Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

Everything you need to know about card testing fraud

Have you ever wondered what happens to credit card data when it is stolen? Before thieves can do anything, they must verify that the cards are usable and haven’t been deactivated. That’s what card testing is for. Find out how it works, how it can harm your business, and why it’s not just cardholders who are harmed by it.

Everything you need to know about card testing fraud

What is card testing fraud?

Card testing is a type of fraud in which the fraudster(s) tests the validity of stolen credit card information. They do this by attempting to make small purchases or donations and watching to see if the transaction is accepted.

Attackers who conduct card tests use stolen card information obtained through various cyberattacks, purchased on the dark web, or stolen by previously deployed spyware. This allows them to check whether the cards are still active and if any funds are left on them.

If the transaction is successful, the card hasn’t been deactivated yet. In addition, if the card remains active after the test, the cardholder is unlikely to notice other fraudulent activities. Fraudsters can use these valid card numbers to make larger purchases or resell them on the dark web.

How does card testing work?

Two primary card testing methods are popular among fraudsters. Let’s take a look at them.


Card authorization is the first step that initiates a card transaction. It’s a process in which the payment processor sends an inquiry to the card issuer to determine whether the card is valid and has the funds needed to cover the transaction.

In a card testing fraud, scammers can use this process to weed out invalid cards. They use online payment gateways to make small transactions and look for confirmation that the transfer is indeed possible.

This is the more subtle of the two methods. It shows up late on bank statements, and cardholders are often unsuspecting of pending small transactions.


The second card testing attack method is the payment method. It’s very straightforward: The fraudster tries to make a small online purchase and waits for a payment confirmation. If the payment is successful, the card is still active, has funds, and can be further used.

Card testers typically make small payments because cardholders are less likely to notice them. A large transaction may be spotted and cause the cardholder to contact their bank and block the card.

What is card testing used for?

Cardholders can easily deactivate their credit and debit cards once they learn they have been the victim of phishing, malware, or other kinds of cyberattacks. Fraudsters use card testing attacks to separate these deactivated cards from those that can still be used.

After the attackers dispose of the worthless cards, they are left with those that can later be used for various purposes, including:

  • Attempting other types of card fraud, e.g., account takeover.
  • Buying cryptocurrencies.
  • Buying gift cards.
  • Buying prepaid cards.
  • Buying goods and services online.

Card testers can also simply resell verified card information on the dark web. Stolen cards that have been confirmed to be valid are more valuable to other fraudsters.

How do you know if your business has been hit by card testing fraud?

If you run an online store, nonprofit organization, or other type of business with an online payment system, you may experience card testing. This type of attack harms cardholders who are victims of theft as well as businesses.

Card testing attempts increase the decline rate, and a high decline rate damages a company’s reputation. A high number of declined transactions is a sign of risky or illegal activity, which can cause other organizations to stop working with you.

If you fall victim to card testing, you’ll also experience disputes because cardholders who notice strange activity on their accounts will report it. Disputes are costly as well as time-consuming.

The most telling sign of a card testing attack is a sudden spike in payment authorization requests and transaction declines. If you notice that many customers are suddenly making unsuccessful transactions, especially low-value ones, it is most likely card testers.

How to protect your business from card testing

Card testing fraud attacks can cause you to lose money, time, and morale and serve as a way for fraudsters to figure out that your business may be vulnerable to other types of attacks. It’s worth stopping card testers before they cause a real problem.

Here’s what you can do to prevent card testing fraud:

Establish transaction monitoring and control

Monitoring is crucial for any attack because it lets you know something is wrong. Effective monitoring can help you quickly detect card testing attempts. Look out for high payment traffic, large numbers of failed authorization attempts, and repeated transactions with the same customer attributes.

Use device fingerprinting

Device fingerprinting is a method of assigning a unique identifier to a device that attempts to communicate with a website. It can be used to detect devices previously associated with fraudulent activities. Such devices can then be blocked from accessing the site.

Integrate anti-bot tools into your payment system

Since manual card checking can be tedious, card testers often use botnets – malware-controlled devices – to test stolen cards more efficiently. Securing your site with bad bots in mind can complicate fraudsters’ attempts.

Monitor customer IP addresses

Monitoring customer IP addresses can alert you to suspicious activity. For example, a spike in unsuccessful transactions from outside the country might indicate fraud. It’s also a good idea to set up your payment gateway to limit transactions from the same IP address made within a short period.