Carding module email
Last updated: Aug 15th, 5:51am
When you add noreply@paypal.com to your address book or whitelist, PayPal's carding module sends you account status updates and notifications.
Example email
The Payflow Carding Prevention feature is noticing many credit card declines on your account: login id and due to this activity, we have suspended the ability for you to process new transactions under this account.
You should now be seeing your transactions being rejected with a Result Code of 170 and a Response message explaining the possible issue. Example: RESULT=170&RESPMSG=Fraudulent activity detected: Carding.
Once you have taken steps to prevent high-velocity attacks on your website, you can log into PayPal Manager to remove the block; however, before you do please review the Special Considerations below:
- Log in to PayPal Manager at https://manager.paypal.com.
- Click on Account Administration.
- Under Manage Security, click on Carding Prevention.
- Under Carding Prevention Status, select Not Blocked.
Within a few minutes, transactions will begin to be processed as normal.
Important Note: If you do not take the appropriate action to prevent high-velocity attacks (carding), your account will be blocked again.
For more information, please see https://www.paypal.com/us/smarthelp/article/ts2243.
Special Consideration:
If your account is using an application that is not subject to carding, such as card-present (in-person) transactions, or batch type processing, then the likelihood of this service being triggered is remote.
However, if your business model generates a high number of valid declines or invalid transactions within a brief period, you have the option to Whitelist, which means you take full financial responsibility for your account and exempt it from future blocking. However, there are still certain instances where individual transactions could be blocked.
By using the instructions above, you can whitelist your account by selecting Whitelist instead of Not Blocked, but you will need to agree to the following terms: no future credits will be issued to your account for any type of fraudulent transaction, and you risk the possibility of your acquirer canceling your account.
Please review the best business practices below to secure your account to help deter the future suspension of your transaction processing.
Best Business Practices:
Payflow gives you the ability to secure your account and your transactions. Make sure your account is protected by utilizing the tools available and following best practices. Here are a few easy things you can do to prevent unauthorized access to your account and reduce the risk of fraudulent activity:
Manage who has access to your account.
Never share login name and password.
Periodically change passwords based on your internal controls. PayPal recommends changing your password every 30 days. For Payflow Pro merchants, this also includes your API password.
Change your password immediately if there is any indication your account credentials have been compromised. For Payflow Pro Merchants, you may need to update your website with the new password if you use the same password to login to Manager.
Set up separate users on your account and set the roles to give the additional users access to specific functions to perform their job.
Limit the number of users with Administrative permissions to your account. Members of the Admin group have complete control over your account and can perform all transactions via an API.
Create a separate user (with the appropriate permission) for your transaction processing and API credentials. This can be used to provide limited access to a 3rd party solution that may require API credentials for your account. For example, if you do not need to perform credits via your website, create a Payflow user with the role of API_LIMITED_TRANSACTIONS.
Keep your users' contact information up-to-date and suspend or make Inactive any accounts no longer in use.
Set up IP restrictions for Manager access and transaction processing. Prior to setting up IP restrictions, check to make sure you do not have an internal IP behind a proxy/router and that your hosting company does not use dynamic IP addresses. If you use a static IP or range of IPs, consider the following:
- Setting up IP restrictions so that only your IP/IP range can access Manager.
- Setting up IP restrictions so that only your IP/IP range can send transactions to Payflow.
- Set your Transaction Security Settings to restrict high-risk transaction types if you do not need them for your business model, such as:
  - Do not allow non-reference credit transactions; prevent credit transactions to credit cards that were never charged originally.
  - Do not allow credits to exceed the original transaction amount.
  - Limit the dollar amount of credits by setting a maximum allowed amount for credit transactions.
Consider additional account protections such as:
- Implementing a rate-limiting solution on your website, such as a CAPTCHA; for example, Google reCAPTCHA. The CAPTCHA code should be implemented on the page that sends the credit card data for processing to prevent takeover of the page.
- Make sure CVV2 (CSC) is always a required field.
- Actively manage your Payflow account by logging in and reviewing activity on a regular basis to verify that the number and types of transactions are in line with your normal business volume.
- Encrypt your login and transaction credentials on your web server or within your application.
- Create velocity checks to monitor the number of transactions you receive by minute, hour, etc. and the IP addresses of your customers. There are third-party companies, such as Cloudflare, that provide this type of service; alternatively, discuss this option with your hosting company.
- Use a Web Application Firewall (WAF) like that provided by Imperva and implement filters to help with BOT takeovers. For example, Magento users can implement a WAF rule using the following, which will prevent BOTs from overriding the Magento cart flow and accessing the Payflow checkout page directly:
  Referer not-contains "/checkout/"
  and URL contains "/paypal/transparent/requestSecureToken/"
- Send more information about the cardholder to help PayPal make decisions around the probability of fraud. Items such as the full billing and shipping address (including name) and the customer's (browser) IP address should be required and sent in your request, as they are especially important data points for reducing false positives.
- Utilize our Payflow Fraud Protection Services to ensure velocity checks are in place for your processing along with many other filters to help assist in preventing fraud.
- Ensure your network is secure by performing regular network scans on your own servers, or scans that include your web host if you use a 3rd party hosting company.
- Verify the servers your Payflow credentials reside on are up to date with all security patches and have proper firewalls and procedures in place to monitor activity on your server.
- Review logs for any suspicious activity or modifications.
- Keep your website or application up to date with the vendor's patches and review their site on occasion for any important announcements regarding vulnerabilities.
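As an added illustration of the velocity checks recommended above (example code, not PayPal's own), the script below parses Payflow name-value responses such as RESULT=170&RESPMSG=Fraudulent activity detected: Carding., counts declines per customer IP inside a sliding window, and flags a source before the gateway's own carding module suspends the account. The log format, the thresholds and the IP addresses are constructed for the example.

```python
"""Decline-velocity check over Payflow responses (added example, not PayPal code).
Constructed log line format: "timestamp|client_ip|raw Payflow response".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: one burst of declines from a single IP, then the
# account-level RESULT=170 block the carding email describes.
SAMPLE_LOG = """\
2024-01-01T10:00:00|203.0.113.5|RESULT=0&RESPMSG=Approved&AUTHCODE=010101
2024-01-01T10:00:02|198.51.100.7|RESULT=12&RESPMSG=Declined
2024-01-01T10:00:03|198.51.100.7|RESULT=12&RESPMSG=Declined
2024-01-01T10:00:05|198.51.100.7|RESULT=23&RESPMSG=Invalid account number
2024-01-01T10:00:07|198.51.100.7|RESULT=12&RESPMSG=Declined
2024-01-01T10:00:09|198.51.100.7|RESULT=12&RESPMSG=Declined
2024-01-01T10:00:40|203.0.113.5|RESULT=170&RESPMSG=Fraudulent activity detected: Carding.
"""

CARDING_BLOCKED = 170  # result code quoted in the carding-prevention email


def parse_response(raw):
    """Split a Payflow '&'-separated name=value response; RESULT becomes an int."""
    fields = {}
    for pair in raw.split("&"):
        name, _, value = pair.partition("=")
        fields[name] = value
    fields["RESULT"] = int(fields.get("RESULT", -1))
    return fields


def scan_log(text, window=timedelta(seconds=60), max_declines=3):
    """Return ({ip: timestamp when first flagged}, account_blocked).

    An IP is flagged once more than max_declines non-approved responses fall
    inside the sliding window (thresholds are assumed values for the example).
    A RESULT=170 anywhere means the account itself was suspended by PayPal.
    """
    recent = defaultdict(deque)
    flagged, blocked = {}, False
    for line in text.splitlines():
        ts_text, ip, raw = line.split("|", 2)
        ts = datetime.fromisoformat(ts_text)
        resp = parse_response(raw)
        if resp["RESULT"] == CARDING_BLOCKED:
            blocked = True
            continue
        if resp["RESULT"] == 0:
            continue  # approved transactions do not count toward velocity
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop declines that fell out of the window
        if len(q) > max_declines and ip not in flagged:
            flagged[ip] = ts_text
    return flagged, blocked
```

The flagged IPs are the candidates for a firewall or rate-limit rule; a true `blocked` result means processing is already suspended and the PayPal Manager steps above apply.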
Magento customers: If you are using a Magento solution, please review this support bulletin: https://docs.magento.com/user-guide/payment/paypal-payflow-pro.html.
Any CAPTCHA should be placed on the actual payments page, not the checkout page, as the hackers can bypass the checkout page and go directly to the payments page, "/paypal/transparent/requestSecureToken/".
If you are unable to make the required changes above, then review the information in the additional account protections section above regarding a Web Application Firewall by Imperva. This has proven to stop the BOTs from attacking within the Magento cart.
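The Referer rule quoted in the WAF bullet above, written as application-side middleware for sites that cannot deploy a WAF (added example; not Magento's or PayPal's code, and the WSGI wrapper is an assumed integration point). Because the Referer header is set by the client, this gate only stops bots that skip the cart flow; CAPTCHA on the payment page and velocity limits remain necessary.

```python
"""Referer gate for the Payflow secure-token endpoint (added example)."""

SECURE_TOKEN_PATH = "/paypal/transparent/requestSecureToken/"  # from the email
CHECKOUT_MARKER = "/checkout/"                                  # from the WAF rule


def should_block(path, headers):
    """Apply the rule: URL contains the secure-token path AND Referer does not
    contain "/checkout/". Header lookup is case-insensitive because proxies and
    frameworks disagree on capitalisation; a missing Referer counts as absent."""
    if SECURE_TOKEN_PATH not in path:
        return False  # the rule only targets the secure-token URL
    referer = ""
    for name, value in headers.items():
        if name.lower() == "referer":
            referer = value
            break
    return CHECKOUT_MARKER not in referer


def wsgi_guard(app):
    """Wrap a WSGI app (assumed deployment) so matching requests get 403
    before the application code, and the Payflow call behind it, ever runs."""
    def guarded(environ, start_response):
        headers = {"Referer": environ.get("HTTP_REFERER", "")}
        if should_block(environ.get("PATH_INFO", ""), headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"secure-token request outside checkout flow\n"]
        return app(environ, start_response)
    return guarded
```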
If you have any questions on utilizing any of the best practice measures described above, please contact us at payflow-support@paypal.com or 1-888-883-9770.