Our Top 10 Tips to Stop Credit Card Testing Attacks

February 21, 2023 | 12 min read


In a Nutshell

Have you noticed an unusual spike in your decline rates lately? It could be a sign that card testers are targeting your business. If so, what can you do? This article will explain what card testing is, why it happens, and how it’s affecting you. We’ll also include our top 10 tips to avoid the situation in the first place.

What is a Card Testing Scam? What are Some Key Best Practices to Stop These Attacks?

As the digital landscape expands and online shopping becomes the new norm, the opportunities for fraudsters grow as well.

Credit card testing is just one of many clever ways to defraud cardholders and merchants. It’s a very subtle attack with a small impact per incident. However, when conducted at scale, card testing becomes a big problem.

How does card testing work, though? How is it impacting eCommerce in general, and merchants in particular? Crucially, what are the signs that can tip you off and help stop these attacks? Let’s find out.

What is Credit Card Testing?

Card Testing

[noun]/kärd • test • iNG/

Card testing, also known as “card cracking,” is a type of credit card fraud that involves testing the validity of a credit card to determine if it's a valid, active card. This is done by charging a small amount to the card. If the charge goes through, the fraudster knows that the card is active and can then use it for larger purchases.

Card testing is often an incremental process. Because the transaction is so small, it can be easy to write off as a minor concern. However, these little experiments in fraud can add up pretty quickly.

Card testing has gained a lot of popularity with fraudsters in recent years. This is because it’s extremely subtle, to the point of being undetectable. It can also provide an opportunity for fraudsters to identify the best candidates for long-term theft.

All things considered, it’s no wonder that card testing surpassed phishing and identity theft to become the most common fraud attack globally in 2021.

Why Do Fraudsters Engage in Card Testing?

The popularity of card testing has a lot to do with the increased availability of credit card numbers. It’s also due to advancements in technology, improved security measures, and increased use of online transactions. 

Credit card testing is a method that fraudsters use to minimize their risk of detection and maximize their potential profits. This is because, when a fraudster uses a stolen credit card number for a large purchase, there is a higher risk of detection. Merchants may notice suspicious activity and block the user, which would prevent the fraudster from making further purchases.


By testing the validity of a credit card through small purchases, the fraudster can determine if the card is active and not yet canceled. This helps to minimize the risk of detection and increase the chances of successfully using the card for larger purchases.

Some fraudsters may test multiple cards at once. When one has access to a large volume of credit card numbers (such as after a data breach), they can use credit card testing to validate the cards and identify which ones are active and valid. This allows them to focus on using the active cards for larger purchases, maximizing their potential profits.

How Does Card Testing Work?

Card testers typically use automated scripts or bots to test hundreds of credit card numbers at once.

The process starts with the fraudster obtaining a large volume of credit card numbers. This can be done first-hand through a data breach or a phishing scam, or they can be purchased on the dark web from other hackers.

The fraudster will then make several small purchases or charges on the card, often for amounts less than $1. The purpose of these small transactions is to determine if the card is active and has not yet been canceled or flagged as stolen.

If the small charges go through, the fraudster knows that the credit card number is active and valid. They can then use this information to make larger purchases. 

Some card testers may opt to resell individual credit card numbers on the dark web. Numbers that have been verified and are active can sell for a much higher price point. In some cases, the fraudsters may even use the information to create counterfeit credit cards and use them for in-person purchases.

Negative Impacts of Card Testing

Between February and August 2022, payment processor Stripe tracked a wave of card fraud incidents in which bad actors inundated merchants with millions of small-dollar, or even zero-dollar transactions. At the peak of this activity, the company blocked more than 20 million card testing attempts per day.

As the situation continues to get worse, the negative effects of card testing fraud will reverberate more and more through eCommerce. Merchants, in particular, suffer the majority of the repercussions.

Although this list is far from exhaustive, here are a few major concerns merchants have about card testing:

Increased Chargeback Rates

Card testing inevitably leads to spikes in disputes and chargeback requests from cardholders. Naturally, this translates to a high chargeback threshold for merchants, which is never a good thing.

Higher Decline Rates

Card testing can cause more order declines and false negatives. A high decline rate damages the reputation of your business with card issuers and card networks, which makes all of your transactions appear riskier.

Higher Processing Fees

If your business has a high number of declines and reports of fraud, you could be labeled a high-risk merchant, which carries higher fees. It could even cost you your merchant account, depending on the scale of the problem.

Increased Fraud Risks

Fraudsters often communicate and compare notes with each other. If several successful card tests go through on your watch, you could be facing many more incoming.

Higher Overall Costs

You should factor in increased costs like dispute fees, interchange fees, labor hours, and resolution fees. Card testing can cause increases in all of these ancillary costs.

Infrastructure Strain

Card testing, like any other form of card-not-present fraud, can place a lot of strain on your resources, particularly when solutions fail because they’re not focused on the right threats.

Damage to Reputation

No merchant wants to be known as a business that lets fraudsters attack its customers. If you gain an association with fraud due to card testing, it could scare away legitimate buyers.

Industry Damage

Every act of fraud has an impact on eCommerce, from how much goods cost to general item availability and material shortages. No one is spared in this equation; end prices for consumers get pushed up.

You can never fully, 100% reliably stop fraudsters from inserting themselves into your payment processes. That said, how you respond to these attacks — how hard you work to stop them — can have a positive impact on your reputation. 

Common Question: What are banks doing to fight card testing?

Stripe rolled out a new tool last year aimed at tackling card testing. However, it's only for Stripe merchants.

On a broader scale, there’s not a lot being done currently. A key part of the problem is that, because the immediate financial impact of card testing is so small, there’s not as much institutional pressure to act.


How Will I Know if I’ve Been Targeted?

There’s a good chance that your business has already been the victim of card testing scams in the past. Either way, you want to make sure you’re doing everything you can to keep it from happening. The key is knowing what to look for. 

There are several signs which may indicate that card testers have targeted your business, including:

Increased Declines

A sudden spike in declined transactions can indicate that bots are attempting to use stolen or invalid card information at your business.

Multiple Small Transactions

If you notice a bunch of small transactions coming from the same card or IP address, it could be a sign that someone is testing the card.

Transaction Velocity

Watch for customers making an unusual number of transactions in a short amount of time, using multiple different cards. This may indicate that the customer is attempting to test multiple cards at once.

Mismatched Card Credentials

Don’t accept payments with addresses that don’t match up to historical data or that display other suspicious behaviors, for example when the billing address for the card does not match the customer's location.
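The first three signs above can be checked mechanically against an authorization log. The following is an added example, not code from the original article: the log format, the thresholds and the signal names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, card token, amount (USD), outcome.
SAMPLE_LOG = """\
2023-02-21T10:00:01 203.0.113.7 card_01 0.50 declined
2023-02-21T10:00:03 203.0.113.7 card_02 0.50 declined
2023-02-21T10:00:05 203.0.113.7 card_03 0.50 approved
2023-02-21T10:00:08 203.0.113.7 card_04 0.50 declined
2023-02-21T10:00:10 203.0.113.7 card_05 0.50 declined
2023-02-21T10:02:00 198.51.100.20 card_77 42.10 approved
2023-02-21T10:03:30 192.0.2.44 card_90 18.00 declined
2023-02-21T10:04:10 192.0.2.44 card_90 18.00 approved
2023-02-21T10:40:00 198.51.100.20 card_77 12.99 approved
"""

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=5)
MAX_CARDS = 3            # distinct cards per IP per window
MAX_SMALL = 4            # sub-$1 attempts per IP per window
SMALL_AMOUNT = 1.00      # the article notes test charges are often under $1
MIN_ATTEMPTS = 4         # do not judge the decline rate on fewer attempts
MAX_DECLINE_RATE = 0.5

def find_card_testing(log_text):
    """Return {ip: set of triggered signals}; expects time-ordered lines."""
    recent = defaultdict(deque)   # ip -> attempts inside the window
    flagged = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts_raw, ip, card, amount, outcome = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = recent[ip]
        q.append((card, float(amount), outcome, ts))
        while ts - q[0][3] > WINDOW:      # drop attempts older than the window
            q.popleft()
        cards = {c for c, _, _, _ in q}
        small = sum(1 for _, a, _, _ in q if a < SMALL_AMOUNT)
        declines = sum(1 for _, _, o, _ in q if o == "declined")
        if len(cards) > MAX_CARDS:
            flagged[ip].add("many_cards")
        if small > MAX_SMALL:
            flagged[ip].add("many_small")
        if len(q) >= MIN_ATTEMPTS and declines / len(q) > MAX_DECLINE_RATE:
            flagged[ip].add("decline_spike")
    return dict(flagged)

if __name__ == "__main__":
    for ip, signals in find_card_testing(SAMPLE_LOG).items():
        print(ip, sorted(signals))
```

The customer who retries one card once and the repeat buyer 38 minutes apart are not flagged; only the address cycling through five cards in ten seconds is.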

If you suspect that card testers have targeted your business, it's important to take steps to protect your business's financial security. This may include reporting the incident to the card issuer and law enforcement, as well as reviewing and updating your business's security and fraud prevention procedures.

10 Tips to Stop Credit Card Testing Fraud Attacks

Our best advice is to monitor absolutely everything.

Most businesses use some type of CRM (Customer Relationship Manager). If your business isn’t currently using a CRM, now may be the time to make the investment.

A CRM can help you reveal payment discrepancies, better communicate with customers, and manage and monitor social media accounts. And, for our purposes, it can help you keep track of metrics and analytics that can identify card testers posing as customers. CRM data should pair seamlessly with your payment gateway and also integrate with anti-fraud measures.

Of course, investing in or upgrading your CRM is just one idea. Here are 10 additional steps you can take to fight card testing fraud today:

Step #1 | Implement the Right Fraud Tools

Setup may be a time-consuming process, but ultimately worth it. Card testers will struggle to overcome safety measures like AVS, CVV matching, velocity checking, and IP monitoring if they’re all in place as part of a coordinated, multilayer strategy.

Pro Tip:

Integrate all or as many of these systems with your CRM as possible, and never authorize transactions that do not meet pre-required criteria.

Step #2 | Use a VPN

Ensure that your payment gateway and CRM data are accessed only through a VPN, or Virtual Private Network. As we’ve alluded to, basic firewall protections cannot stop every hacker. The security of your — and your client’s — accounts could be compromised.

Pro Tip:

If you offer WiFi for your customers, DO NOT take payments or access sensitive CRM data on the same network!

Step #3 | Enable SSO

SSO (Single Sign-On) can centralize password data under a secured framework, which will make it that much more difficult to compromise. This applies to you and your customers; SSO can help you safeguard your computers and terminals as well.

Pro Tip:

Google’s CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a great addition to your SSO arsenal. Card testers often run automated scripts that CAPTCHA can block.

Step #4 | Designate Officers

Choose managers to “gatekeep” certain access points that could lead to data breaches. Also, make sure all employees log in to the system securely to operate within it and comply with PCI standards.

Pro Tip:

Not everyone in your organization needs access to every portal. Make sure your crucial details are only accessible by accredited individuals.

Step #5 | Set Rate Limits

Flagging specific transactions based on the dollar value can be quite effective at stopping card testing. If you’re experiencing a specific, recurring amount associated with card testing, set your limits to exclude them.

Pro Tip:

Limit the number of IP addresses that can be used to create new accounts in a single day.

Step #6 | Limit Checkout Attempts

Remember, card testing often utilizes brute force tactics, such as trying many cards at once in the hope that one will prove fruitful. Limiting the number of transaction attempts can dramatically decrease these attacks.

Pro Tip:

You should also limit the number of times a cardholder can attempt to run a single card during checkout.
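Steps #5 and #6 can be enforced in one place, before a payment is sent for authorization. The sketch below is an added example, not code from the original article: the class name, the limits and the idea of keying on a processor-issued card token (rather than the card number) are assumptions.

```python
import time
from collections import defaultdict, deque


class CheckoutLimiter:
    """Sliding-window limits checked before a charge reaches the processor."""

    def __init__(self, window=600, max_per_ip=5, max_per_card=3,
                 blocked_amounts=()):
        self.window = window                # seconds
        self.max_per_ip = max_per_ip        # Step #6: attempts per IP address
        self.max_per_card = max_per_card    # Step #6 tip: attempts per card
        self.blocked_amounts = set(blocked_amounts)  # Step #5: amounts in cents
        self._by_ip = defaultdict(deque)
        self._by_card = defaultdict(deque)

    def _count(self, q, now):
        # Expire timestamps that have left the window, then count the rest.
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def check(self, ip, card_token, amount_cents, now=None):
        """Return (allowed, reason). Only allowed attempts are recorded."""
        now = time.time() if now is None else now
        if amount_cents in self.blocked_amounts:
            return False, "blocked_amount"
        ip_q, card_q = self._by_ip[ip], self._by_card[card_token]
        if self._count(ip_q, now) >= self.max_per_ip:
            return False, "ip_attempt_limit"
        if self._count(card_q, now) >= self.max_per_card:
            return False, "card_attempt_limit"
        ip_q.append(now)
        card_q.append(now)
        return True, "ok"


if __name__ == "__main__":
    limiter = CheckoutLimiter(blocked_amounts={50})  # 50 cents seen in an attack
    print(limiter.check("203.0.113.7", "tok_demo", 50))
    print(limiter.check("198.51.100.20", "tok_demo", 1999))
```

State is held in memory here; a deployment with more than one checkout server would need a shared store for the counters.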

Step #7 | Block Cross-Border Transactions

Unfortunately, a majority of card testers and botnet companies are located and operated outside of the US. While becoming a global retailer is a fantastic goal for merchants, you should be extremely cautious of international IP addresses. 

Pro Tip:

Try segmenting orders based on IP address. Orders from countries or regions known to have elevated fraud levels can be subjected to additional screening.

Step #8 | Encourage Customer Sign Up at Checkout

While guest checkout can speed up the payment process, it can also leave you vulnerable to fraud. Encouraging users to register before checkout will deter many fraudsters from targeting you. 

Pro Tip:

Encourage — even incentivize — your buyers to create an account, but don’t mandate it. This is one of the leading drivers of shopping cart abandonment.

Step #9 | Set a Botnet Firewall

If you don’t already use a firewall on your website, stop reading this and go install one right now. Firewalls and various anti-fraud services generally include botnet prevention tools, which can deter card testing attacks.

Pro Tip:

Most card testing attacks are performed by bots on a large scale. Having a firewall in place can alleviate a lot of risk.

Step #10 | Deploy Third-Party Fraud Monitoring

If you lack the bandwidth or staff to effectively monitor and manage fraud prevention, many reputable third-party companies exist to help. Professional services utilize expert industry knowledge to detect, isolate, and help you recover from fraud attacks. 

Pro Tip:

Many services combine fraud detection with chargeback prevention methods, which can protect your business from threats while you focus on increasing your revenue.

Get More Help With Card Testing Fraud

We certainly understand that this is a lot for anyone to take in. Of course, that’s no excuse to be complacent.

Fraud of any stripe can be a costly challenge for your business, and card testing is perhaps one of the most insidious. It can wreak tons of havoc within your organization and cause many problems that can leave lasting, painful scars. Chargebacks, for instance, are just one factor in the equation.

Now that you are familiar with the problem and the various ways in which you might combat card testing fraud… are you ready to fight back? Continue below and learn how today.
