Card Testing Fraud: What It Is and How to Protect Your Business
If you’ve ever received a flurry of declined transaction notifications in quick succession — often for the same amount, often late at night — your business may have been the target of card testing fraud. It’s one of the most common forms of payment fraud targeting merchants today, and it can fly under the radar until real damage has been done.
What Is Card Testing Fraud?
Card testing (also called card cracking or BIN attacks) is when a fraudster obtains a batch of stolen credit card numbers — usually purchased on the dark web — and needs to verify which ones are still active before using them for larger purchases.
Rather than risk drawing attention with a big transaction, they run a series of small or exact-amount charges through a merchant’s payment page. Each attempt tells them something: a decline means the card is dead or flagged; an approval means they’ve found a live card worth exploiting.
Your business’s payment form is just a tool to them. They don’t want your product. They want confirmation.
What Does It Look Like in Practice?
Card testing attacks often share a recognizable pattern:
- Multiple transactions in a short window — sometimes dozens within minutes
- Identical or suspiciously round amounts (e.g., $1.00, $9.99, $9,999.00)
- No cardholder name, billing address, or CVV provided
- Sequential or similar card numbers, suggesting a single stolen batch
- Manual entry type rather than a saved card or wallet
- Transactions outside normal business hours
- Decline messages like “too many card numbers attempted” from your payment gateway
The fraudster may be a human operator, but increasingly these attacks are fully automated using bots that can run hundreds of attempts in minutes.
Why Should Merchants Care If the Cards Are Declined?
It’s easy to assume that declined transactions mean no harm done. That’s a costly misconception. Even failed attempts create real problems for your business:
Transaction fees. Many payment processors charge a fee per transaction attempt, approved or not. A bot running 500 tests through your payment page can rack up fees fast.
Chargebacks. If any cards do go through, the legitimate cardholders will eventually notice and dispute the charge — leaving you on the hook for chargeback fees and potential fraud penalties.
Processor scrutiny. Payment processors monitor fraud ratios. Too many suspicious transactions — even declined ones — can trigger account reviews, holds, or termination of your merchant account.
Reputational risk. If customers’ cards are tested through your platform and the breach becomes public, the trust damage can far outlast the financial hit.
Red Flags to Watch For
Beyond the transaction patterns above, keep an eye on these warning signs:
- Your payment gateway sends a message like “cardholder has tried too many card numbers”
- You see a spike in traffic to your payment or checkout page with no corresponding sales
- Transactions are coming from a single IP address or a narrow range of addresses
- AVS (Address Verification System) and CVV fields are consistently blank or mismatched
- Orders have no associated customer account, email, or identifiable information
How to Protect Your Business
No single measure eliminates card testing risk entirely, but layering defenses makes your payment page a much harder target.
Enable CAPTCHA on your payment form. This is one of the most effective deterrents against automated bot attacks. Even a basic CAPTCHA forces human interaction and dramatically slows testing attempts.
Require CVV and AVS verification. Stolen card data often lacks the CVV or correct billing address. Requiring both and declining mismatches cuts off a large percentage of testing attempts at the gate.
Set velocity limits. Configure your payment gateway to flag or block multiple failed attempts from the same IP address, device, or card BIN within a short time window. Most modern gateways support this natively.
Use fraud scoring tools. Services like Stripe Radar, Kount, or your gateway’s built-in fraud detection can assign risk scores to transactions and automatically block suspicious patterns before they reach your processor.
Monitor your transaction logs. Regularly review declined transaction reports. A sudden spike in declines — especially with identical amounts or missing cardholder data — warrants immediate investigation.
Implement rate limiting on your checkout page. Work with your developer to limit how many payment attempts can be made from a single IP or session within a given time period.
Keep your gateway and plugins up to date. Outdated payment integrations can have known vulnerabilities. If you’re using a CMS like WooCommerce or Magento, ensure your payment plugins are current.
What to Do If You’ve Been Targeted
If you recognize the signs of a card testing attack:
- Contact your payment processor immediately. They can flag the suspicious activity, help you analyze the scope, and advise on gateway-level controls.
- Block the offending IP addresses at your firewall or through your gateway’s fraud tools.
- Review your fraud settings and tighten velocity rules and verification requirements.
- Check for any successful transactions in the same window and treat them as potentially fraudulent.
- Document everything — transaction IDs, timestamps, IP addresses — in case you need to file a report or dispute chargebacks later.
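The velocity rule and log review described above, together with the check for approvals in the same window, can be sketched over an exported transaction log. This is an added example, not code from the original article or from any gateway; the record fields, the 10-minute window, the threshold of 5 declines and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed window; tune to your normal traffic
MAX_DECLINES = 5                # assumed limit of declines per IP or BIN per window

def make_tx(time, ip, card_bin, amount, status):
    return {"time": datetime.fromisoformat(time), "ip": ip, "bin": card_bin,
            "amount": amount, "status": status}

# Constructed sample log (documentation IP ranges, test BINs), not real data:
# a burst of eight $1.00 declines from one IP, then unrelated traffic.
SAMPLE = [make_tx(f"2024-01-01T02:{m:02d}:00", "203.0.113.7", "411111", 1.00, "declined")
          for m in range(8)]
SAMPLE += [
    make_tx("2024-01-01T02:08:00", "203.0.113.7", "411111", 1.00, "approved"),
    make_tx("2024-01-01T02:05:00", "198.51.100.20", "555555", 42.50, "approved"),
    make_tx("2024-01-01T14:00:00", "198.51.100.21", "411111", 19.99, "declined"),
]

def find_velocity_alerts(transactions, window=WINDOW, max_declines=MAX_DECLINES):
    """Map each (kind, value) key that exceeds the decline limit to its first alert time."""
    recent = defaultdict(deque)  # key -> decline timestamps still inside the window
    alerts = {}
    for t in sorted(transactions, key=lambda r: r["time"]):
        if t["status"] != "declined":
            continue
        for key in (("ip", t["ip"]), ("bin", t["bin"])):
            q = recent[key]
            q.append(t["time"])
            while t["time"] - q[0] > window:  # drop declines older than the window
                q.popleft()
            if len(q) > max_declines and key not in alerts:
                alerts[key] = t["time"]
    return alerts

def suspect_approvals(transactions, alerts, window=WINDOW):
    """Approved charges that share a flagged IP or BIN within `window` of its alert."""
    def flagged(t):
        keys = (("ip", t["ip"]), ("bin", t["bin"]))
        return any(k in alerts and abs(t["time"] - alerts[k]) <= window for k in keys)
    return [t for t in transactions if t["status"] == "approved" and flagged(t)]

if __name__ == "__main__":
    found = find_velocity_alerts(SAMPLE)
    print(found, suspect_approvals(SAMPLE, found))
```

Approvals returned by the second function are the ones to review first with your processor, since they came from the same source as the burst of declines.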
The Bigger Picture
Card testing fraud isn’t a sign that your business did something wrong. Fraudsters look for any accessible payment form — small businesses and large enterprises alike are targets. What matters is how quickly you recognize the pattern and how well your defenses are configured to stop it.
A few hours of setup on your payment page today can save you from significant fees, chargebacks, and headaches down the road. Treat your checkout form like the front door it is — and make sure it has a decent lock.
If you’re a merchant who has experienced suspicious transaction activity, reach out to your payment processor’s fraud team. Most have dedicated support for exactly these situations.