Credit Card Slamming

A major new problem for ecommerce websites is called credit card slamming. Credit card slamming is the practice of foreign scammers hitting multiple times with different credit cards in an attempt to find credit cards that are active. Why am I writing a post on credit card slamming? A friend of mine recently had his website hit with a credit card slamming scam that racked up tons of transaction charges and charged lots of credit card scam victims thousands of dollars. Most of that money will probably be refunded, but my friend is still stuck holding the bag for transaction fees and the client who owned the website may leave him.

I run a website selling truck and car gauges that operates using zen-cart ecommerce software and uses (as well as PayPal and Google Checkout) for payments. After I heard about what happened to my friend who got scammed by the credit card slammers, I decided to take proactive action. I use the most up-to-date version of zen-cart and am operating with extra security measures. After doing some research I found additional methods for protecting your website from credit card slamming scams:

  • Block all IP traffic from outside of your primary sales regions. You don’t really want to be shipping goods to South America or Africa anyways do you? This method is helpful at protecting yourself from criminals, but there are still ways for them to get around those blocks.
  • Another method for protecting your zen-cart website from credit card slamming is to use this helpful piece of code from Damon Parker:

“The code snippet below can be used in modules/checkout_process.php to automatically log a user out after a set number (6 in the below snippet) of payment attempts.

// damonp add auto logoff after 6 attempts
if(! isset($_SESSION[‘payment_attempt’])) $_SESSION[‘payment_attempt’] = 0;
$_SESSION[‘payment_attempt’]++;if($_SESSION[‘payment_attempt’] > 6) { // change 6 to change how many attempts to allow before logout
// log attempt or email report
// the following information is useful
// “Host:\t\t”.$_SESSION[‘customers_host_address’].
// “\nCustomer:\t”.$_SESSION[‘customer_id’].
// “\nTotal:\t\t”.$_SESSION[‘cart’]->total,
// destroy session to log customer out
// redirect to timeout page or create new page to redirect to
zen_redirect(zen_href_link(FILENAME_TIME_OUT, , ‘SSL’));

Place in between this code near the top of the file:

// if the customer is not logged on, redirect them to the time out page
if (!$_SESSION[‘customer_id’]) {

// load selected payment module
require(DIR_WS_CLASSES . ‘payment.php’);
$payment_modules = new payment($_SESSION[‘payment’]);
// load the selected shipping module
require(DIR_WS_CLASSES . ‘shipping.php’);

I found six attempts to work well on the sites I implemented on. You do not want to adversely impact normal users but you do want to make it harder on abusers so that they just go away.”

Credit card slamming appears to be a pretty annoying new scam. I would like to hear if anyone else in the zen-cart or communities has found a solution for credit card slamming… any ideas?

Published by

Joel Gross

Joel Gross is the CEO of Coalition Technologies.

2 thoughts on “Credit Card Slamming”

  1. Interesting-

    Does simply require a credit card numbers to authorize transactions? Can an ecommerce site require a Vcode or similar physical, back up verification number? And if so, why don’t they?

  2. Yes, they do require a verification code from the back of a credit card, but hackers can still hammer servers enough to get even these. I require it on

Comments are closed.