Foxy Forum Status

We're no longer responding to questions via our forum, but we will keep it up for historical reasons. If you can't find the answer you're looking for, please visit our knowledge base or contact us. If there's enough interest in the future, we may bring the forum back.

Paypal Payflow Carding Prevention

I just received and email from paypal about a new Carding prevention module (policy?) that will be starting soon.

I'm a little confused by this and it might not apply to my website. Just wanted to check to see if there is anything I need to do, or can change.

I don't receive very many declined transactions and 90% of them are actual customers that just entered information wrong.

Here is some of the email from Paypal,

"Sometime in late June; we’ll begin to monitor for a high-level of declines and invalid information such as expiration date or invalid Card Security Code (CSC) and if the number of declines exceeds the threshold set by PayPal, the carding module will be triggered.

Once the carding module is triggered, the following will occur:

1. An email will be sent to all ADMIN users on the account informing them of the attack. Please see reminder below.
2. The account will be blocked, and all transactions will be rejected.
3. A Result Code of 170, with the message of “Fraudulent activity detected: Carding”; RESULT=170, RESPMSG=Fraudulent activity detected: Carding, will be returned on ALL transactions while the account is being blocked."

  • brettbrett FoxyCart Team
    Hi @Only944

    If you could, please forward that email to, just so we can see it. On the one hand, it's good that PayPal's doing this, as we've seen some gateways that don't (and end up charging the merchants truly stupid amounts of money for auth fees). On the other, shutting down the account entirely seems harsh.

    Better news, though: We have some carding prevention functionality internally:
    If you're on Foxy v2.0 (and are using the default template), set the Google reCAPTCHA to "enabled automatically" for an additional layer of protection as well. (We've just improved that to better handle carding attempts from botnets where IP restrictions alone are insufficient.) If you aren't using the default template and you'd like for us to check to make sure your customizations haven't presented a problem for the reCAPTCHA functionality, drop us a note and we can check for you.

    With our first layer of defense, you should be fine.
Sign In or Register to comment.