
Important - Targeted carding activity on merchants using Payflow Pro

lkrell
Adobe Team

The PayPal Payflow Pro integration in Magento is being actively targeted by carding activity, where attackers attempt hundreds of $0 transactions with stolen credit cards to check the card’s validity.

 

The activity currently targets versions of this Payflow Pro integration that were included in Magento 2.1.x and 2.2.x for Open Source and Commerce (on prem and cloud). Merchants on v2.3.x may also be vulnerable. The carding activity is inherent to the way Payflow Pro is integrated into shopping carts.

 


For the latest updates and information, see the Magento KB article "PayPal Payflow Pro active card fraud attacks".


 

Affected Magento merchants

 

The issue affects the following Magento versions (on prem and cloud):

 

  • Magento Open Source v2.1.x, 2.2.x
  • Magento Commerce v2.1.x, 2.2.x

 

Protect your store

Magento recommends working with partners, developers, and hosting providers to introduce protections that block IPs performing fraudulent requests, add DoS protection, and apply rate limiting on specific endpoints to help reduce the number of attack attempts.

 

Please work with your security teams and experts to determine which tools are recommended or appropriate for use, such as fail2ban, web application firewall (WAF) configuration, or integration with commercial anti-automation/bot detection packages.

 

Magento Commerce merchants are currently protected against repeated attacks through infrastructure updates, WAF rules, extensive network configurations, and additional monitoring. The Cloud teams are coordinating continuous monitoring and updates to actively handle new attacks. 
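
As an illustration of the rate limiting and IP blocking recommended above, the following added example (not part of the original advisory and not Magento or PayPal code) scans web server access log lines and reports client IPs that POST to a payment endpoint more often than a threshold within a sliding time window, the same count-within-a-window idea that tools such as fail2ban apply. The endpoint path, threshold, window, and log lines are assumptions constructed for the example; substitute the values that match your store.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: placeholder endpoint path, threshold and window; tune to real traffic.
PAYMENT_PATH = "/PAYMENT-ENDPOINT-PLACEHOLDER"
MAX_HITS = 5
WINDOW = timedelta(seconds=60)

# Common/combined access log format: ip - - [time] "METHOD path proto" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def find_offenders(lines, path=PAYMENT_PATH, max_hits=MAX_HITS, window=WINDOW):
    """Return {ip: peak count} for IPs with more than max_hits POSTs to path in window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # skip unparsable lines and non-POST requests
        if m["path"].split("?", 1)[0].rstrip("/") != path:
            continue              # only the payment endpoint is rate limited
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop requests that have aged out of the window
        if len(hits) > max_hits:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(hits))
    return offenders

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    req = f'"POST {PAYMENT_PATH} HTTP/1.1" 200 312'
    lines = []
    for i in range(8):   # 8 POSTs in 35 seconds: automated pattern
        lines.append(f'198.51.100.7 - - [01/Jan/2024:10:00:{i * 5:02d} +0000] {req}')
    for i in range(8):   # 8 POSTs, one per minute: stays under the threshold
        lines.append(f'192.0.2.9 - - [01/Jan/2024:10:{i:02d}:00 +0000] {req}')
    for i in range(2):   # a shopper retrying a declined card once
        lines.append(f'203.0.113.20 - - [01/Jan/2024:10:05:{i * 20:02d} +0000] {req}')
    lines.append('203.0.113.20 - - [01/Jan/2024:10:04:00 +0000] "GET /checkout HTTP/1.1" 200 9000')
    return lines

if __name__ == "__main__":
    for ip, count in find_offenders(sample_log()).items():
        print(f"{ip} exceeded {MAX_HITS} payment POSTs per window (peak {count})")
```

The reported IPs are candidates for a block list or WAF rule; a threshold set too low will also catch legitimate shoppers retrying a card.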

 

PayPal support and contacts

 

Please contact PayPal Payflow Merchant Support to learn more about Fraud Protection Services. You can ask the PayPal Support team to enable Basic Fraud Protection Services filters, which provide the tightest control possible over payments so that you can automatically deny payments that are likely to result in fraudulent transactions and accept payments that are not typically a problem. Please note that once you turn on PayPal Fraud Protection Services filters, transactions can take up to 2 hours to settle.

 


For additional information, see PayPal’s KB “Magento has contacted me about my Payflow Pro integration. What do I need to do?”.


 

PayPal Payflow Merchant Support Details

 

Payflow Merchant Support’s business hours are Monday through Friday from 7:00am-8:00pm CST. You can contact Payflow Merchant Support for account assistance by phone or email:

 

 

Australian Support

 

 

Additional information

 

PayPal and Magento are working closely to investigate and help resolve this situation and will provide further information when available. Please continue monitoring Magento and PayPal channels (Twitter, company blog posts, etc.) for updates.

1 Comment
lkrell
Adobe Team

Important Update and Package Update from Magento!

 

To help resolve these issues, we have provided new Composer packages to add Google reCAPTCHA or CAPTCHA to the Payflow Pro checkout form. We recommend installing these packages on all Magento 2 Open Source and Commerce (on prem and cloud) and Commerce Cloud for v2.1.x, 2.2.x, and 2.3.x.

 

We recommend this install even if you have Google reCAPTCHA and CAPTCHA already installed.

 

See the UPDATED Magento KB PayPal Payflow Pro active card fraud attacks for all information!

 

  • [RECOMMENDED] Composer package available to install Google reCAPTCHA + Payflow Pro checkout form updates
  • Composer package available to add Payflow Pro checkout form for CAPTCHA
  • Instructions to install for all editions and versions
  • Documentation links for configurations
  • Information on protecting your store