Protect Your Donation Pages from Card Testing Fraud

Understand how card testing fraud works and the practical steps you can take to protect your organisation during high-risk periods such as Christmas.

Written by Cristina Gruita
Updated over a month ago

Understand Card Testing Fraud

Fraudsters often target websites with online payment forms in the run-up to Christmas.

Card testing, also known as card cracking, card dipping, or force testing, is a method used to check whether stolen or purchased card details are valid.

This typically involves:

  1. Using bots or scripts to submit thousands of low-value transactions.

  2. Testing card numbers, expiry dates, and CVC values using brute-force methods.

If successful, fraudsters then use or sell the validated card details elsewhere.

You may notice unusual names or address details appearing on transactions when card testing succeeds.


Understand the Impact on Your Organisation

Card testing fraud has several negative consequences.

  1. You may incur chargebacks and chargeback fees.

  2. Staff time is diverted to handling disputes and investigations.

  3. Genuine supporters may be affected if cards are compromised.


Monitor Online Donation Activity

Donorfy provides tools to help you keep track of online transaction activity.

  1. Go to Financial, then click Online Donations.

  2. Review the available tabs regularly.

History Tab

Use this tab to:

  1. View donor names.

  2. Check transaction amounts from the last 30 days.

Errors & Info Tab

Use this tab to:

  1. Review failed card attempts.

  2. Identify unusual spikes in failed transactions.

Repeated low-value failed transactions are a common indicator of card testing.
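
The same check can be run over exported transaction rows. This is an added example, not Donorfy or Stripe code: the row layout, the function name find_bursts and the thresholds (500 pence, 2-minute gap, 5 failures) are assumptions to tune against your own data, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample rows: (ISO timestamp, amount in pence, status, card last 4).
SAMPLE = [
    ("2024-12-20T09:00:00", 2500, "succeeded", "4242"),  # normal donation
    ("2024-12-20T09:15:00", 100, "failed", "1111"),      # isolated failure
    ("2024-12-20T11:00:05", 100, "failed", "0341"),
    ("2024-12-20T11:00:20", 100, "failed", "7720"),
    ("2024-12-20T11:00:41", 100, "failed", "5518"),
    ("2024-12-20T11:01:02", 100, "failed", "9034"),
    ("2024-12-20T11:01:30", 100, "succeeded", "2290"),   # low-value success mid-burst
    ("2024-12-20T11:01:55", 100, "failed", "6671"),
    ("2024-12-20T11:02:10", 100, "failed", "3307"),
    ("2024-12-20T14:30:00", 5000, "failed", "8888"),     # high-value failure, ignored
]

def find_bursts(rows, max_amount=500, max_gap=timedelta(minutes=2), min_failures=5):
    """Group low-value failures that are at most max_gap apart and
    report every group containing min_failures or more."""
    low = sorted((datetime.fromisoformat(ts), status, last4)
                 for ts, amount, status, last4 in rows if amount <= max_amount)
    failed = [r for r in low if r[1] == "failed"]
    groups, current = [], []
    for row in failed:
        # A gap longer than max_gap closes the current group.
        if current and row[0] - current[-1][0] > max_gap:
            groups.append(current)
            current = []
        current.append(row)
    if current:
        groups.append(current)
    bursts = []
    for g in groups:
        if len(g) < min_failures:
            continue
        start, end = g[0][0], g[-1][0]
        bursts.append({
            "start": start, "end": end, "failures": len(g),
            # Many different cards suggests testing; a donor mistyping retries one card.
            "distinct_cards": len({r[2] for r in g}),
            # Low-value successes inside the burst are the transactions to review first.
            "successes_to_review": [r[2] for r in low
                                    if r[1] == "succeeded" and start <= r[0] <= end],
        })
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE):
        print(burst)
```
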


Ensure Payment Pages Are Secure

Keeping your payment pages up to date is essential.

  1. Campaign Pages are already upgraded to support SCA compliance.

  2. Upgrade any Web Widgets created before 12 September 2019.

  3. Confirm that all newly created Web Widgets include SCA compliance by default.

Older widgets are more vulnerable if they are not upgraded.


Refresh Forms and Page Identifiers

Regularly refreshing payment endpoints can disrupt fraudulent activity.

  1. Change the Web Widget ID.

  2. Request a reset of your Campaign page.

  3. Copy an existing Form, update the URL on your website, then delete the old Form.

These steps invalidate links that may have been targeted by bots.


Adjust reCAPTCHA and Stripe Settings

You can strengthen protection by tightening your payment security settings.

  1. Increase reCAPTCHA sensitivity, for example to 0.6.

  2. Go to Settings, then click Stripe Connect to apply changes.

Higher reCAPTCHA thresholds reduce automated traffic while still allowing genuine donors to complete payments.


Use Stripe Fraud Prevention Tools

Stripe provides additional tools to help prevent card testing.

  1. Activate Stripe Radar to block transactions with null CVC values.

  2. Review flagged transactions within the Stripe dashboard.

Stripe Radar carries a small per-transaction cost, which may be waived depending on your pricing plan.


Increase Minimum Transaction Amounts

Raising the minimum donation amount can significantly reduce card testing attempts.

  1. Open your Stripe Dashboard.

  2. Increase the minimum transaction amount, for example from 30p to £5.