What you need to know about card testing fraud


Imagine waking up to find your site bombarded by thousands of transactions. “Yippee!” you think. “My hard work is paying off.” But you look closer and see that all the purchases are small, and for some reason they don’t make sense. You realize they’re fraudulent.

At first, you aren’t sure it’s a big deal; the charges are small, after all. But then you start getting calls from customers about purchases they never made. When the calls have subsided, you start adding up all the chargebacks and authorization fees and realize that this month’s profits—and maybe even this year’s profits—are down the drain. Unfortunately, you are not alone. Businesses of all sizes continue to be the victims of card testing.

What is card testing?

Fraudsters use card testing to validate stolen credit card numbers they’ve bought on the dark web or obtained through phishing or spyware. Then, with the stolen numbers in hand, they attempt small purchases on an unsuspecting merchant’s site to see whether each card is still active and the charge is approved.1

This process reveals which cards have been canceled or deactivated—and which ones are still valid. Once the canceled or declined card numbers are weeded out, fraudsters move on to make larger purchases, or resell the validated information.

What role do botnets play?

Botnets (networks of compromised computers used to accelerate malicious processes) take card testing into new realms of destruction.2 Unlike manual testing—which is time consuming and labor intensive—fraudsters can program a botnet to run thousands of transactions at a time.

Botnets can rack up thousands of dollars in transaction fees in a matter of minutes, and the unsuspecting business is left holding the bill, not to mention suffering serious brand damage and a major tax on its time and resources.

Who’s at risk?

Card testing attacks often target small and medium businesses as well as organizations that accept donations or even tuition. Often these types of businesses and organizations lack the tools and technologies to protect themselves—making them easy prey.3

Businesses and organizations that don’t sell a physical good tend to be particularly vulnerable because they assume fraud isn’t a worry—the fraudsters know this and deliberately target them as a result. Take nonprofits, for example. Since many nonprofit donation pages collect little information from donors and fail to set minimum donation amounts, they provide an ideal environment for card testing.4

How can businesses and nonprofits protect themselves?

Fraudsters are relentless, and many of them are quite savvy. However, there are actions you can take to protect yourself.

  1. Be proactive. Look at your website and see where you might be vulnerable. What customer verification tools do you have in place now? Don’t ignore suspicious activity.
  2. Use a fraud mitigation tool. Authorize.Net has a built-in fraud tool. Advanced Fraud Detection Suite comes with 13 easily configurable fraud filters to help set proper minimum transaction thresholds, payment velocity settings, country limitations, and more to help prevent processing fraudulent transactions.
  3. Set up a simple firewall. Many firewalls come with basic tools for botnet detection, prevention, and removal.
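As an added illustration (not code from Authorize.Net or its Advanced Fraud Detection Suite), the Python below applies two of the filters the list describes, a minimum transaction amount and a per-source velocity limit, to a constructed log of authorization attempts; the thresholds, field layout and sample values are assumptions.

```python
# Added example: screen authorization attempts for a card-testing pattern
# (many small charges on many different cards from one source in a short time).
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIN_AMOUNT = 5.00                 # assumed minimum-transaction threshold
WINDOW = timedelta(minutes=5)     # assumed velocity window
MAX_AUTHS_PER_IP = 10             # assumed attempts allowed per IP in WINDOW
MAX_CARDS_PER_IP = 5              # assumed distinct cards allowed per IP in WINDOW

# Constructed sample log: (timestamp, source_ip, card_token, amount, result).
# One source cycles through six cards with $1.00 charges; a genuine shopper
# makes a single normal purchase from another address.
SAMPLE_LOG = [
    ("2024-03-01T10:00:01", "203.0.113.7", "tok_a1", 1.00, "declined"),
    ("2024-03-01T10:00:03", "203.0.113.7", "tok_a2", 1.00, "declined"),
    ("2024-03-01T10:00:05", "203.0.113.7", "tok_a3", 1.00, "approved"),
    ("2024-03-01T10:00:07", "203.0.113.7", "tok_a4", 1.00, "declined"),
    ("2024-03-01T10:00:09", "203.0.113.7", "tok_a5", 1.00, "declined"),
    ("2024-03-01T10:00:11", "203.0.113.7", "tok_a6", 1.00, "approved"),
    ("2024-03-01T10:02:30", "198.51.100.4", "tok_b1", 49.99, "approved"),
]


def screen(log, min_amount=MIN_AMOUNT, window=WINDOW,
           max_auths=MAX_AUTHS_PER_IP, max_cards=MAX_CARDS_PER_IP):
    """Apply a minimum-amount filter and a sliding-window velocity filter.

    Returns (blocked, alerts): blocked lists attempts rejected before
    authorization because they fall below min_amount; alerts maps a source IP
    to the reason it first exceeded a velocity limit inside the window.
    """
    blocked, alerts = [], {}
    recent = defaultdict(deque)           # ip -> deque of (time, card_token)
    for ts, ip, card, amount, result in log:
        if amount < min_amount:
            blocked.append((ts, ip, card, amount, "below minimum amount"))
            # A rejected attempt still counts toward velocity: the probing
            # behaviour is the signal, not whether the charge went through.
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((t, card))
        while q and t - q[0][0] > window:  # drop attempts outside the window
            q.popleft()
        distinct_cards = {c for _, c in q}
        if ip not in alerts:
            if len(q) > max_auths:
                alerts[ip] = f"{len(q)} authorizations in {window}"
            elif len(distinct_cards) > max_cards:
                alerts[ip] = f"{len(distinct_cards)} distinct cards in {window}"
    return blocked, alerts
```

Running `screen(SAMPLE_LOG)` rejects all six $1.00 attempts and raises one alert for 203.0.113.7 when it reaches a sixth distinct card, while the $49.99 purchase passes untouched.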


1 ibid.

2 The Ever-Changing Landscape of Bots and Credit Card Testing by John Canfield, April 26, 2018, business.com.

3 SMB Merchants Are Too Complacent When it Comes to Payment Fraud by Rei Carvalho, May 16, 2019, TotalRetail.

4 5 Ways to Minimize Card Testing Fraud on Your Nonprofit’s Donation Page by Robert Wright, September 11, 2019, The A Group.