Posted: April 21, 2026
Card testing is not just a minor nuisance; it is a precursor to devastating financial loss and operational damage. Card testing attacks are automated processes in which fraudsters use scripts to test the validity of stolen credit card numbers against a merchant’s payment gateway. Every transaction incurs a processing fee for your business. These charges, referred to as authorization fees, are the micro-costs charged by payment processors each time a card is processed, whether the payment is approved or declined.
Most business owners buy into the false sense of safety that zero chargebacks mean zero fraud. This is a myth: fraud can happen without chargebacks and still cause massive revenue leakage. Card testing is the “reconnaissance phase” of the fraud cycle, and it bleeds a business twice. First, every card transaction that touches the business incurs a processor authorization fee. Second, every card that is tested and found to be working will eventually be used to make purchases from your business, resulting in chargebacks. Each chargeback costs your business the transaction fee plus an additional chargeback fee, both deducted from your operational cash.
Automated bots have commoditized these attacks. Attackers once had to work through business websites manually, one at a time. With advances in technology, automated bots can launch DoS and DDoS attacks at scale across multiple websites simultaneously. This means that even with a low transaction volume, your business is just as likely to be attacked. The probability may even be higher, since most small e-commerce stores lack enterprise-level security features.
Proactive detection is the only way to protect merchant accounts and profit margins. You should be aware of the latest cybersecurity developments and understand key concepts relevant to your business to ensure the security of your sensitive data.

Now, let us understand the fundamentals of card testing attacks. You must first understand two main concepts: carding forums and BIN attacks. Carding forums are dark web communities where bulk stolen credit card data is bought and sold (the trade itself is called carding). BIN (Bank Identification Number) attacks involve generating variations of card numbers that share the same first six digits (the issuer code) in order to find valid combinations.
Card testing attacks are not meant to steal data or cause chargeback damage to your organization. The primary goal of a card testing attack is validation: the attacker wants to sort the “live” cards from the dead ones in the list of card details they hold.
Traditional fraud consisted of buying high-value goods from businesses and then triggering chargebacks. Those were immediate losses that could be flagged easily based on purchase patterns; for example, the fraudster would maximize the purchase amount. Modern fraud has evolved into a much subtler form. Unlike their traditional counterparts, modern fraudsters do not rely on the data of a single stolen card. Automated scripts and bulk-stolen data from carding forums enable attackers to conduct multiple attacks against businesses simultaneously. Card testing validates stolen card numbers by submitting very small or zero-dollar authorizations and observing which ones are approved.
Charities and digital goods merchants have historically been the prime targets of these attacks, because these businesses have low-friction checkout pages and weaker security, making them low-hanging fruit for attackers.
This section aims to break down the attacker’s operational flow to show how easily these attacks can be scaled through automation. For this, we need to understand what botnets and scripting tools are. Botnets, as the name indicates, are networks of infected computers used to launch automated scripts from thousands of IP addresses. Scripting tools are software that automates filling out checkout forms and submitting payment requests at superhuman speeds.
Now, let us understand the phases of a card testing attack on a business. The attack begins with data acquisition: sourcing raw, untested card data from carding forums that must then be validated. The next step is target selection. Attackers scour the internet for small businesses or charities with low security barriers and frictionless, poorly protected payment portals. The third phase is execution, in which distributed bots are deployed to cycle through cards at lightning-fast speeds. The last step is harvesting: after thousands of card transactions have been processed, the details of the cards that received a positive authorization response are collected.
Automated scripts and botnets have increased the speed of these attacks. While traditional attackers ran scripts on personal computers via VPNs and the dark web, the modern approach involves using infected computers to conduct these attacks on behalf of the hacker. The large number of these bots increases the number of cards that can be tested per minute, enabling much faster, stealthier attacks.

Let us now understand the systemic weaknesses an attacker looks to exploit in modern e-commerce platforms. The first thing you should understand is guest checkout. Guest checkouts are purchasing flows that do not require account creation or email verification. While this is an important step in reducing friction for legitimate, first-time visitors, it also serves as a gift to attackers looking to exploit that lack of friction.
Next, you must understand what zero-auth or $1 auth transactions are. Zero auth refers to pre-authorization pings used to check whether a card is valid before charging the full amount.
Optimizing your websites for conversion means guiding visitors from product view to the checkout page in the fewest possible clicks. To minimize clicks, many e-commerce stores offer guest checkout. However, this inadvertently optimizes your website for fraud as well. Digital goods, such as SaaS, gift cards, and donations, are the easiest targets because they lack shipping address validation.
Another danger most e-commerce stores face is the use of custom checkout APIs. These APIs lack rate limiting, i.e., a cap on the number of requests processed per minute, making them an ideal target for attackers looking to exploit vulnerable endpoints. Fragmented tech stacks, such as separate CMS, gateway, and processor components, create security loopholes that are an open invitation for attackers to launch a card testing attack on your website.
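The following is an added example, not code from the original post, of the rate limiting the paragraph above says custom checkout APIs lack. It uses a token bucket per key so that a burst of authorization attempts from one client IP, or one BIN spread across many IPs, is refused before the request reaches the payment gateway, which is the point at which the authorization fee would be incurred. The class names, the burst and refill values, and the `FakeClock` used for deterministic testing are all assumptions chosen for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float   # tokens currently available for this key
    last: float     # clock reading at the last refill


class CheckoutRateLimiter:
    """Token-bucket limiter for a payment authorization endpoint.

    Each key (client IP, device fingerprint, or card BIN) gets its own bucket
    holding at most `burst` tokens, refilled at `per_minute` tokens per minute.
    Every authorization attempt spends one token; when the bucket is empty the
    request is refused *before* it is forwarded to the gateway, so no processor
    authorization fee is incurred for it.
    """

    def __init__(self, burst=5, per_minute=5.0, clock=time.monotonic):
        self.burst = burst
        self.refill_per_sec = per_minute / 60.0
        self.clock = clock          # injectable for deterministic tests
        self._buckets = {}

    def allow(self, key):
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            b = _Bucket(tokens=float(self.burst), last=now)
            self._buckets[key] = b
        # Refill proportionally to elapsed time, never above the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class AuthorizationGate:
    """Layered limits in front of the gateway call.

    A per-IP bucket stops a single scripted client; a per-BIN bucket stops a
    botnet that spreads one issuer's card range across many IP addresses.
    Limits here are example values (assumed), tuned per store in practice.
    """

    def __init__(self, clock=time.monotonic):
        self.by_ip = CheckoutRateLimiter(burst=5, per_minute=5.0, clock=clock)
        self.by_bin = CheckoutRateLimiter(burst=30, per_minute=30.0, clock=clock)

    def decide(self, ip, bin6):
        if not self.by_ip.allow(ip):
            return "refused:ip"
        if not self.by_bin.allow(bin6):
            return "refused:bin"
        return "forward"   # only now does the request reach the processor


class FakeClock:
    """Manually advanced clock so the refill behaviour can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_burst(limiter, key, attempts):
    """Return (allowed, refused) for `attempts` back-to-back requests from one key."""
    allowed = sum(1 for _ in range(attempts) if limiter.allow(key))
    return allowed, attempts - allowed


if __name__ == "__main__":
    clk = FakeClock()
    lim = CheckoutRateLimiter(burst=5, per_minute=5.0, clock=clk)
    print("burst of 20 from one IP:", simulate_burst(lim, "198.51.100.7", 20))
```

The refused requests never produce a gateway round trip, so the fee and the validation signal the attacker wants are both denied at once. Legitimate shoppers rarely submit more than a handful of authorizations in a minute, so the per-IP limit can be tight, while the per-BIN limit must be sized to your normal traffic from that issuer.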

In this section, we will provide a tactical checklist for fraud analysts and operators to spot attacks in real time. You must first understand velocity checks and AVS in order to recognize the symptoms of a card testing attack. Velocity checks monitor the speed and volume of transactions for a single user, IP address, or BIN. An Address Verification System (AVS) verifies whether the billing address entered during checkout matches the address the issuing bank has on file for the cardholder.
The first indication of a card testing attack is an unusual spike in checkout traffic without a corresponding marketing campaign. Do not assume your store was suddenly discovered overnight; proactively check whether the spike indicates a card testing attack is underway. Higher volumes of micro-transactions, typically from $1 to $5, or identical cart values, are a major indication of a card testing attack on your website.
Another signal of a card testing attack is a dramatic increase in authorization failure rates. If you see a high percentage of card transactions being declined, it is a strong signal that your website is under a card testing attack. In the previous sections, we discussed how attackers try various combinations of card numbers whose issuer code (the first six digits) is known. If you spot sequential card numbers being attempted in rapid succession, your checkout is being used for a card testing attack.
Another indication of a card testing attack is a single successful transaction following a long run of declines: the attacker’s “bingo” moment. Checkout behavior anomalies, such as skipping product pages and hitting the checkout API directly, are almost a sure indication of a card testing attack on your website.
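To make the checklist above concrete, here is an added example (not part of the original post) that runs the listed signals over a constructed authorization log: velocity per source, decline rate, micro-transaction share, sequential card numbers within one BIN, a single success after many declines, and sessions that hit the checkout API without viewing a product page. The log format, the record fields, the `10.0.0.5` and `198.51.100.7` addresses, and the thresholds are all assumptions for the example; a real deployment would read these from the gateway's response log and tune the thresholds to its own baseline. Only the BIN and the last four digits of the card are ever logged.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample export: ts, client ip, bin6, last4, amount, gateway result,
# direct_checkout (1 = checkout API called with no prior product-page view).
# 10.0.0.5 is a shopper who mistyped once; 198.51.100.7 is a testing script.
SAMPLE_LOG = """
2026-04-21T10:00:00Z,10.0.0.5,411111,4242,59.99,declined,0
2026-04-21T10:00:30Z,10.0.0.5,411111,4242,59.99,approved,0
2026-04-21T10:00:02Z,198.51.100.7,455010,1001,1.00,declined,1
2026-04-21T10:00:07Z,198.51.100.7,455010,1002,1.00,declined,1
2026-04-21T10:00:12Z,198.51.100.7,455010,1003,1.00,declined,1
2026-04-21T10:00:17Z,198.51.100.7,455010,1004,1.00,declined,1
2026-04-21T10:00:22Z,198.51.100.7,455010,1005,1.00,declined,1
2026-04-21T10:00:27Z,198.51.100.7,455010,1006,1.00,declined,1
2026-04-21T10:00:32Z,198.51.100.7,455010,1007,1.00,declined,1
2026-04-21T10:00:37Z,198.51.100.7,455010,1008,1.00,declined,1
2026-04-21T10:00:42Z,198.51.100.7,455010,1009,1.00,declined,1
2026-04-21T10:00:47Z,198.51.100.7,455010,1010,1.00,declined,1
2026-04-21T10:00:52Z,198.51.100.7,455010,1011,1.00,declined,1
2026-04-21T10:00:57Z,198.51.100.7,455010,1012,1.00,approved,1
"""


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    ip: str
    bin6: str
    last4: str
    amount: float
    approved: bool
    direct_checkout: bool


def parse_log(text):
    """Parse the CSV export into AuthAttempt records sorted by time."""
    rows = []
    for ts, ip, bin6, last4, amount, result, direct in csv.reader(io.StringIO(text.strip())):
        rows.append(AuthAttempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, bin6,
                                last4, float(amount), result == "approved", direct == "1"))
    return sorted(rows, key=lambda a: a.ts)


@dataclass
class Verdict:
    attempts: int
    per_minute: float
    decline_rate: float
    flags: list = field(default_factory=list)


def analyze(attempts, min_attempts=8, micro_amount=5.0):
    """Group attempts by source IP and apply the checklist signals to each group."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    verdicts = {}
    for ip, rows in by_ip.items():
        n = len(rows)
        span_min = max((rows[-1].ts - rows[0].ts).total_seconds() / 60.0, 1.0)
        declines = sum(1 for a in rows if not a.approved)
        v = Verdict(n, n / span_min, declines / n)
        if n >= min_attempts:   # a couple of retries from one shopper is normal
            if v.per_minute >= 5:
                v.flags.append("high_velocity")
            if v.decline_rate >= 0.5:
                v.flags.append("high_decline_rate")
            if sum(1 for a in rows if a.amount <= micro_amount) / n >= 0.8:
                v.flags.append("micro_transactions")
            if sum(1 for a in rows if a.direct_checkout) / n >= 0.8:
                v.flags.append("skipped_product_pages")
            # Consecutive attempts on the same BIN whose last four digits step by one.
            seq = sum(1 for p, q in zip(rows, rows[1:])
                      if p.bin6 == q.bin6 and abs(int(q.last4) - int(p.last4)) == 1)
            if seq >= 3:
                v.flags.append("sequential_pans_same_bin")
            if declines >= min_attempts and n - declines == 1:
                v.flags.append("single_success_after_declines")
        verdicts[ip] = v
    return verdicts


if __name__ == "__main__":
    for ip, v in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, v.attempts, round(v.per_minute, 1), round(v.decline_rate, 2), v.flags)
```

In production this runs over a sliding window rather than a whole export, and the same grouping can be keyed by BIN or device fingerprint to catch a botnet that rotates IP addresses. The `min_attempts` floor keeps a legitimate shopper who mistypes a card number once from being flagged for a 50% decline rate.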
This section explains how card testing attacks ultimately lead to chargebacks. Chargebacks are a forced reversal of funds initiated by the legitimate cardholder’s bank due to unauthorized use. The MATCH (Member Alert to Control High-Risk Merchants) list is a blacklist of merchants terminated by processors for excessive fraud. When a card testing attack is executed against an e-commerce website, a list of card details is checked for payment authorization, and the cards that return a positive response are collected. This data is then used to purchase goods and subscriptions online. Since these cards are stolen, the legitimate cardholder will issue a chargeback when they see unauthorized, unfamiliar transactions on their bank statements.
Card testing attacks are part of the “validation pipeline.” Once a card is validated on your site, it may be used for large fraudulent purchases immediately afterwards. Chargebacks are not limited to reversing the sale amount from your bank account; they incur additional costs for the business, such as a chargeback penalty that typically ranges from $15 to $35. This may seem like a small amount, but on low-ticket sales it is a massive operational cash leak.
You should proactively look for signs of card testing attacks on your website, because exceeding thresholds has consequences. Exceeding the 0.9% to 1% chargeback ratio brings you onto the radar of the card networks. The penalties include higher processing charges and elevated subscription fees and, in rare cases, permanent revocation of your merchant account.
A card testing attack is an invisible leak that leads to chargeback floods and processor bans. E-commerce stores are low-hanging fruit for attackers, particularly because of conversion optimizations such as guest checkout. Security should be viewed as an enabler of growth, not a cost center: confident fraud prevention enables merchants to accept more legitimate orders. The cost of implementing appropriate friction, rate limits, and ML scoring is negligible compared to losing your merchant account altogether.
A card testing attack occurs when fraudsters use automated bot scripts to rapidly test stolen credit card numbers on an e-commerce checkout page to see which ones are active and have available funds.
Even when transactions fail, merchants are charged non-refundable authorization fees for each attempt. Once a card is validated, it is used to make purchases from your store, which eventually result in chargebacks.
You can use invisible tools such as reCAPTCHA v3, device fingerprinting, and backend machine learning to assess risk silently.
This is not always true. Legitimate customers make typos or move without updating their address with their bank. But thousands of AVS mismatches during a sudden traffic spike are almost a guarantee of a card testing attack.
These stores are optimized for higher conversion rates. They implement strategies such as guest checkout, which eliminates the need for email or mobile verification, making them an easy target for attackers.