Introduction

WL Sips is a secure multi-channel e-commerce payment solution that complies with the PCI DSS standard. It allows you to accept and manage payment transactions by taking into account business rules related to your activity (payment on despatch, deferred payment, recurring payment, payment in instalments, etc.).

The purpose of this document is to describe the anti-carding system provided by WL Sips and to explain how to implement and configure it.

Who does this document target?

This document is intended for merchants who wish to use the anti-carding system.

To get an overview of the WL Sips solution, we advise you to consult the following documents:

  • Functional presentation
  • Functionality set-up guide

Contacting the support

For any technical question or request for assistance, our services are available:

  • by telephone at: +33 (0) 811 10 70 33
  • by e-mail: sips@worldline.com

In order to facilitate the processing of your requests, please provide your merchantId (15-digit number).

Overview

Carding is a fraudulent method of mass verification of the validity of card numbers that have been stolen or generated. Online payment platforms are the main targets of carders because they enable the generation of a large number of transactions on the card numbers to be checked. These are small-amount transactions so as not to raise suspicion. Protecting the system against carding attacks is therefore one of the priorities of web merchants.

The WL Sips anti-carding system consists in:

  • detecting the carding attack
  • alerting you and protecting your payment system in case of an attack
  • helping your site to separate normal transactions from carded transactions
  • and restoring normal activity

Functional description

Carding detection

Detection criteria

Webshops can subscribe to the "Anti-carding system" option to activate anti-carding surveillance. This surveillance consists in carrying out the following verifications for every transaction in the webshop:

  • Surveillance of the percentage of declined transactions per rolling hour: if the proportion of declined transactions in relation to the total number of transactions exceeds the authorised threshold in a rolling hour, this suggests that card numbers are being verified fraudulently and the webshop is considered to have been carded. This verification is thus carried out systematically for each transaction and cannot be deactivated. However, the threshold (critical proportion of failures) that triggers the alert can be configured.
  • Surveillance of the percentage of small-amount transactions: if the proportion of small-amount transactions in relation to the total number of transactions made exceeds the authorised threshold in a rolling hour, the webshop is considered to have been carded. This rule is optional; you can choose whether or not to activate it and can change the authorised threshold.

In order to avoid false positives, these two verifications are only triggered after a minimum volume of transactions have been carried out in a day.

Eligible interfaces

The anti-carding surveillance works on:

  • Sips Paypage
  • Sips Walletpage
  • Sips Office cardOrder service
  • Sips Office cardValidateAuthenticationAndOrder service

Surveillance is not triggered in the following cases:

  • transactions with successful 3-D Secure verification (SUCCESS and ATTEMPT statuses)
  • OneClick transactions
  • token transactions
  • non-card transactions
  • transactions created through the duplicate and recycle operation

Anti-carding defence and alert

Defence system triggering

The defence system is triggered automatically as soon as the surveillance detects a carding attack on a webshop. It consists in:

  • Carrying out strict anti-fraud checks to reduce the chance of accepting fraudulent transactions generated by carding. The strict checks include:
    • Checking that the card country matches your country. All transactions with a card where the country is different from yours are declined.
    • Checking that the country of the customer's IP address matches your country. All transactions from an IP address where the country is different from yours are declined.
  • Blocking the sending of the automatic evening remittance to give you time to identify fraudulent transactions so as not to debit the cards that have been carded. Blocking automatic remittance is an option. It involves all webshop transactions of the day. If the distributor does not wish to delay the debit, they should not activate this option. In this case, the remittance is sent as usual, with the risk of remitting fraudulent transactions.

Alert sending

When the defence system is triggered, alert e-mails are sent to the distributor's contacts and to the WL Sips customer service in order to warn them of the carding attack. It is the distributor's responsibility to warn you.

The list of contacts can be configured at the distributor's level.

The alert e-mail contains:

  • the name of the webshop involved
  • the defence system trigger time
  • the reason for the alert being triggered
  • the checks triggered for defence
  • etc.

A sample alert e-mail is available as an appendix.

Evaluation, securing and purge

Evaluation

When an alert occurs, it is important to respond quickly to know if it is a real attack or a false alarm.

To do this, the WL Sips transactions must be compared with the transactions in your order-taking system. The false transactions generated by carding are not present in your order-taking system. WL Sips transactions are searchable via Sips Office Extranet and MEX.

If there is a corresponding order for all WL Sips transactions, then this is a false alert. You should then move on directly to the 'Restoring normal activity' stage.

If needed, the distributor can contact the WL Sips customer service.

Securing

In the event of a real attack, it is important that you quickly carry out securing measures to protect your site. Depending on the type of attack, these measures may consist in:

  • changing the certificate or the secret key
  • changing or editing the fraud rules
  • editing/updating the website
  • etc.

Purge

Following the securing of the site, you must purge your operations.

There are three types of unusual transactions:

  • False transactions generated by carding and unduly accepted by WL Sips. These transactions are present and accepted in the WL Sips system, but are not present in your order-taking system. You must cancel (or you must not validate, depending on the transaction capture mode) these transactions via Sips Office Extranet, MEX or the operations via web service. You can also communicate with the WL Sips customer service and request manual intervention in the event of a significant volume.
  • False transactions generated by carding and refused by WL Sips. These transactions are present and refused by the WL Sips system, but are not present in your order-taking system. There is no need for specific processing on these transactions; they are stored in the database for future analysis.
  • Real transactions refused by WL Sips, due to strict checks triggered following the detection of carding. There is currently no specific processing for these transactions.

Restoring normal activity

Restoring normal activity consists in:

  • changing the webshop status from "carded" to "normal"
  • deactivating the strict defence checks
  • unblocking remittance if it has been blocked

Please contact your WL Sips customer service to restore the activity.

Following the change in the webshop status, standard surveillance is restarted.

Some events such as sales or knock-down price operations can cause webshops to experience a large number of small-amount transactions. In this case, these legitimate transactions may be interpreted as a carding attempt. It is therefore necessary to temporarily deactivate the anti-carding protection during the event period. If you would like to do so, you must request it from customer support before the promotion starts.

Configuring the anti-carding

Configuring the anti-carding is divided into three parts:

  • general configuration
  • detection profile
  • blocking the remittance

General configuration

The distributor must provide the name, the e-mail address and the telephone number of a contact person for the distributor. This contact person will be notified in the event of an alert.

Detection profile

For the checking of declined transactions, the distributor must provide:

  • the number of transactions above which the system starts to check the refusal rate. Below this threshold, the percentage calculation is considered insignificant. This number of transactions is counted over the day starting from midnight.
  • and the percentage of declined transactions (authorisation failed) triggering the alert. If the threshold is reached, the alert and the carding defence are triggered.

If the distributor wants to check small-amount transactions (this check is optional), they must provide:

  • the number of transactions above which the system starts to check the rate of small-amount transactions. Below this threshold, the percentage calculation is considered insignificant. This number of transactions is counted over the day starting from midnight.
  • the small-amount threshold. Transactions where the value is less than or equal to this threshold are considered small-amount transactions.
  • and the percentage of small-amount transactions triggering the alert. If this threshold is reached, the alert and the carding defence are triggered.
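The following Python model ties the detection profile parameters above to the detection criteria and exclusions described under "Functional description". It is an added illustration for this guide, not Worldline's code, and the class names, field names and rule names (`DetectionProfile`, `CardingMonitor`, `"declined_rate"`, `"small_amount_rate"`) are this example's own assumptions; it also assumes that the daily volume check uses a strict "above" comparison and that a rate "reaches" the threshold at equality, as the wording suggests. The sample traffic is constructed, not real data.

```python
"""Model of the WL Sips anti-carding detection rules as described in this guide.
Added illustration, not Worldline code: names and comparison details are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass
class DetectionProfile:
    """Parameters the distributor supplies (field names are this example's own)."""
    declined_min_daily_volume: int        # refusal rate is checked only above this daily count
    declined_rate_threshold: float        # % of declined transactions per rolling hour
    small_amount_enabled: bool = False    # the second rule is optional
    small_amount_min_daily_volume: int = 0
    small_amount_threshold: Decimal = Decimal("0")  # amount <= threshold counts as small
    small_amount_rate_threshold: float = 100.0      # % of small-amount transactions per hour


@dataclass
class Transaction:
    at: datetime
    amount: Decimal
    declined: bool                         # authorisation failed
    three_ds_status: Optional[str] = None  # "SUCCESS", "ATTEMPT", "FAILURE" or None
    one_click: bool = False
    token: bool = False
    card: bool = True
    duplicated: bool = False               # created by the duplicate/recycle operation


def is_monitored(tx: Transaction) -> bool:
    """Exclusions listed under 'Eligible interfaces': these never feed the counters."""
    if tx.three_ds_status in ("SUCCESS", "ATTEMPT"):
        return False
    return not (tx.one_click or tx.token or not tx.card or tx.duplicated)


class CardingMonitor:
    def __init__(self, profile: DetectionProfile) -> None:
        self.profile = profile
        self.window: List[Transaction] = []  # monitored transactions in the last rolling hour
        self.daily_count = 0                 # counted from midnight, reset each day
        self.current_day: Optional[date] = None
        self.carded = False

    def observe(self, tx: Transaction) -> Optional[str]:
        """Feed one transaction; return the rule name if it flips the webshop to 'carded'."""
        if not is_monitored(tx):
            return None
        if tx.at.date() != self.current_day:   # new day: the minimum-volume counter restarts
            self.current_day = tx.at.date()
            self.daily_count = 0
        self.daily_count += 1
        cutoff = tx.at - timedelta(hours=1)
        self.window = [t for t in self.window if t.at > cutoff] + [tx]
        total = len(self.window)
        p = self.profile
        # Rule 1 (always active): share of declined transactions in the rolling hour.
        if self.daily_count > p.declined_min_daily_volume:
            declined = sum(1 for t in self.window if t.declined)
            if 100.0 * declined / total >= p.declined_rate_threshold:
                self.carded = True
                return "declined_rate"
        # Rule 2 (optional): share of small-amount transactions in the rolling hour.
        if p.small_amount_enabled and self.daily_count > p.small_amount_min_daily_volume:
            small = sum(1 for t in self.window if t.amount <= p.small_amount_threshold)
            if 100.0 * small / total >= p.small_amount_rate_threshold:
                self.carded = True
                return "small_amount_rate"
        return None


def replay(profile: DetectionProfile, txs: List[Transaction]) -> List[Optional[str]]:
    monitor = CardingMonitor(profile)
    return [monitor.observe(t) for t in txs]


def sample_scenarios() -> Dict[str, List[Optional[str]]]:
    """Constructed traffic (not real data) exercising each rule and one exclusion."""
    base = datetime(2024, 1, 1, 10, 0)
    profile = DetectionProfile(10, 50.0, True, 10, Decimal("1.00"), 80.0)

    def txs(n: int, start_min: int, declined: bool, amount: str, **flags) -> List[Transaction]:
        return [Transaction(base + timedelta(minutes=start_min + i), Decimal(amount), declined, **flags)
                for i in range(n)]

    return {
        # 6 refusals then 5 approvals inside one hour: 6/11 = 54.5% >= 50% on the 11th transaction
        "burst": replay(profile, txs(6, 0, True, "20.00") + txs(5, 6, False, "20.00")),
        # same refusals, but the approvals arrive over an hour later: the refusals have left the window
        "spread": replay(profile, txs(6, 0, True, "20.00") + txs(6, 70, False, "20.00")),
        # 11 approved 0.50 payments: 100% small-amount >= 80% once the daily minimum is passed
        "tiny": replay(profile, txs(11, 0, False, "0.50")),
        # token transactions are out of scope, so even 11 refusals never trigger anything
        "tokens": replay(profile, txs(11, 0, True, "20.00", token=True)),
    }


if __name__ == "__main__":
    for name, result in sample_scenarios().items():
        print(name, [r for r in result if r] or "no alert")
```

The "spread" scenario is the one worth noticing: a naive daily refusal rate would read 6/12 = 50% and fire, whereas the rolling-hour window described in the guide has already forgotten the early refusals, so only the daily minimum volume advances. Conversely, the "tiny" scenario shows why the guide recommends asking customer support to suspend the protection before a sale: a legitimate run of small payments looks identical to the second rule.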

Blocking the remittance

The distributor must indicate whether they want to block the sending of the remittance in case some carding was detected.

Appendices

Appendix 1: sample alert e-mail