What is card testing?

Card testing refers to the illicit practice of attempting unauthorized transactions using stolen or fraudulent credit and debit card information. Criminals test the validity of stolen card details by making small transactions, often online or at various retail establishments, and then use the cards that succeed for larger fraud elsewhere. Unfortunately, churches are in fact the most targeted industry for such criminal activities.

Churches may be targeted for several reasons.

Firstly, they often process a significant number of small transactions, particularly through online donation platforms. Criminals may see churches as attractive targets due to the potential for a large number of small transactions and the perception that security measures may be less stringent.

Additionally, the trusting and open nature of church communities may make them more susceptible to exploitation. It is essential for churches to implement robust security measures to protect their financial transactions and sensitive information, safeguarding both the institution and its members from the impact of card testing and other fraudulent activities.

What can you do to protect your church?

  1. My Well Ministry offers fraud prevention tools that help protect churches from card testing. My Well’s Gateway iframe tokenizer in Rock is behind Cloudflare’s Bot Management. When Cloudflare detects that a bot is submitting card data, an empty token is returned from the iframe, and the transaction is immediately flagged and will not be processed. When manual card testing occurs, we provide a fraud management tool used to prevent and detect suspicious transactions.

These fraud prevention tools check for address verification (AVS), enforce a minimum gift amount, check BIN velocity (how many attempts arrive from cards sharing the same Bank Identification Number within a short window), and apply many other rules. My Well has a base of recommended rules but allows you to customize these to fit your church’s needs. Upon setting up your My Well account, our team will have a meeting to configure these rules for you. If you currently have an account and would like to check on your rules or update them, you can contact a My Well support specialist.

If your fraud prevention rules are triggered, the My Well Team is notified and will then inform you of which rules were triggered. Our team will monitor the situation and offer suggestions on additional rules or steps your church can take during card testing.

  2. Set up a firewall service like Cloudflare. We recommend churches use Cloudflare Pro to protect their Rock instance. The Cloudflare Pro plan starts at as little as $25/mo and includes a handful of great security tools, including detecting and mitigating DDoS attacks, CAPTCHA challenges for specific pages, and a WAF that checks incoming web requests and filters undesired traffic based on rule sets.

  3. Enable CAPTCHA on Rock blocks. Rock’s native giving blocks offer CAPTCHA support. CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, is a security measure designed to differentiate between human users and automated bots. CAPTCHAs typically present users with a challenge that is easy for humans to solve but difficult for automated scripts or bots.

  4. Enable rate limiting on certain Rock pages. Rock pages have settings for rate limiting. Rate limiting on web pages is a security measure implemented to control and restrict the number of requests or actions that a user or client can make within a specified time frame. The purpose of rate limiting is to protect web servers and applications from abuse, unauthorized access, and potential denial-of-service attacks.
    1. To enable rate limiting in Rock, go to Rock page settings and click Advanced Settings. Then check the box labeled ‘Rate Limiting Enable’. This will display two additional settings you can use to help prevent bots.
    2. We suggest using this setting on your Giving pages and Account Registration pages.

  5. Web Agility Plug-In. The Triumph team has developed a plug-in for Rock that can help block traffic from problematic subnets.

  6. Put giving behind a log-in wall. While this may not be the best solution for all churches, it can be a great deterrent for card testers and bots. When you ask your congregants to log in for giving, you are not only securing your transaction data and helping to deter card testers, but you are also collecting better data about your congregants.
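To make the fraud prevention rules above concrete, here is an added illustration (not My Well's or Rock's own code) of how a gateway-side screen can evaluate a donation attempt against three of the rules named above: a minimum gift amount, an AVS match requirement, and a BIN velocity limit. The rule thresholds, the `Attempt` record layout, and the sample attempts are all constructed assumptions for the example; the thresholds are shown as defaults precisely because, as the text says, they should be tuned per church.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Attempt:
    """One gift attempt as seen by the gateway (constructed layout for this example)."""
    ts: float         # time of the attempt, in epoch seconds
    amount: float     # gift amount in dollars
    card_bin: str     # first six digits of the card number (Bank Identification Number)
    avs_result: str   # "Y" = address and ZIP match, "N" = no match, "U" = unavailable


@dataclass
class Rules:
    """Assumed rule thresholds; a real deployment tunes these per church."""
    min_gift: float = 5.00            # gifts below this are typical of card testers
    require_avs_match: bool = True    # reject attempts whose billing address does not verify
    bin_velocity_limit: int = 3       # more than this many attempts per BIN in the window...
    bin_velocity_window: float = 600  # ...of this many seconds triggers the velocity rule


class FraudScreen:
    def __init__(self, rules: Rules):
        self.rules = rules
        # Per-BIN timestamps of recent attempts; oldest entries are evicted as the window slides.
        self._bin_history = defaultdict(deque)

    def evaluate(self, attempt: Attempt) -> list:
        """Return the names of every rule the attempt triggers (empty list = clean)."""
        triggered = []

        if attempt.amount < self.rules.min_gift:
            triggered.append("min_gift")

        if self.rules.require_avs_match and attempt.avs_result != "Y":
            triggered.append("avs_mismatch")

        history = self._bin_history[attempt.card_bin]
        cutoff = attempt.ts - self.rules.bin_velocity_window
        while history and history[0] < cutoff:
            history.popleft()              # drop attempts that fell out of the window
        history.append(attempt.ts)         # count this attempt too
        if len(history) > self.rules.bin_velocity_limit:
            triggered.append("bin_velocity")

        return triggered


def screen_batch(attempts, rules: Rules) -> list:
    """Evaluate attempts in order and return one list of triggered rules per attempt."""
    screen = FraudScreen(rules)
    return [screen.evaluate(a) for a in attempts]


# Constructed sample: one normal gift, a burst of $1 probes sharing a BIN, then a
# legitimate gift on the same BIN well after the burst has aged out of the window.
SAMPLE_ATTEMPTS = [
    Attempt(ts=0,   amount=50.00, card_bin="411111", avs_result="Y"),
    Attempt(ts=10,  amount=1.00,  card_bin="555555", avs_result="N"),
    Attempt(ts=12,  amount=1.00,  card_bin="555555", avs_result="N"),
    Attempt(ts=15,  amount=1.00,  card_bin="555555", avs_result="N"),
    Attempt(ts=18,  amount=1.00,  card_bin="555555", avs_result="N"),
    Attempt(ts=900, amount=25.00, card_bin="555555", avs_result="Y"),
]

if __name__ == "__main__":
    for attempt, hits in zip(SAMPLE_ATTEMPTS, screen_batch(SAMPLE_ATTEMPTS, Rules())):
        print(f"t={attempt.ts:>4} ${attempt.amount:>6.2f} bin={attempt.card_bin} -> {hits or 'clean'}")
```

Note that the velocity rule only fires on the fourth probe, while the small-amount and AVS rules catch every probe individually; in practice the rules reinforce each other, which is why the text recommends a set of rules rather than any single check.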

What can you do if you are actively being card tested or experiencing bot traffic?

  1. Block the specific IP address or IP address range. Many web servers have built-in firewall capabilities. You can configure the server's firewall to block specific IP addresses or ranges. If your website is hosted on a cloud platform, such as AWS, Azure, or Google Cloud, these services often provide security groups or network security features that allow you to configure IP restrictions.
    1. Remember to exercise caution when blocking IP addresses, especially when dealing with IP address ranges. Blocking an IP address or range may inadvertently impact legitimate users if they are sharing the same network or IP space.
  2. Increase rate limiting on pages being attacked. Isolate the pages that are being used and increase the rate limits to mitigate the activity.
  3. Work with My Well to modify fraud prevention rules. You can work with your My Well support specialist to modify these rules and help combat card testing.
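The two server-side responses listed above, blocking an address range and tightening a page's rate limit, can be pictured with the following added example (not Rock's or Cloudflare's code). It applies a per-client sliding-window limit to requests for a giving page, consults a CIDR blocklist first, and includes a helper that shows how many addresses a blocklist entry covers, which is the reason the text advises caution with ranges. The request log, limit values, and addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque


class PageGuard:
    """Sliding-window rate limit per client IP, plus an explicit CIDR blocklist."""

    def __init__(self, max_requests: int, window_seconds: float, blocked_cidrs=()):
        self.max_requests = max_requests
        self.window = window_seconds
        self.blocked = [ipaddress.ip_network(c, strict=False) for c in blocked_cidrs]
        self._hits = defaultdict(deque)   # ip -> timestamps of recent allowed requests

    def is_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked)

    def check(self, ip: str, ts: float) -> str:
        """Return 'blocked', 'rate_limited' or 'allow' for one request from ip at time ts."""
        if self.is_blocked(ip):
            return "blocked"
        hits = self._hits[ip]
        cutoff = ts - self.window
        while hits and hits[0] <= cutoff:
            hits.popleft()                 # forget requests outside the window
        if len(hits) >= self.max_requests:
            return "rate_limited"          # over the limit; do not record this request
        hits.append(ts)
        return "allow"


def replay(guard: PageGuard, requests) -> list:
    """Run a (timestamp, ip) request log through the guard and return each decision."""
    return [guard.check(ip, ts) for ts, ip in requests]


def collateral_addresses(cidr: str) -> int:
    """Number of addresses a blocklist entry covers; larger ranges risk blocking real donors."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


# Constructed request log: one client hammering the giving page six times in six seconds,
# a normal visitor making two requests, and a request from an explicitly blocked range.
SAMPLE_REQUESTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "198.51.100.7"), (4, "198.51.100.7"), (5, "198.51.100.7"),
    (6, "203.0.113.10"), (7, "203.0.113.10"),
    (8, "192.0.2.44"),
]

if __name__ == "__main__":
    guard = PageGuard(max_requests=5, window_seconds=60, blocked_cidrs=["192.0.2.0/24"])
    for (ts, ip), decision in zip(SAMPLE_REQUESTS, replay(guard, SAMPLE_REQUESTS)):
        print(f"t={ts} {ip:<14} {decision}")
    for cidr in ("192.0.2.44/32", "192.0.2.0/24", "198.51.100.0/16"):
        print(f"{cidr:<16} covers {collateral_addresses(cidr)} addresses")
```

A single /32 entry affects one address, a /24 affects 256, and a /16 affects 65,536; when the abusive traffic comes from a shared network, the rate limit, which only slows the noisy client, is the safer first response, and the blocklist should stay as narrow as the evidence allows.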

By adopting a multi-faceted approach that combines My Well’s robust fraud prevention tools, Cloudflare Services, and utilizing certain Rock tools, churches can significantly reduce the risk of falling victim to card testing and better protect their financial transactions and sensitive information. Regularly updating and adapting security measures is crucial to staying ahead of evolving cyber threats and ensuring the continued safety of church members and their contributions.