Carding Attack & Fraud Prevention Guide

This guide outlines best practices for preventing carding attacks and reducing fraudulent transactions.

Important: No single control can fully prevent fraud. The most effective approach is a layered strategy combining application-level protections, gateway features, and third-party tools.


If you implement nothing else, start here:

  • Enable CAPTCHA or 2FA on your checkout
  • Require CVV and full billing address for all transactions
  • Enable velocity limits (IP and card-based)
  • Turn on Authorization Verification Hash
  • Block or restrict high-risk countries (if applicable)
  • Use Smart Screens v2 for card data collection

🚨 If You Are Under an Active Carding Attack

Take the following steps immediately:

  • Enable CAPTCHA or 2FA on all payment forms
  • Reduce velocity thresholds (limit rapid retries)
  • Require all billing fields (address + CVV)
  • Temporarily block high-risk countries or regions
  • Review recent transactions for suspicious patterns
  • Contact PlugnPay support for additional guidance

Responsibility Overview

Understanding who manages each layer of protection:

  • Merchant (You): Website security, checkout controls, fraud rules
  • PlugnPay Gateway: Transaction processing and supplemental filtering
  • Third-Party Tools: Advanced detection (AI scoring, device fingerprinting, etc.)


PlugnPay Direct Recommendations

1. Maintain Up-to-Date Systems

What it does: Keeps your infrastructure secure

Why it matters: Outdated systems are a common attack vector

How to implement:

  • Regularly update your server, website, cart, and plugins
  • Enable built-in fraud tools provided by your platform

2. Keep Payment Modules Current

What it does: Ensures latest security enhancements are applied

Why it matters: Updates often include fraud mitigation improvements

How to implement:

  • Regularly check for updates to PlugnPay modules/plugins
  • Apply updates as part of routine maintenance

3. Implement CAPTCHA or 2FA

What it does: Blocks automated bot submissions

Why it matters: Carding attacks rely heavily on automation

How to implement:

  • Use CAPTCHA (e.g., hCaptcha) or 2FA (authenticator apps, SMS, email)

Note: Avoid Google reCAPTCHA where possible; stronger alternatives such as hCaptcha are recommended.


4. Deploy a Site-Wide Anti-Fraud Solution

What it does: Detects and blocks suspicious users before checkout

Why it matters: Stops fraud attempts before they reach payment processing

How to implement:

  • Integrate third-party fraud prevention tools
  • Use plugins compatible with your platform

5. Enable Authorization Verification Hash

What it does: Prevents direct-to-gateway transaction bypass attempts

Why it matters: Attackers may attempt to submit transactions outside your site

How to implement:

  • Enable in your PlugnPay account and cart/application settings
  • Refer to the Verification Hash documentation in Security Administration
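
The following is an added example of the general idea behind a verification hash; it is not PlugnPay's own algorithm or field layout (consult the Verification Hash documentation for that). The merchant server computes a keyed hash (HMAC-SHA256) over the order fields using a secret shared with the gateway, and the gateway recomputes it before accepting the transaction. A request that was not generated by the merchant site, or whose amount was altered, fails the check. The secret value, field order and separator here are constructed assumptions.

```python
import hmac
import hashlib
from decimal import Decimal, ROUND_HALF_UP

# Hypothetical shared secret: configured on the merchant server and in the gateway
# account. It must never appear in the checkout page or in client-side code.
SHARED_SECRET = b"constructed-demo-secret-replace-me"


def normalize_amount(amount) -> str:
    """Render the amount with exactly two decimals so that 49.99, "49.99" and
    Decimal("49.990") all hash to the same bytes on both sides."""
    return str(Decimal(str(amount)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))


def canonical_message(order_id: str, amount, currency: str) -> bytes:
    """Fixed field order and separator; merchant and gateway must agree on this."""
    return "|".join([order_id, normalize_amount(amount), currency.upper()]).encode("utf-8")


def sign_order(order_id: str, amount, currency: str, secret: bytes = SHARED_SECRET) -> str:
    """Merchant side: produce the hash that is submitted together with the order fields."""
    return hmac.new(secret, canonical_message(order_id, amount, currency), hashlib.sha256).hexdigest()


def verify_order(order_id: str, amount, currency: str, presented_hash: str,
                 secret: bytes = SHARED_SECRET) -> bool:
    """Gateway side: recompute the hash from the received fields and compare it in
    constant time. A missing hash is treated as a failed verification, not a skip."""
    if not presented_hash:
        return False
    expected = sign_order(order_id, amount, currency, secret)
    return hmac.compare_digest(expected, presented_hash)


def demo() -> dict:
    """Constructed scenarios: a legitimate submission, an altered amount, a request
    with no hash at all, and the same amount written in a different numeric form."""
    h = sign_order("ORD-1001", "49.99", "USD")
    return {
        "legitimate": verify_order("ORD-1001", "49.99", "USD", h),
        "amount_altered": verify_order("ORD-1001", "0.01", "USD", h),
        "hash_missing": verify_order("ORD-1001", "49.99", "USD", ""),
        "same_amount_float_form": verify_order("ORD-1001", 49.99, "USD", h),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The protection is only as good as the secret staying server-side: if the hash were computed in the browser, anyone could compute a valid one for any amount. Use `hmac.compare_digest` rather than `==` so that comparison time does not leak how many leading characters matched.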

6. Configure Fraud Filters (FraudTrak / FraudTrak2)

What it does: Applies rules to filter or block risky transactions

Why it matters: Reduces fraudulent attempts before authorization

How to implement:

  • Require full billing address and CVV
  • Enable IP-to-country matching
  • Block high-risk billing regions

Note: These settings are available in FraudTrak/FraudTrak2.


7. Use Smart Screens v2 for Card Data Collection

What it does: Offloads card data collection to PlugnPay-hosted pages

Why it matters: Reduces PCI DSS scope and improves security

How to implement:

  • Replace direct card collection (Remote API) with Smart Screens v2
  • Use tokens or order IDs for follow-up actions (voids, returns, settlements)

Additional Anti-Fraud Controls

Transaction-Level Controls

CVV Enforcement

What it does: Requires card security code

Why it matters: Prevents use of stolen card numbers without CVV

How to implement:

  • Require CVV for all transactions via FraudTrak/FraudTrak2

Address Verification System (AVS)

What it does: Matches billing address with issuer records

Why it matters: Helps detect unauthorized card use

How to implement:

  • Collect full billing address for all transactions
  • Enable AVS where appropriate

Best Practice: Even if AVS is not enforced, always collect address data for additional fraud analysis.


3D Secure (3DS)

What it does: Adds cardholder authentication step

Why it matters: Reduces fraud and may shift liability

How to implement:

  • Enable through your payment processor (if supported)

Behavioral Controls

Velocity Controls

What it does: Limits rapid transaction attempts

Why it matters: Stops automated card testing

How to implement:

  • Restrict attempts per IP, card, or account

Note: Some controls exist in FraudTrak, but site-level enforcement is strongly recommended.


Device Fingerprinting

What it does: Identifies devices used for transactions

Why it matters: Detects repeat fraud across accounts

How to implement:

  • Use third-party tools to track device behavior

Real-Time Transaction Monitoring

What it does: Detects anomalies as they occur

Why it matters: Identifies fraud patterns early

How to implement:

  • Use monitoring tools with rule-based or AI detection

Note: Gateway-level protections exist but should be considered supplemental.
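
As an added illustration of rule-based monitoring (not code from PlugnPay or any monitoring product), the block below runs a card-testing rule over constructed transaction log lines: within a five-minute window, an IP that makes at least five attempts on at least four distinct cards with a high decline ratio is flagged. The log format, field names and thresholds are assumptions; the card field is a fingerprint or token, since a real transaction log must never contain the card number.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) card=(?P<card>\S+) amount=(?P<amount>[\d.]+) result=(?P<result>\w+)$"
)

# Constructed sample: one IP cycling cards at a low amount, one customer retrying
# a single card after typos, and one ordinary shopper. Includes a malformed line.
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z ip=203.0.113.5 card=fp01 amount=1.00 result=DECLINED",
    "2024-05-01T12:00:08Z ip=203.0.113.5 card=fp02 amount=1.00 result=DECLINED",
    "2024-05-01T12:00:15Z ip=203.0.113.5 card=fp03 amount=1.00 result=DECLINED",
    "2024-05-01T12:00:22Z ip=203.0.113.5 card=fp04 amount=1.00 result=DECLINED",
    "2024-05-01T12:00:30Z ip=203.0.113.5 card=fp05 amount=1.00 result=APPROVED",
    "2024-05-01T12:00:37Z ip=203.0.113.5 card=fp06 amount=1.00 result=DECLINED",
    "2024-05-01T12:01:00Z ip=192.0.2.9 card=fpAA amount=89.00 result=DECLINED",
    "2024-05-01T12:01:20Z ip=192.0.2.9 card=fpAA amount=89.00 result=DECLINED",
    "2024-05-01T12:01:45Z ip=192.0.2.9 card=fpAA amount=89.00 result=DECLINED",
    "2024-05-01T12:02:10Z ip=192.0.2.9 card=fpAA amount=89.00 result=DECLINED",
    "2024-05-01T12:02:40Z ip=192.0.2.9 card=fpAA amount=89.00 result=APPROVED",
    "2024-05-01T11:58:00Z ip=198.51.100.7 card=fp90 amount=49.99 result=APPROVED",
    "this line is garbage and is skipped",
]


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "card": m["card"],
            "amount": float(m["amount"]), "result": m["result"]}


def detect_card_testing(lines, window=timedelta(minutes=5), min_attempts=5,
                        min_distinct_cards=4, max_decline_ratio=0.6) -> dict:
    """Slide a time window over each IP's attempts and flag the first moment all
    three conditions hold. Returns {ip: details} for flagged IPs only."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while events[start]["ts"] < ev["ts"] - window:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_attempts:
                continue
            declines = sum(1 for e in win if e["result"] != "APPROVED")
            distinct = len({e["card"] for e in win})
            ratio = declines / len(win)
            if distinct >= min_distinct_cards and ratio >= max_decline_ratio:
                alerts[ip] = {"flagged_at": ev["ts"].isoformat(), "attempts": len(win),
                              "declines": declines, "distinct_cards": distinct,
                              "decline_ratio": round(ratio, 2)}
                break  # one alert per IP is enough to trigger review
    return alerts


if __name__ == "__main__":
    for ip, info in detect_card_testing(SAMPLE_LOG).items():
        print(ip, info)
```

The distinct-card condition is what separates card testing from a genuine customer retyping one card several times (the `192.0.2.9` lines above are declined four times but never flagged). Tune the thresholds against your own traffic, and feed alerts into the manual review workflow rather than blocking on the rule alone.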


IP Reputation & Proxy Detection

What it does: Blocks suspicious network sources

Why it matters: Fraudsters often use VPNs, proxies, or Tor

How to implement:

  • Block known malicious IPs
  • Use proxy detection tools

Limitation: Full VPN/Tor blocking may require third-party solutions.


Geographic Controls

Geo-Blocking / Regional Restrictions

What it does: Restricts transactions by location

Why it matters: Some regions have higher fraud rates

How to implement:

  • Block or flag high-risk countries

BIN / Card Range Filtering

What it does: Filters cards by issuing region or bank

Why it matters: Helps identify high-risk card sources

How to implement:

  • Configure rules in FraudTrak2 or similar tools

Operational Controls

Manual Review Workflows

What it does: Flags transactions for human approval

Why it matters: Adds a safeguard for high-risk activity

How to implement:

  • Review transactions based on thresholds or risk indicators
  • Use manual batching if needed

Tokenization

What it does: Replaces card data with secure tokens

Why it matters: Reduces risk of data exposure

How to implement:

  • Use Smart Screens v2 and token-based operations

Fraud Scoring Services

What it does: Assigns risk scores to transactions

Why it matters: Automates fraud detection decisions

How to implement:

  • Integrate a third-party service

Note: Evaluate providers carefully to determine the best fit for your business.


Final Notes

Fraud prevention is an ongoing process—not a one-time setup. Attack methods evolve, and defenses must adapt accordingly.

Merchants are strongly encouraged to:

  • Regularly review fraud settings
  • Monitor transaction activity
  • Continuously refine controls based on observed threats

A well-implemented, layered approach will significantly reduce both fraud exposure and operational risk.