Skip ahead to the quick setup checklist →
Protect your WooCommerce store from card testing attacks, carding bots, and fraudulent transactions when using Clover for WooCommerce as your payment gateway.
Understanding Card Testing Attacks
Card testing (also called “carding”) is when fraudsters use automated bots to validate stolen credit card numbers on your checkout page. They typically:
- Run thousands of small transactions ($0.50–$5.00) to test which cards are valid
- Use valid cards to make larger fraudulent purchases elsewhere
- Generate significant gateway fees and potential Visa/Mastercard penalties for your business
The impact is real: Merchants have reported 12,000+ failed carding attempts in a short period, resulting in substantial Clover fees and card network penalties. This can be prevented, however.
Step 1: Enable reCAPTCHA in Clover Dashboard
reCAPTCHA is your most important protection against automated bot attacks. Clover’s iframe payment form (used by Clover for WooCommerce) supports reCAPTCHA natively—you just need to enable it in your Clover Dashboard.
How to Enable reCAPTCHA
- Log in to your Clover Merchant Dashboard
- From the left navigation menu, click Account & Setup
- In the Ecommerce section, click Ecommerce API Tokens
- Scroll down to find the reCAPTCHA Settings section
- Check the box labeled “Use reCAPTCHA for all transactions made through iFrame embedded page”
- Click Save (or Back to Account & Setup)
Once enabled in the Clover Dashboard, Google reCAPTCHA will automatically protect your checkout.
What reCAPTCHA Does
reCAPTCHA analyzes user behavior to determine if the visitor is human or a bot. Most legitimate customers will pass the check invisibly. Suspicious visitors may be asked to complete a challenge (like identifying images) before proceeding.
Step 2: Configure AVS Settings in the Plugin
The Clover for WooCommerce plugin includes settings that control what information is collected at checkout for Address Verification System (AVS) checks.
Plugin AVS Settings
Go to WooCommerce → Settings → Payments → Clover Credit Card and scroll to the bottom to find:
- Address Verification Service (AVS): “Show the Street Address payment field” — When enabled, customers must enter their billing street address, which Clover verifies against the card issuer’s records.
- AVS Card Holder Name Present: “Show the Card Holder Name payment field” — When enabled, customers must enter the cardholder name exactly as it appears on the card.
Recommendation: Enable both settings to collect maximum information for fraud verification.
Configure AVS Rules in Clover Dashboard
After enabling the fields in the plugin, configure how Clover handles AVS mismatches:
- In your Clover Merchant Dashboard, go to Account & Setup
- In the Ecommerce section, click Fraud Tools
- Next to Address Verification System (AVS), click Edit
- Configure your settings:
- Postal code verification: We recommend enabling this to decline transactions where the postal code doesn’t match
- Street address verification: Optional—note that formatting differences can cause false positives
- Click Save
What AVS Does
When a customer enters their billing address, Clover sends it to the card issuer for verification. The issuer responds with a match/no-match result. Based on your Fraud Tools settings, Clover can automatically decline transactions with mismatched addresses.
AVS Limitations
- AVS is primarily effective for US, Canadian, and UK cards
- Many international cards don’t support AVS
- Formatting differences (e.g., “123 Main St” vs “123 Main Street”) can cause false mismatches on street address checks
Step 3: Enable CVV Verification
CVV (Card Verification Value) is the 3 or 4 digit security code on the card. The Clover for WooCommerce plugin always collects CVV—this is required for all transactions.
Configure CVV Rules in Clover Dashboard
- In Account & Setup → Ecommerce → Fraud Tools
- Next to Card Verification Value (CVV), click Edit
- Enable CVV checking and configure to decline transactions with invalid CVV
- Click Save
What CVV Verification Does
The CVV is not stored on the magnetic stripe or in most databases, so stolen card numbers often don’t include valid CVVs. Requiring CVV and declining invalid attempts blocks many fraudulent transactions.
Step 4: Configure Transaction Limits
Clover’s fraud tools include transaction limit controls that restrict how many transactions can be attempted from the same IP address or card within a time period.
How to Check for Transaction Controls
- In Account & Setup → Ecommerce → Fraud Tools
- Look for any additional sections beyond AVS and CVV
- If transaction controls are available, configure limits such as:
- Maximum transactions per card per day
- Maximum transactions per IP address
Note: The availability of transaction limit controls may vary by merchant account and region. If you don’t see these options, contact Clover support to ask about enabling them.
Step 5: Monitor Your Transactions
Fraud prevention isn’t set-and-forget. Regular monitoring helps you catch attacks early and refine your settings.
What to Monitor
- Declined transaction rate: A sudden spike may indicate an attack in progress
- Failed CVV/AVS rate: High failure rates suggest card testing
- Orders from new email addresses: Fraudsters rarely use established email accounts
- Multiple orders to the same address: May indicate a “drop” address for reshipping fraud
Where to Monitor
- Clover Dashboard: Review transaction history and declined transactions
- WooCommerce Orders: Look for patterns in order notes and customer details
- HTTP 402 errors: In your server logs, these indicate CVV decline errors
- HTTP 429 errors: May indicate you’re hitting rate limits due to high volume attacks
Alternative CAPTCHA: Cloudflare Turnstile
If you prefer Cloudflare Turnstile over Google reCAPTCHA (privacy-first, no puzzles for customers), you can use it instead of Clover’s built-in reCAPTCHA.
Important: Choose one CAPTCHA solution, not both. Running Clover’s reCAPTCHA alongside Turnstile creates two verification challenges during checkout, adding unnecessary friction for customers.
Option A: CheckoutWC (Recommended)
CheckoutWC includes native Cloudflare Turnstile integration that’s fully tested with Apple Pay, Google Pay, and PayPal Express. Available on Pro and Agency plans.
- Get free Turnstile keys from Cloudflare Dashboard
- In WordPress, go to CheckoutWC → Settings → Integrations
- Enter your Site Key and Secret Key
- Enable Turnstile on Checkout, Order Pay, Login, and Registration
- Disable Clover’s reCAPTCHA in the Clover Dashboard (Account & Setup → Ecommerce API Tokens) to avoid double-verification
See: CheckoutWC Turnstile documentation
Option B: Simple Cloudflare Turnstile Plugin
Free plugin for default WooCommerce checkout: wordpress.org/plugins/simple-cloudflare-turnstile
Additional WooCommerce Protections
These settings in WooCommerce can provide additional protection:
Minimum Order Value
Fraudsters often test cards with small amounts. Setting a minimum order value (e.g., $5) can deter card testing. See our minimum order amount snippet with no plugin required.
Shipping Restrictions
Only ship to countries you actually serve. Configure in WooCommerce → Settings → General → Selling location(s).
Anti-Fraud Plugins
- WooCommerce Anti-Fraud – Scores orders based on risk factors and can auto-hold suspicious orders
- FraudLabs Pro – Free tier available with fraud scoring and validation
What About 3D Secure (3DS)?
3D Secure adds cardholder verification (like a one-time PIN sent by the bank) and shifts fraud liability to the card issuer.
Current status: 3D Secure is not currently supported in the Clover for WooCommerce plugin.
If you need 3DS: We’re tracking customer interest. Please contact support to let us know—your feedback helps us prioritize this feature.
Before Requesting 3DS, Consider the Costs
Per-transaction fees:
- $0.04 per transaction with Ravelin
- $0.06 per transaction with CardinalCommerce
- These fees are in addition to your regular Clover transaction fees
Setup requirements:
- Your Clover reseller or merchant acquiring bank must be approved for 3DS
- Enable 3DS in Clover Dashboard (Account & Setup → Ecommerce → Fraud Tools → 3D Secure 2.0 Authentication)
- Select your provider (CardinalCommerce or Ravelin)
- Configure which card networks require authentication
- Optionally set a transaction threshold amount
When 3DS makes sense:
- High-ticket items where liability shift is valuable
- Merchants experiencing sophisticated fraud that bypasses CAPTCHA and other tools
For most card testing attacks, Clover’s reCAPTCHA + AVS + CVV provide excellent protection without the additional per-transaction costs.
Quick Setup Checklist
In WooCommerce (Plugin Settings):
- Go to WooCommerce → Settings → Payments → Clover Credit Card
- Enable Address Verification Service (AVS) — Show the Street Address payment field
- Enable AVS Card Holder Name Present — Show the Card Holder Name payment field
In Clover Dashboard:
- Enable reCAPTCHA (Account & Setup → Ecommerce API Tokens) — OR use Cloudflare Turnstile instead, not both
- Configure AVS rules (Account & Setup → Ecommerce → Fraud Tools → Address Verification System)
- Configure CVV rules (Account & Setup → Ecommerce → Fraud Tools → Card Verification Value)
- Check for transaction limits (Fraud Tools, if available)
Additional measures:
- Set minimum order value ($5 or higher) in WooCommerce using a plugin
- Monitor regularly for unusual patterns in declined transactions
Need Help?
If you’re experiencing a fraud attack or need help configuring these settings, contact us:
- Clover for WooCommerce support: support@kestrelwp.com
Related Resources
- Clover: Protect Ecommerce Merchants from Card Testing Fraud – Official Clover documentation
- Clover for WooCommerce Documentation – Full plugin documentation
- Stop Carding Attacks on Your WooCommerce Store (Without Hurting Conversions) – Comprehensive guide including Cloudflare WAF rules
- Stop WooCommerce Spam Orders with Cloudflare Turnstile – Detailed Turnstile setup guide
- How to Setup Cloudflare Turnstile on WooCommerce Checkout – CheckoutWC Turnstile documentation