Whether you have a brick-and-mortar location or you run an online business, securing both your and your customers’ sensitive data should always be a priority. While taking measures like using anti-virus software, tools to detect malware, and educating yourself and employees on the most common threats are all great places to start, data breaches aren’t your only threat.
There’s also something called velocity threats that could do some serious damage to your merchant account, and business overall.
What are velocity attacks?
A velocity attack is when a nefarious individual keeps submitting a credit or debit card in order to make unauthorized charges. They’ll keep submitting the card number until it’s verified. They usually obtain card numbers that have been stolen from a point-of-a-sale terminal.
Depending on the software that’s being used to launch a velocity attack, it could generate random number sequences which would create charges every time that a sequence relates to a valid credit card number – usually when the merchant is asleep. As a result, the merchant would start their business day with charges that have not been authorized. And, as if that weren’t bad enough, this could keep repeating until the card amount has been maxed-out or someone has noticed these unauthorized transactions.
The impact of velocity attacks.
After a velocity attack has occurred there’s a lot of cleaning up to do. In fact, it could take you several days or even weeks to determine which transactions were authorized and which ones were not. In other words, you’re going to be spending a lot of time on the phone with customers, your bank, and your payment processor if you want to straighten this mess out.
Even more problematic, your customers may lose confidence in your business, which could result in them jumping ship and supporting a competitor. And, since you’ll have to reverse these charges, you’ll also have to deal with chargebacks and a loss in revenue.
How to avoid velocity attacks on your merchant account.
Being proactive is the best way to reduce, and ultimately avoid velocity attacks.
The first place to start is by running a velocity check. This is simply software that keeps a lookout for repeating patterns and will monitor the number of times that a specific data element occurs within a specified timeframe. These data elements are usually;
- User ID/email address
- IP address
- Billing address
- Shipping address
- Phone number
- Device ID/signature
- Credit card number/payment method
- Browser cookie
Keep in mind that a customer name isn’t an effective data element during a velocity check since it’s possible that more than one person has the same name.
Most fraud prevention services, like Sift Science or Fiserv, offer velocity checks.
You should also invest in a velocity filter from companies like BluePay, which is a tool that tests multiple card numbers against your merchant account. The filter will then automatically reject transactions made within a one-hour window. This is based on the parameters that you’ve set, such as;
- The maximum dollar amount for all sales that occur within a 60-minute window.
- The total sales amount you have per hour.
- The amount of transactions, regardless of dollar amount, that you process every dollar.
- Suspicious IP addresses.
Besides purchasing software and tools, don’t forget to take additional measures like setting up your account so that you;
- Restrict the volume of refunds that available per hour.
- Set limits for maximum sales transaction values based on your average sales each hour.
- Set limits on transaction volumes, which is the total number of transactions completed per hour.
You should also monitor and block IP addresses that have a higher-than-average number of visits and transactions, as well as use security methods like tokenization and point-to-point encryption.
The bottom line.
As a merchant, it’s your responsibility to mitigate the risks involved with processing payments – especially credit card fraud. While we often focus on other threats, velocity attacks are a common form of credit card fraud that’s often overlooked. However, they can be a costly attack that can end up costing you a ton of time and money.
To prevent velocity attacks from taking place, make sure that you invest in fraud management tools and software. Just as important, make sure that you pay attention to any transactions that are excessive; or come from the same IP, email, billing or shipping address.
