Anti-carding system

Introduction

Worldline Sips is a secure multi-channel e-commerce payment solution that complies with the PCI DSS standard. It allows you to accept and manage payment transactions by taking into account business rules related to your activity (payment on despatch, deferred payment, recurring payment, payment in instalments, etc.).

The purpose of this document is to describe the anti-carding system provided by Worldline Sips.

Who does this document target?

This document is intended for merchants using the anti-carding system.

To get an overview of the Worldline Sips solution, we advise you to consult the following documents:

Functional presentation
Functionality set-up guide

Contacting the support

For any technical question or request for assistance, our services are available:

by telephone at: +33 (0) 811 10 70 33
by e-mail: sips@worldline.com

In order to facilitate the processing of your requests, please provide your merchantId (15-digit number).

Overview

Carding is a fraudulent method of mass verification of the validity of card numbers that have been stolen or generated. Online payment platforms are the main targets of carders because they enable the generation of a large number of transactions on the card numbers to be checked. These are small-amount transactions so as not to raise suspicions. Protecting the system against carding attacks is therefore one of the priorities of web merchants

The Worldline Sips anti-carding system consists in:

detecting the carding attack
alerting you and protecting your payment system in case of an attack
helping your site to separate normal transactions from carded transactions
and restoring normal activity

Functional description

Carding detection

Detection criteria

Webshops have the "Anti-carding system" fonctionnality to activate anti-carding surveillance.

Tip: If you want to verify if you have this fonctionnality or activate it, please address your preferred WL Sips contact.

This surveillance consists in carrying out the following verifications for every transaction in the webshop:

Surveillance of the percentage of declined transactions per rolling hour: if the proportion of declined transactions in relation to the total number of transactions exceeds the authorised threshold in a rolling hour, this suggests that card numbers are being verified fraudulently and the webshop is considered to have been carded. This verification is thus carried out systematically for each transaction and cannot be deactivated. However, the threshold (critical proportion of failures) that triggers the alert can be configured.
Surveillance of the percentage of small-amount transactions: if the proportion of small-amount transactions in relation to the total number of transactions made exceeds the authorised threshold in a rolling hour, the webshop is considered to have been carded.

IMPORTANT: If you want modify the alert thresholds of your anti-carding system, you must contact your WL Sips contact.

In order to avoid false positives, these two verifications are only triggered after a minimum volume of transactions have been carried out in a day.

For more details, we invite you to contact your WL Sips contact.

Eligible interfaces

The anti-carding surveillance works on:

Sips Paypage
Sips Walletpage
Sips Office cardOrder service
Sips Office cardValidateAuthenticationAndOrder service

Surveillance is not trigerred in the following cases:

transactions with successful 3-D Secure verification (SUCCESS and ATTEMPT statuses)
OneClick transactions
token transactions
non-card transactions
transactions created through the duplicate and recycle operation

Anti-carding defence and alert

Defence system triggering

The defence system is triggered automatically as soon as the surveillance detects a carding attack on a webshop. It consists in:

Carrying out strict anti-fraud checks to reduce the chance of accepting fraudulent transactions generated by carding. The strict checks include:
- Checking that the card country matches your country. All transactions with a card where the country is different from yours are declined.
- Checking that the country of the customer's IP address matches your country. All transactions from an IP address where the country is different from yours are declined.
Blocking the sending of the automatic evening remittance to give you time to identify fraudulent transactions so as not to debit the cards that have been carded. This involves all webshop transactions of the day.

Alert sending

When the defence system is triggered, alert e-mails are sent to the distributor's contacts and to the Worldline Sips customer service in order to prevent a carding attack from happening. It is the distributor's responsibility to warn you.

The list of contacts can be configured at the distributor's level.

The alert e-mail contains:

the name of the webshop involved
the defence system trigger time
the reason for the alert being triggered
the checks triggered for defence
etc.

A sample alert e-mail is available as an appendix.

Evaluation, securing and purge

Evaluation

When an alert occurs, it is important to respond quickly to know if it is a real attack or a false alarm.

To do this, the Worldline Sips transactions must be compared with the transactions in your order-taking system. The false transactions generated by carding are not presented in your order-taking system. Worldline Sips transactions are searchable via Sips Office Extranet and Merchant Extranet.

If there is a corresponding order for all Worldline Sips transactions, then this is a false alert. You should then move on directly to the 'Restoring normal activity' stage.

If needed, the distributor can contact the Worldline Sips customer service.

Securing

In the event of a real attack, it is important that you quickly carry out securing measures to protect your site. Depending on the type of attack, these measures may consist in:

changing the certificate or the secret key
changing or editing the fraud rules
editing/updating the website
etc.

Purge

Following the securing of the site, you must purge your operations

There are three types of unusual transactions:

False transactions generated by carding and unduly accepted by Worldline Sips. These transactions are present and accepted in the Worldline Sips system, but are not present in your order-taking system. You must cancel (or you must not validate, depending on the transaction capture mode) these transactions via Sips Office Extranet, Merchant Extranet or the operations via web service. You can also communicate with the Worldline Sips customer service and request manual intervention in the event of a significant volume.
False transactions generated by carding and refused by Worldline Sips. These transactions are present and refused by the Worldline Sips system, but are not present in your order-taking system. There is no need for specific processing on these transactions, they are stored in the database for future analysis.
Real transactions refused by Worldline Sips, due to strict checks triggered following the detection of carding. There is currently no specific processing for these transactions.

Restoring normal activity

Restoring normal activity consists in:

changing the webshop status from "carded" to "normal"
deactivating the strict defence checks
unblocking remittance if it has been blocked

Please contact your Worldline Sips customer service to restore the activity.

Following the change in the webshop status, standard surveillance is restarted.

Some events such as sales or knock-down price operations can cause webshops to experience a large number of small-amount transactions. In this case, these legitimate transactions may be interpreted as a carding attempt. It is therefore necessary to temporarily deactivate the anti-carding protection during the event period. If you would like to do so, you must request it from customer support before the promotion starts.

Configuring the anti-carding

Configuring the anti-carding is divided into three parts:

general configuration
detection profile
blocking the remittance

General configuration

The distributor must provide the name, the e-mail address and the telephone number of a contact person for the distributor. This contact person will be notified in the event of an alert.

Detection profile

For the checking of declined transactions, the distributor must provide:

the number of transactions above which the system starts to check the refusal rate. Below this threshold, the percentage calculation is considered insignificant. This number of transactions is counted over the day starting from midnight
and the percentage of declined transactions (authorisation failed) triggering the alert. If the threshold is reached, the alert and the carding defence are triggered.

If the distributor wants to check small-amount transactions (this check is optional), they must provide:

the number of transactions above which the system starts to check the rate of small-amount transactions. Below this threshold, the percentage calculation is considered insignificant. This number of transactions is counted over the day starting from midnight
the small-amount threshold. Transactions where the value is less than or equal to this threshold are considered small-amount transactions
and the percentage of small-amount transactions triggering the alert. If this threshold is reached, the alert and the carding defence are triggered.

Blocking the remittance

The distributor must indicate whether they want to block the sending of the remittance in case some carding was detected.

Appendices

Appendix 1: sample alert e-mail

WL SIPS DOCS