Pierre Fabre USA Ends Carding Fraud & Prevents Scraping With DataDome
Pierre Fabre is the second largest dermo-cosmetic laboratory in the world, and the second largest private French pharmaceutical group. In the US, the group operates multiple e-commerce websites for its popular skin care and hair care brands. Carding attacks on the checkout pages were degrading the website performance, distracting the technical partner’s engineering team, and upsetting development schedules. DataDome now protects Pierre Fabre USA’s e-commerce websites from all types of bot-driven fraud, ensuring optimum site performance and enabling the development company to focus on new feature development.
The Problem: Carding Attacks Degrade Website Performance & Upset Development Schedules
Carding can be a particularly aggravating type of online fraud. No matter how safe you keep your own customer data, cybercriminals will bombard your payment interface with bots to test the validity of card data stolen elsewhere. For e-commerce businesses like Pierre Fabre’s skin care and hair care brands, carding attacks can cause all sorts of problems.
“Whenever a payment fails on a checkout page, we receive an email from the payment gateway,” explains Muhammad Nasir, Digital Project Manager at Crescentic Digital, the Adobe Commerce (Magento) specialist who developed and maintains Pierre Fabre USA’s e-commerce websites. “So, when we were hit with a major carding attack, we could receive more than 10,000 emails in a single day.”
The fraudulent orders were usually easy enough to spot. There would be fishy patterns to the transactions, with many orders in a row for the same product, or near-identical email addresses separated only by a single digit. Nonetheless, dealing with the consequences of attacks that had already happened was frustrating and time-consuming for the Crescentic Digital team.
“The additional server load from the bot traffic was slowing down the website or even crashing it for real customers, degrading the user experience and causing lost sales,” Nasir observes. “And we never knew when it was going to hit us. Sometimes, we had to deal with attacks in the middle of the night, and it took so much time that our development sprints went off track.”
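The order patterns described above (many orders in a row for the same product, and email addresses that differ only by a digit) can be checked mechanically in an order export. The following is an added example, not code from Pierre Fabre, Crescentic Digital or DataDome; the order tuple layout, the sample data and the thresholds are assumptions, and the email check is generalized to any run of digits in the local part.

```python
import re
from collections import defaultdict
from itertools import groupby

# Constructed sample data (not from the page): (minutes since midnight, email, SKU).
ORDERS = [
    (1, "alice@example.com", "SHAMPOO-01"),
    (2, "jsmith1@example.com", "SERUM-07"),
    (2, "jsmith2@example.com", "SERUM-07"),
    (3, "jsmith3@example.com", "SERUM-07"),
    (3, "jsmith4@example.com", "SERUM-07"),
    (4, "bob@example.com", "CREAM-02"),
    (9, "carol22@example.com", "SERUM-07"),
]

def email_key(email):
    """Collapse digit runs in the local part so jsmith1/jsmith2 share one key."""
    local, _, domain = email.lower().partition("@")
    return re.sub(r"\d+", "#", local) + "@" + domain

def email_clusters(orders, min_size=3):
    """Return {key: sorted addresses} for keys shared by >= min_size distinct addresses."""
    groups = defaultdict(set)
    for _, email, _ in orders:
        groups[email_key(email)].add(email.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

def sku_runs(orders, min_run=4):
    """Return (sku, run_length) for each run of >= min_run consecutive orders of one SKU."""
    ordered = sorted(orders, key=lambda o: o[0])  # stable sort keeps arrival order on ties
    runs = []
    for sku, grp in groupby(ordered, key=lambda o: o[2]):
        n = len(list(grp))
        if n >= min_run:
            runs.append((sku, n))
    return runs

if __name__ == "__main__":
    print("email clusters:", email_clusters(ORDERS))
    print("same-SKU runs:", sku_runs(ORDERS))
```

A single customer whose address happens to contain digits (carol22 in the sample) is not flagged, because a cluster needs several distinct addresses sharing one key.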
The Solution: DataDome Blocks Malicious Requests Before They Hit Servers & Payment Gateways
For a while, Nasir and his team attempted various measures to mitigate the carding attacks.
“Many attackers were placing orders for a single product, so disabling that product would stop them—until they came back for another,” he says. “We also implemented CAPTCHAs and defined different Fastly rules, such as blocking users who were shopping too fast to be human, but it didn’t really work.”
To efficiently prevent carding attacks, it is key to have a security system that stops bots before they can initiate an exchange with the payment gateway. That’s precisely what DataDome does: the solution checks every request for browser fingerprints, IP reputation, mouse behavior, HTTP headers, and many other variables, and stops bots before they even reach the customer’s servers.
“We evaluated a few options, but some providers were not very responsive and wouldn’t commit to completely controlling the carding attacks,” says Nasir. “So we decided to test DataDome, which was easy to integrate with Adobe Commerce, and which fit our budget. The free trial period convinced us that it was the right solution for us.”
The Results: Optimized Website Performance, Serenity Restored
For the last two years, DataDome has protected Pierre Fabre USA’s e-commerce websites from carding attacks, web scraping, and all other types of bot-driven fraud.
“We’re in good hands. The carding attacks are under control, and now that our infrastructure is serving only human traffic, our website performance and response times are great,” Nasir says.
The team also appreciates the intuitive dashboard, and how easy it is to customize the protection for specific use cases. For example, to see how the DataDome detection performs, they can monitor the CAPTCHA pass rate as an indication of false positives (most of the time, it’s below 0.005%). They also work with multiple third parties, and can easily use the custom rules function to allow their partners to access specific data, such as the product catalog.
Perhaps most importantly, midnight on-call incidents and panicked attack mitigation are things of the past.
“We’re in such a better position now,” Nasir confirms. “DataDome allows us to focus on our development tasks, rather than worrying about attacks.”