A new Fraud Prevention measure has been built in for all payment pages containing credit card forms (checkout rentals and "Ae" payment pages) in order to mitigate "Carding" attacks:
Carding is when a fraud source uses your website's credit card input form to test thousands of stolen credit card numbers. Although typically not aimed at damaging your site itself, these attacks can cause your payment processor to lock your account, make the form page difficult or impossible for legitimate customers to use, and create invalid card transactions for which your processor may charge you a fee.
- "Throttling" performs a "velocity check" whenever a customer account submits a credit card form. When the number of submissions within a time frame exceeds the maximum allowed (such as 3 per minute), the account is blocked from submitting again, and the length of the block escalates with each further attempt.
- The customer ID and/or email address of the account is what identifies who is performing the submissions.
This configuration applies to ALL credit card forms, and there is additional protection for the AeRntFinalize page specifically.
- All credit card forms: these Configuration - Settings affect every page with a credit card form:
- Edition.CardProcessing.Throttling.Delay : Defaults to 60 (seconds). This is the time window over which submissions from a given customer are counted; Throttling.Limit is checked against the submissions made within this many seconds.
- Edition.CardProcessing.Throttling.Limit : Defaults to 3 (submissions). This is the number of submissions made by a customer account within the time frame defined by Throttling.Delay that triggers throttling.
- AeRntFinalize page: these Configuration - Settings affect the AeRntFinalize page:
- Edition.Rentals.Throttling.Delay : Defaults to 60 (seconds). This is the time window over which submissions from a given customer are counted; Throttling.Limit is checked against the submissions made within this many seconds.
- Edition.Rentals.Throttling.Limit : Defaults to 1 (submission). This is the number of submissions made by a customer account within the time frame defined by Throttling.Delay that triggers throttling. On the AeRntFinalize page, we throttle attempts to rapidly submit a new rental contract from the same account. The throttling here is different from the general throttling above, see Example 2 below.
- Example 1 (general credit card throttling): John (email@example.com) attempts to process four credit cards on the AeApgFinalize page within 20 seconds. Because Edition.CardProcessing.Throttling.Limit is "3" and Edition.CardProcessing.Throttling.Delay is "60", he gets throttled and starts receiving a notification warning him that he needs to wait before making new payments. John keeps trying to place new payments, and his throttling time extends longer and longer (+60 seconds each time he tries). He cannot enter new credit cards until his throttling time runs out.
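As an added illustration (not the platform's own code), the velocity check and escalating block described above, written in Python so the behaviour in Example 1 can be replayed; the class name, the in-memory store, the case-folding of the email key and the window restart after a block lifts are assumptions made here:

```python
from collections import defaultdict, deque


class CardFormThrottle:
    """Velocity check keyed on a customer account (customer ID and/or email)."""

    def __init__(self, delay_seconds=60, limit=3):
        self.delay = delay_seconds          # Throttling.Delay: size of the counting window
        self.limit = limit                  # Throttling.Limit: submissions allowed per window
        self._submits = defaultdict(deque)  # key -> timestamps of recent submissions
        self._blocked_until = {}            # key -> time at which the throttle lifts

    @staticmethod
    def account_key(customer_id=None, email=None):
        # Key on customer ID and/or email; the email is case-folded so that
        # "A@B.com" and "a@b.com" count as one account (an assumption here).
        return (customer_id, (email or "").strip().lower())

    def check(self, key, now):
        """Record one attempt at time `now` (seconds); return (allowed, wait_seconds).
        An attempt made while throttled extends the block by another Delay (escalation);
        once the block lifts, the counting window restarts (assumption)."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                self._blocked_until[key] = until + self.delay   # escalate
                return False, self._blocked_until[key] - now
            del self._blocked_until[key]
            self._submits[key].clear()
        window = self._submits[key]
        while window and now - window[0] >= self.delay:
            window.popleft()                # drop submissions outside the window
        window.append(now)
        if len(window) > self.limit:        # more than Limit submissions in Delay seconds
            self._blocked_until[key] = now + self.delay
            return False, self.delay
        return True, 0


def simulate(delay, limit, attempt_times, key=("cust-1", "email@example.com")):
    """Replay submission times for one account and return each check() result."""
    throttle = CardFormThrottle(delay, limit)
    return [throttle.check(key, t) for t in attempt_times]


if __name__ == "__main__":
    # Example 1 from the page: four cards within 20 seconds, Limit 3, Delay 60
    for t, r in zip([0, 5, 10, 15, 20, 30], simulate(60, 3, [0, 5, 10, 15, 20, 30])):
        print(f"t={t:>3}s allowed={r[0]} wait={r[1]}s")
```

With Limit 3 the fourth card inside the window is refused for 60 seconds, and each retry while blocked adds another 60 seconds; with the rental setting of Limit 1 a second contract submission inside the window is refused.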
NOTES and UPDATES:
- Based on "real-world" testing, we recommend a default setting of 4 for the throttling limits (Edition.CardProcessing.Throttling.Limit and Edition.Rentals.Throttling.Limit). Please check your Configuration - Settings and update appropriately.
- For stores performing "rental events", you may want to raise the throttling limits temporarily to avoid unintentional throttling caused by rental page activity above normal daily levels. We recommend a value of 10 for the Edition.Rentals.Throttling.Limit setting. Once the event is over, we highly recommend resetting the value to 4, which provides a higher security level for daily activity levels. Don't forget to click Refresh Store after making settings changes!
- For emergency use only: If your store witnesses unintentional throttling for a client (such as during a rental event) that causes loss of rental page functionality in general, raise the limit per the Note above, click Refresh Store, then perform the following:
- Configuration - Run SQL - enter the following and SUBMIT:
TRUNCATE TABLE THROTTLING
This will stop current throttling events.