trigger based on these parameters. Applying reCAPTCHA to traffic from all mainstream VPN providers helps minimize the ability of these fraud actors to bypass the system.
06 Deploy 3-D Secure protocols to authenticate card payments.
3-D Secure (3DS) offers an additional layer of security that can significantly reduce fraud for card-not-present transactions and also reduce fraudulent chargebacks. In addition, 3DS transaction authentication can further reduce risk by shifting fraudulent chargeback liability to the issuing bank.
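The velocity rule from step 03, combined with the indicators from step 01, can be sketched as a sliding-window counter per customer attribute. This is an added example, not J.P. Morgan or Safetech code; the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this sketch; tune them against real traffic.
WINDOW_SECONDS = 60       # look-back period for the velocity count
MAX_ATTEMPTS = 5          # attempts per attribute value allowed in the window
LOW_TICKET = 5.00         # cut-off for a "low dollar amount"
MIN_DECLINE_RATIO = 0.8   # share of declines that marks testing
ATTRIBUTES = ("card", "ip", "device", "email")

def find_card_testing(auths):
    """Return {(attribute, value): reason} for values that breach the rule.
    auths: dicts sorted by 'ts' (epoch seconds) with the ATTRIBUTES keys
    plus 'amount' and 'approved'. 'card' is a token, never a raw PAN."""
    windows = defaultdict(deque)  # (attribute, value) -> recent attempts
    flagged = {}
    for a in auths:
        for attr in ATTRIBUTES:
            key = (attr, a[attr])
            win = windows[key]
            win.append((a["ts"], a["approved"], a["amount"]))
            while a["ts"] - win[0][0] > WINDOW_SECONDS:
                win.popleft()     # drop attempts older than the window
            if len(win) <= MAX_ATTEMPTS or key in flagged:
                continue
            declines = sum(1 for _, ok, _ in win if not ok)
            low = sum(1 for _, _, amt in win if amt <= LOW_TICKET)
            # Volume alone is not enough: require mostly declines and all
            # low-value tickets, so a busy shared IP is not blocked.
            if declines / len(win) >= MIN_DECLINE_RATIO and low == len(win):
                flagged[key] = f"{len(win)} low-value attempts, {declines} declined"
    return flagged

def sample_auths():
    """Constructed records: a scripted source, one probed card, one shopper."""
    rows = []
    for i in range(8):   # same IP and device, a new card on every attempt
        rows.append(dict(ts=100 + i, card=f"card-{i}", ip="198.51.100.7",
                         device="dev-A", email=f"u{i}@example.test",
                         amount=1.00, approved=False))
    for i in range(7):   # one card retried from rotating IPs and devices
        rows.append(dict(ts=200 + 2 * i, card="card-X", ip=f"203.0.113.{i}",
                         device=f"dev-{i}", email=f"v{i}@example.test",
                         amount=0.50, approved=False))
    for i in range(2):   # ordinary shopper with approved purchases
        rows.append(dict(ts=300 + 30 * i, card="card-S", ip="192.0.2.10",
                         device="dev-S", email="shopper@example.test",
                         amount=42.00, approved=True))
    return sorted(rows, key=lambda r: r["ts"])

if __name__ == "__main__":
    for key, why in find_card_testing(sample_auths()).items():
        print(key, why)
```

A flagged `card` value corresponds to the case described earlier where most declines hit the same card number, while flagged `ip` or `device` values are candidates for attribute blocking once the false-positive impact has been checked.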
Una Ryan is Vice President of Fraud in J.P. Morgan Merchant Services Data & Analytics group. Una has more than 10 years of international fraud mitigation experience that spans merchant, fintech and acquiring segments. Her areas of expertise include PSD2 fraud regulations, consultancy in fraud detection and rule management, chargebacks/disputes and card-not-present fraud insights.
J.P. Morgan’s Safetech Fraud Tools seamlessly integrates J.P. Morgan transaction processing expertise with Kount’s scalable fraud detection platform. This powerful fraud mitigation solution features multi-layer device fingerprinting, proxy piercing, dynamic order linking, dynamic risk scoring, custom rules management and auto-decisioning.
Safetech's Identity Trust Global Network and machine learning algorithms can immediately alert merchants of signs of card testing attacks. Best of all, Safetech can be implemented quickly and rapidly provide e-commerce fraud protection.
To learn more, please contact your J.P. Morgan representative.