On this page
No Headings
Last updated: May 27, 2026
When you add noreply@paypal.com to your address book or whitelist, PayPal's carding module sends you account status updates and notifications.
The Payflow Carding Prevention feature is noticing many credit card declines on your account: login id and due to this activity, we have suspended the ability for you to process new transactions under this account.
You should now be seeing your transactions being rejected with a Result Code of 170 and a Response message explaining the possible issue. Example: RESULT=170&RESPMSG=Fraudulent activity detected: Carding.
Once you have taken steps to prevent high-velocity attacks on your website, you can log into PayPal Manager to remove the block; however, before you do please review the Special Considerations below:
Within a few minutes, transactions will begin to be processed as normal.
Important Note: If you do not take the appropriate action to prevent high-velocity attacks (carding), your account will be blocked again.
For more information, please see https://www.paypal.com/us/smarthelp/article/ts2243.
Special Consideration:
If your account is using an application that is not subject to carding, such as card-present (in-person) transactions, or batch type processing, then the likelihood of this service being triggered is remote.
However, if your business model generates a high number of valid declines or invalid transactions within a brief period, you have the option to Whitelist; take full financial responsibility for your account from future blocking. However, there are still certain instances where individual transactions could be blocked.
By using the instructions above, you can whitelist your account by selecting Whitelist instead of Not Blocked but you will need to agree to the following terms and understand that no future credits will be issued to your account for any type of fraudulent transactions, and you risk the possibility of your acquirer canceling your account.
By opting out of the Payflow Carding Prevention Service for the account: [merchant login id] , I [full name] , understand and agree that I will be held fully responsible for all fees associated with any fraudulent activity on my account from either my bank or PayPal. In accordance with the Payflow Gateway Services Agreement, all fees are due immediately and are non-refundable.
Please review the best business practices below to secure your account to help deter the future suspension of your transaction processing.
Best Business Practices:
Payflow gives you the ability to secure your account and your transactions. Make sure your account is protected by utilizing the tools available and following best practices. Here are a few easy things you can do to prevent unauthorized access to your account and reduce the risk of fraudulent activity:
Manage who has access to your account.
Never share login name and password.
Periodically change passwords based on your internal controls. PayPal recommends changing your password every 30 days. For Payflow Pro merchants, this also includes your API password.
Change your password immediately if there is any indication your account credentials have been compromised. For Payflow Pro Merchants, you may need to update your website with the new password if you use the same password to login to Manager.
Set up separate users on your account and set the roles to give the additional users access to specific functions to perform their job.
Limit the number of users with Administrative permissions to your account. Members of the Admin group have complete control over your account and can perform all transactions via an API.
Create a separate user (with the appropriate permission) for your transaction processing and API credentials. This can be used to provide limited access to a 3rd party solution that may require API credentials for your account. For example, if you do not need to perform credits via your website, create a Payflow user with the role of API _ LIMITED _ TRANSACTIONS.
Keep your Users contact information up-to-date and suspend or make Inactive any accounts no longer in use.
Set up IP restrictions for Manager access and transaction processing. Prior to setting up IP restrictions check to make sure you do not have internal IP behind a proxy/router or that your hosting company does not use dynamic IP addresses. If you use a static IP or range of IPs, consider the following:
Consider additional account protections such as:
Referer not-contains "/checkout/" and URL contains "/paypal/transparent/requestSecureToken/".Magento customers: If you are using a Magento solution, please review this support bulletin: https://docs.magento.com/user-guide/payment/paypal-payflow-pro.html.
Any CAPTCHA should be placed on the actual payments page, not the checkout page, as the hackers can bypass the checkout page and go directly to the payments page, "/paypal/transparent/requestSecureToken/".
If you are unable to make the required changes above, then review the information in the additional account protections section above regarding a Web Application Firewall by Imperva. This has proven to stop the BOTs from attacking within the Magento cart.
If you have any questions on utilizing any of the best practice measures described above, please contact us at payflow-support@paypal.com or 1-888-883-9770.