Fraud of any kind causes headaches for customers and merchants alike, with both their finances and their reputation at stake.

From large scale data breaches right down to petty card theft, retailers suffering from fraudulent transactions can find themselves out of pocket in multiple ways.

Refunding chargebacks, losing goods, paying hefty fines and the damage to a seller’s reputation all pose serious risks to a firm’s future trading, and businesses large and small are in the firing line.

One of the biggest causes of cyber fraud is known as carding, where stolen card information is used to place multiple transactions on commerce websites.

What Is Carding?

Carding is where fraudsters test stolen card details to determine whether they are still active or have been deactivated or reported stolen.

These card details could be bought by scammers from hackers who have infiltrated financial databases, phished via email or even skimmed at an ATM.

The aim then is to carry out transactions on ecommerce websites, pay for services or generally misuse the card information for financial gain.

If the details are accepted by a payment portal and the transaction passes through without triggering any fraudulent order warnings then it can be very difficult for the cardholder to reclaim those funds. There is also a risk that the website owner will be financially responsible for any losses.

Each year, it’s estimated that around 20% of small businesses find themselves falling victim to credit card fraud. Many struggle to deal with the ramifications, leading to them shutting up shop within six months.

Here are 7 steps you can take to reduce the risk of carding…

1. Use a PCI compliant payment provider

All websites and online merchants that accept card payments must be PCI (Payment Card Industry) compliant. The standard is backed by the major card schemes, including American Express, MasterCard and Visa, and merchants must ensure that their websites and servers adhere to this set of standards at all times.

Even if you don’t store credit card information on your server, you still need to adhere to PCI, because the card data is still transmitted over the internet. WorldPay, Adyen and SagePay are all commonly used payment providers and can help protect you and your customers from falling foul of the rules.

2. Implement CVV & AVS

Your payment provider should enable you to implement the Address Verification System (AVS). This checks the billing address details entered at the checkout against those on file at the credit card company or bank.

The Card Verification Value (CVV) is the three- or four-digit number, usually located on the back of a credit or debit card. This is one of the most important methods of reducing online credit card fraud, as it’s virtually impossible for hackers to acquire these details without physically accessing the card.

3. Use a Geolocation or IP lookup

This functionality checks the location of the user’s IP address against the billing address entered at the checkout. A mismatch between the two is an indication that something may be awry.

Whilst it doesn’t immediately mean that the transaction is fraudulent, your payment provider should flag this up for you to double check. You can investigate further before making a decision on whether to go ahead with or cancel the transaction.

4. Install an SSL, and make sure it’s up to date

SSL certificates ensure that data is transferred over an encrypted connection between the browser and your server. Websites are increasingly expected to use SSL, not least to adhere to PCI compliance requirements.

A secure connection keeps your company’s details and your customers’ information from being compromised by hackers. Displaying the all-important SSL padlock in the address bar also gives users an extra confidence boost.

5. Update your platforms

As well as keeping your website and its add-ons and extensions up to date, which is best practice in general, it’s also a good idea to make sure that the anti-virus software, operating system and any other software on your company’s computers are maintained.

Keeping up to date with the latest Magento patches and security updates ensures that you’re protected against known vulnerabilities and lapses in security, which can cause major problems if left unattended.

6. Set up alerts & schedule sanity checks

Your payment provider should enable you to be alerted when a transaction has not fully satisfied the checks needed to pass through cleanly.

This could be anything from an email to a flag on your orders page, prompting you to look at the details more closely. SagePay does a great job of this with its red, amber and green traffic light system.

You should also schedule in some sanity checks a few times a week, just to check for any anomalies or rogue orders which may have slipped the net.
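As an added example (not code from the original post), the following Python sketch turns the signals from steps 2, 3 and 6 into one scheduled sanity check over a batch of orders, rating each red, amber or green in the style of the traffic light system mentioned above. The IP-to-country table, the AVS/CVV flags on each order, and the velocity window and limit are constructed assumptions, not any payment provider’s real API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an IP geolocation lookup (step 3). A live site would
# call a geolocation service or rely on the payment provider's own screening.
IP_COUNTRY = {"203.0.113.10": "GB", "198.51.100.7": "US", "192.0.2.55": "BR"}
VELOCITY_WINDOW = timedelta(minutes=10)  # assumed window for repeat-attempt checks
VELOCITY_LIMIT = 3                       # assumed: more attempts than this from one IP is a burst


def screen_orders(orders):
    """Rate each order red/amber/green, in the style of the SagePay traffic lights.
    Orders are dicts: id, ts (ISO 8601), ip, billing_country, avs_match, cvv_match.
    Returns {order_id: (colour, [reasons])}."""
    results = {}
    seen = defaultdict(list)  # ip -> timestamps of earlier attempts
    for o in sorted(orders, key=lambda o: o["ts"]):
        ts = datetime.fromisoformat(o["ts"])
        reasons = []
        # Step 2: AVS and CVV outcomes reported by the payment provider
        if not o["cvv_match"]:
            reasons.append("cvv mismatch")
        if not o["avs_match"]:
            reasons.append("avs mismatch")
        # Step 3: country of the IP address vs the billing country at checkout
        ip_country = IP_COUNTRY.get(o["ip"])
        if ip_country and ip_country != o["billing_country"]:
            reasons.append(f"ip country {ip_country} != billing {o['billing_country']}")
        # Step 6: velocity. Card testing shows up as bursts of attempts from one IP
        recent = [t for t in seen[o["ip"]] if ts - t <= VELOCITY_WINDOW]
        seen[o["ip"]] = recent + [ts]
        burst = len(recent) + 1 > VELOCITY_LIMIT
        if burst:
            reasons.append(f"{len(recent) + 1} attempts from {o['ip']} within {VELOCITY_WINDOW}")
        # A failed CVV or a burst is red; any other single signal is amber for manual review
        colour = "red" if (not o["cvv_match"] or burst) else ("amber" if reasons else "green")
        results[o["id"]] = (colour, reasons)
    return results


# Constructed sample orders: two ordinary orders (one placed from abroad) and a
# run of small attempts from a single IP with failing CVV and AVS.
SAMPLE_ORDERS = [
    {"id": "1001", "ts": "2024-01-05T10:00:00", "ip": "203.0.113.10",
     "billing_country": "GB", "avs_match": True, "cvv_match": True},
    {"id": "1002", "ts": "2024-01-05T10:02:00", "ip": "198.51.100.7",
     "billing_country": "GB", "avs_match": True, "cvv_match": True},
] + [
    {"id": f"20{i:02d}", "ts": f"2024-01-05T10:0{i}:30", "ip": "192.0.2.55",
     "billing_country": "BR", "avs_match": False, "cvv_match": False}
    for i in range(5)
]
```

Anything rated amber is a candidate for the manual check described above rather than an automatic cancellation; red items are the ones to hold before fulfilment.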

7. Insist on stronger passwords

One of the scourges of having various accounts over multiple websites is the need to keep track of all your passwords and make sure that they’re more secure than just ‘Password01’.

As short alphanumeric passwords can be cracked incredibly quickly, it’s important to insist that customers creating accounts on your website choose a strong password. This should be a mix of upper and lower case characters, special characters and numbers to make it harder to crack. While it may frustrate some customers, it’s worth highlighting that it’s for their own protection.


Unfortunately, despite everyone’s best efforts to make the web a more secure place to shop there will always be individuals who look to take advantage of lapses in security.

Following the above steps will give you at least a head start over them by making sure that you’re adhering to best practice, doing all you can to prevent data from falling into the wrong hands and reducing the risk of compromised details being used on your site.

Check out our other Magento security tips to protect your ecommerce website.
