How To Protect Your Checkout Page From Credit Card Testing Fraud (Using CloudFlare)

Credit card ‘testing’ fraud has become a major issue for store owners over the last couple of years. Its prevalence is rapidly increasing and it’s getting harder and harder to avoid being a victim.

But, if you’re using Cloudflare to protect and proxy your site traffic, you do have some real options to slow down these types of orders, maybe even eliminate them completely if you want to get really aggressive about them.

For this article we’ll assume you’re using WooCommerce but the concepts apply to any store where the checkout / cart url is distinct.

In the case of WooCommerce, the checkout/cart page is usually located at https://yourstoredomain.com/checkout.

With CloudFlare proxying your site traffic, it’s easy to control access to that page.

Here’s how you can do this:

  • Navigate to your domain in Cloudflare and click on the SECURITY menu option (on the left-hand side)
  • Click on the WAF option (underneath the SECURITY menu option)
  • On the right you should see a tab named RATE LIMITING RULES – click on it.
  • On the right you should see a blue button CREATE RATE LIMITING RULE – click it.

Fill out the resulting form similar to that shown below:

This rule blocks access to any URL on your site that contains the word “checkout” when the same IP address requests such a page more than twice within a 10-second period.

You can, of course, change it to once every 10 seconds if you want to get a bit more aggressive.

Paid Cloudflare Accounts

If you have a paid Cloudflare account for your domain, you have more flexibility in the rules: you can present a challenge instead of blocking the user outright.

This lets legitimate users through and keeps you from losing a valid order.

Here is what the rate limiting rule might look like then:

In this case you’re presenting a challenge if the same IP address requests the checkout page 10 times within a 1 minute period.

This is a better rule because a fraudster is more likely to load the checkout page 10 times within a 1 minute period than twice within a 10 second period, so it catches slower-paced testing without tripping on a normal shopper.
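To show the difference between the two rules concretely, here is an added Python example (not part of the original article and not Cloudflare's own code) that replays constructed checkout traffic through both. Each rule is modelled as a per-IP sliding window over requests whose URL contains "checkout", which approximates Cloudflare's per-period counting; the IPs, timings and action labels are constructed for the example.

```python
"""Replay constructed checkout traffic through the two rate-limiting rules
described above (added example; not the article's or Cloudflare's own code).
Each rule is a per-IP sliding window over requests whose URL contains
"checkout": it fires once the count in the window exceeds the configured
requests-per-period. This approximates how Cloudflare counts requests."""
from collections import defaultdict, deque

# Constructed sample traffic: (seconds since start, client IP, request path).
# The IPs come from RFC 5737 documentation ranges, not real clients.
REQUESTS = [
    # A real shopper: cart, checkout, then the order-received page 40 s later.
    (0, "203.0.113.10", "/cart"),
    (5, "203.0.113.10", "/checkout"),
    (45, "203.0.113.10", "/checkout/order-received/1234"),
    # A card-testing script paced at one checkout load every 5 seconds.
    *[(5 * i, "198.51.100.7", "/checkout") for i in range(12)],
]

# Rule name -> (requests per period, period in seconds, action label).
RULES = {
    "free-plan block": (2, 10, "block"),
    "pro-plan challenge": (10, 60, "managed_challenge"),
}


def evaluate_rule(requests, per_period, period, action):
    """Return {ip: action} for each IP whose checkout requests exceed
    `per_period` within any `period`-second window."""
    windows = defaultdict(deque)
    hits = {}
    for ts, ip, path in sorted(requests):
        if "checkout" not in path:       # mirrors: URI contains "checkout"
            continue
        window = windows[ip]
        window.append(ts)
        while ts - window[0] >= period:  # drop timestamps outside the window
            window.popleft()
        if len(window) > per_period:
            hits[ip] = action
    return hits


def compare_rules(requests=REQUESTS):
    """Evaluate every rule in RULES and return {rule name: {ip: action}}."""
    return {name: evaluate_rule(requests, *cfg) for name, cfg in RULES.items()}


if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name}: {hits or 'no IP exceeded the limit'}")
```

With this sample the 5-second pacing never exceeds two hits in any 10-second window, so the free-plan rule catches nothing, while the 10-per-minute rule challenges the script and leaves the shopper alone.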

So, if you can afford the $20.00 for a PRO Cloudflare account, you should definitely sign up to take advantage of this better rule.

Use Inventory Stock Even For Virtual & Downloadable Products

If you’re selling virtual products or downloadable products and have a small number of them, you can further protect yourself by using stock levels.

Many store platforms, including WooCommerce, have an option to prevent purchases of products that are out of stock.

So, if you set a stock level for all your services to, say, 10, then a fraudster can complete at most 10 orders before the product shows as out of stock and further purchases are refused.

Of course, this means you now have to keep updating the stock levels as you sell your virtual products.

If you have physical products with a lot of inventory, you can still set the stock level lower than what you physically have to achieve the same protection. Yes, it will be a complete PITA to manage, so only you can weigh that extra effort against the cost of refunds for a few hundred or a few thousand fraudulent orders.

This technique will not prevent bots or fraudsters from sending through checkout attempts – it just prevents you from having to refund fraudulent orders and pay the hefty fees that come with those refunds.

If your payment processor charges you for every order attempt instead of every successful order then you should consider changing processors. Otherwise, you’ll still be paying a lot for the unsuccessful attempts.

Turn On Your Processor Fraud Protection Features

If your payment processor has fraud protection features, you should dial it up higher. If it’s not turned on at all, well, you definitely want to turn it on right away – something is still better than nothing!

Protect Your Store Now

It is very important that you take these (or similar) steps to protect your store BEFORE you wake up one day and find 10,000 failed orders. Or worse, 1000 successful orders that are all fraudulent, leaving you with refund fees on all of them!

If you haven’t experienced this yet, it’s only a matter of time before you’re hit.
