[{"data":1,"prerenderedAt":382},["ShallowReactive",2],{"docsv3-nav":3,"\u002Fdocs\u002Fv3\u002Fguides\u002Fcard-testing-prevention":198},[4],{"title":5,"path":6,"stem":7,"children":8,"page":188},"V3","\u002Fdocs\u002Fv3","1.docs\u002Fv3",[9,13,17,21,38,87,189],{"title":10,"path":11,"stem":12},"Introduction","\u002Fdocs\u002Fv3\u002Fintroduction","1.docs\u002Fv3\u002F1.Introduction",{"title":14,"path":15,"stem":16},"Quick start","\u002Fdocs\u002Fv3\u002Fquick-start","1.docs\u002Fv3\u002F2.Quick start",{"title":18,"path":19,"stem":20},"Challenge flow","\u002Fdocs\u002Fv3\u002Fchallenge-flow","1.docs\u002Fv3\u002F3.Challenge flow",{"title":22,"path":23,"stem":24,"children":25},"Fundamentals","\u002Fdocs\u002Fv3\u002Ffundamentals","1.docs\u002Fv3\u002F4.fundamentals",[26,30,34],{"title":27,"path":28,"stem":29},"Signup protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Fsignup-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F00.Signup protection",{"title":31,"path":32,"stem":33},"Login protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Flogin-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F01.Login protection",{"title":35,"path":36,"stem":37},"Access protection","\u002Fdocs\u002Fv3\u002Ffundamentals\u002Faccess-protection","1.docs\u002Fv3\u002F4.fundamentals\u002F02.Access protection",{"title":39,"path":40,"stem":41,"children":42},"Guides","\u002Fdocs\u002Fv3\u002Fguides","1.docs\u002Fv3\u002F5.guides",[43,47,51,55,59,63,67,71,75,79,83],{"title":44,"path":45,"stem":46},"Account sharing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-sharing-prevention","1.docs\u002Fv3\u002F5.guides\u002F1.Account sharing prevention",{"title":48,"path":49,"stem":50},"Web scraping prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fweb-scraping-prevention","1.docs\u002Fv3\u002F5.guides\u002F13.Web scraping prevention",{"title":52,"path":53,"stem":54},"Ban enforcement","\u002Fdocs\u002Fv3\u002Fguides\u002Fban-enforcement","1.docs\u002Fv3\u002F5.guides\u002F14.Ban enforcement",{"title":56,"path":57,"stem":58},"Chargeback dispute","\u002Fdocs\u002Fv3\u002Fguides\u002Fchargeback-dispute","1.docs\u002Fv3\u002F5.guides\u002F15.Chargeback dispute",{"title":60,"path":61,"stem":62},"Multi-accounting prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fmulti-accounting-prevention","1.docs\u002Fv3\u002F5.guides\u002F16.Multi-accounting prevention",{"title":64,"path":65,"stem":66},"Account takeover prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Faccount-takeover-prevention","1.docs\u002Fv3\u002F5.guides\u002F2.Account takeover prevention",{"title":68,"path":69,"stem":70},"Risky transaction prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Frisky-transaction-prevention","1.docs\u002Fv3\u002F5.guides\u002F20.Risky transaction prevention",{"title":72,"path":73,"stem":74},"Fake account detection","\u002Fdocs\u002Fv3\u002Fguides\u002Ffake-account-detection","1.docs\u002Fv3\u002F5.guides\u002F3.Fake account detection",{"title":76,"path":77,"stem":78},"Bot detection","\u002Fdocs\u002Fv3\u002Fguides\u002Fbot-detection","1.docs\u002Fv3\u002F5.guides\u002F4.Bot detection",{"title":80,"path":81,"stem":82},"Card testing prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fcard-testing-prevention","1.docs\u002Fv3\u002F5.guides\u002F5.Card testing prevention",{"title":84,"path":85,"stem":86},"Incentive abuse prevention","\u002Fdocs\u002Fv3\u002Fguides\u002Fincentive-abuse-prevention","1.docs\u002Fv3\u002F5.guides\u002F9.Incentive abuse prevention",{"title":88,"path":89,"stem":90,"children":91,"page":188},"Concepts","\u002Fdocs\u002Fv3\u002Fconcepts","1.docs\u002Fv3\u002F6.concepts",[92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,160,164,168,172,176,180,184],{"title":93,"path":94,"stem":95},"Evaluations","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fevaluations","1.docs\u002Fv3\u002F6.concepts\u002F01.evaluations",{"title":97,"path":98,"stem":99},"Actions","\u002Fdocs\u002Fv3\u002Fconcepts\u002Factions","1.docs\u002Fv3\u002F6.concepts\u002F02.actions",{"title":101,"path":102,"stem":103},"Signals","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fsignals","1.docs\u002Fv3\u002F6.concepts\u002F03.signals",{"title":105,"path":106,"stem":107},"Checks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchecks","1.docs\u002Fv3\u002F6.concepts\u002F04.checks",{"title":109,"path":110,"stem":111},"Risks","\u002Fdocs\u002Fv3\u002Fconcepts\u002Frisks","1.docs\u002Fv3\u002F6.concepts\u002F05.risks",{"title":113,"path":114,"stem":115},"Verdicts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fverdicts","1.docs\u002Fv3\u002F6.concepts\u002F06.verdicts",{"title":117,"path":118,"stem":119},"Policies","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpolicies","1.docs\u002Fv3\u002F6.concepts\u002F07.policies",{"title":121,"path":122,"stem":123},"Challenges","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fchallenges","1.docs\u002Fv3\u002F6.concepts\u002F08.challenges",{"title":125,"path":126,"stem":127},"Concurrency","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fconcurrency","1.docs\u002Fv3\u002F6.concepts\u002F09.concurrency",{"title":129,"path":130,"stem":131},"Impossible travel","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fimpossible-travel","1.docs\u002Fv3\u002F6.concepts\u002F10.impossible-travel",{"title":133,"path":134,"stem":135},"Bots","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fbots","1.docs\u002Fv3\u002F6.concepts\u002F11.bots",{"title":137,"path":138,"stem":139},"Devices","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fdevices","1.docs\u002Fv3\u002F6.concepts\u002F12.devices",{"title":141,"path":142,"stem":143},"Fingerprints","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffingerprints","1.docs\u002Fv3\u002F6.concepts\u002F13.fingerprints",{"title":145,"path":146,"stem":147},"People","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fpeople","1.docs\u002Fv3\u002F6.concepts\u002F14.people",{"title":149,"path":150,"stem":151},"Lists","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists","1.docs\u002Fv3\u002F6.concepts\u002F15.lists",{"title":153,"path":154,"stem":155},"Account takeover","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-takeover","1.docs\u002Fv3\u002F6.concepts\u002F16.account-takeover",{"title":157,"path":158,"stem":159},"Account sharing","\u002Fdocs\u002Fv3\u002Fconcepts\u002Faccount-sharing","1.docs\u002Fv3\u002F6.concepts\u002F17.account-sharing",{"title":161,"path":162,"stem":163},"Fake account","\u002Fdocs\u002Fv3\u002Fconcepts\u002Ffake-account","1.docs\u002Fv3\u002F6.concepts\u002F18.fake-account",{"title":165,"path":166,"stem":167},"Scraping","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fscraping","1.docs\u002Fv3\u002F6.concepts\u002F19.scraping",{"title":169,"path":170,"stem":171},"Linked accounts","\u002Fdocs\u002Fv3\u002Fconcepts\u002Flinked-accounts","1.docs\u002Fv3\u002F6.concepts\u002F20.linked-accounts",{"title":173,"path":174,"stem":175},"New IP","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fip","1.docs\u002Fv3\u002F6.concepts\u002F21.ip",{"title":177,"path":178,"stem":179},"Anonymizing network","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fanonymizing-network","1.docs\u002Fv3\u002F6.concepts\u002F22.anonymizing-network",{"title":181,"path":182,"stem":183},"Email quality","\u002Fdocs\u002Fv3\u002Fconcepts\u002Femail","1.docs\u002Fv3\u002F6.concepts\u002F23.email",{"title":185,"path":186,"stem":187},"Velocity","\u002Fdocs\u002Fv3\u002Fconcepts\u002Fvelocity","1.docs\u002Fv3\u002F6.concepts\u002F24.velocity",false,{"title":190,"path":191,"stem":192,"children":193,"page":188},"Advanced","\u002Fdocs\u002Fv3\u002Fadvanced","1.docs\u002Fv3\u002F7.Advanced",[194],{"title":195,"path":196,"stem":197},"Proxy setup","\u002Fdocs\u002Fv3\u002Fadvanced\u002Fproxy-setup","1.docs\u002Fv3\u002F7.Advanced\u002F1.Proxy-setup",{"id":199,"title":80,"body":200,"description":210,"extension":376,"meta":377,"navigation":378,"path":81,"rawbody":379,"seo":380,"stem":82,"__hash__":381},"docsv3\u002F1.docs\u002Fv3\u002F5.guides\u002F5.Card testing prevention.md",{"type":201,"value":202,"toc":369},"minimark",[203,207,211,216,234,238,248,329,332,343,347],[204,205,80],"h1",{"id":206},"card-testing-prevention",[208,209,210],"p",{},"Card testing is a bot running stolen card numbers through your checkout in rapid small charges to find which ones approve.",[212,213,215],"h2",{"id":214},"step-1-evaluate-the-payment-action","Step 1: Evaluate the payment action",[208,217,218,219,223,224,226,227,229,230,233],{},"Card testing happens at the charge, so protect the ",[220,221,222],"code",{},"payment"," action. ",[220,225,222],{}," is a custom action: you evaluate it like any other, you just name it ",[220,228,222],{},". Evaluate it when the user submits a charge and confirm the verdict on your server before you run the payment. If you haven't wired Rupt yet, start with the ",[231,232,14],"a",{"href":15},".",[212,235,237],{"id":236},"step-2-add-the-policies","Step 2: Add the policies",[208,239,240,241,247],{},"A policy has a trigger (the event it runs on) and a verdict. Add these in your ",[231,242,246],{"href":243,"rel":244},"https:\u002F\u002Fapp.rupt.dev\u002Fpolicies",[245],"nofollow","policies dashboard",":",[249,250,251,270],"table",{},[252,253,254],"thead",{},[255,256,257,261,264,267],"tr",{},[258,259,260],"th",{},"Policy",[258,262,263],{},"Trigger",[258,265,266],{},"Conditions",[258,268,269],{},"Verdict",[271,272,273,303],"tbody",{},[255,274,275,279,283,300],{},[276,277,278],"td",{},"Verify a risky checkout",[276,280,281],{},[220,282,222],{},[276,284,285,288,289,292,293,296,297,299],{},[220,286,287],{},"is_new_ip",", ",[220,290,291],{},"is_new_fingerprint",", or ",[220,294,295],{},"event_count"," of ",[220,298,222],{}," over the last 10 min above 5",[276,301,302],{},"Challenge",[255,304,305,308,312,326],{},[276,306,307],{},"Block card testing",[276,309,310],{},[220,311,222],{},[276,313,314,288,317,320,321,296,323,325],{},[220,315,316],{},"is_simulator",[220,318,319],{},"is_emulator",", a headless browser, the card on your card block list, or ",[220,322,295],{},[220,324,222],{}," over the last 10 min above 10",[276,327,328],{},"Deny",[208,330,331],{},"Protect the real cardholder while stopping the tester. An unfamiliar IP or device might just be your customer on a new phone, so verify them with a challenge before the charge goes through. A simulator, emulator, headless browser, or a card you've already flagged has no business at checkout, so deny it. Card testing also gives itself away by pace: a handful of attempts in ten minutes earns a challenge, a flood gets blocked.",[208,333,334,335,338,339,342],{},"When you catch a tester, add the card to your card block list (a ",[231,336,337],{"href":150},"list"," of type ",[220,340,341],{},"card",") so the next attempt with it is denied on sight.",[212,344,346],{"id":345},"related","Related",[348,349,350,359,364],"ul",{},[351,352,353,355,356,358],"li",{},[231,354,185],{"href":186},": the ",[220,357,295],{}," spike behind the rate checks.",[351,360,361,363],{},[231,362,177],{"href":178},": the IP and device checks behind this policy.",[351,365,366,368],{},[231,367,149],{"href":150},": the card block list.",{"title":370,"searchDepth":371,"depth":371,"links":372},"",2,[373,374,375],{"id":214,"depth":371,"text":215},{"id":236,"depth":371,"text":237},{"id":345,"depth":371,"text":346},"md",{},true,"---\ntitle: Card testing prevention\n---\n\n# Card testing prevention\n\nCard testing is a bot running stolen card numbers through your checkout in rapid small charges to find which ones approve.\n\n## Step 1: Evaluate the payment action\n\nCard testing happens at the charge, so protect the `payment` action. `payment` is a custom action: you evaluate it like any other, you just name it `payment`. Evaluate it when the user submits a charge and confirm the verdict on your server before you run the payment. If you haven't wired Rupt yet, start with the [Quick start](\u002Fdocs\u002Fv3\u002Fquick-start).\n\n## Step 2: Add the policies\n\nA policy has a trigger (the event it runs on) and a verdict. Add these in your [policies dashboard](https:\u002F\u002Fapp.rupt.dev\u002Fpolicies):\n\n| Policy                  | Trigger   | Conditions                                                                                               | Verdict   |\n| ----------------------- | --------- | -------------------------------------------------------------------------------------------------------- | --------- |\n| Verify a risky checkout | `payment` | `is_new_ip`, `is_new_fingerprint`, or `event_count` of `payment` over the last 10 min above 5            | Challenge |\n| Block card testing      | `payment` | `is_simulator`, `is_emulator`, a headless browser, the card on your card block list, or `event_count` of `payment` over the last 10 min above 10 | Deny      |\n\nProtect the real cardholder while stopping the tester. An unfamiliar IP or device might just be your customer on a new phone, so verify them with a challenge before the charge goes through. A simulator, emulator, headless browser, or a card you've already flagged has no business at checkout, so deny it. Card testing also gives itself away by pace: a handful of attempts in ten minutes earns a challenge, a flood gets blocked.\n\nWhen you catch a tester, add the card to your card block list (a [list](\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists) of type `card`) so the next attempt with it is denied on sight.\n\n## Related\n\n- [Velocity](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fvelocity): the `event_count` spike behind the rate checks.\n- [Anonymizing network](\u002Fdocs\u002Fv3\u002Fconcepts\u002Fanonymizing-network): the IP and device checks behind this policy.\n- [Lists](\u002Fdocs\u002Fv3\u002Fconcepts\u002Flists): the card block list.\n",{"title":80,"description":210},"3oPiKFfk2SNaFCB46SV4k-Wlz1BhImD04fbcrNbYu0Q",1780344893208]