What is Card Testing Fraud?
Card testing fraud is a technique where criminals use stolen card numbers to make small, low-value transactions to verify the cards are active and valid before making larger fraudulent purchases.
What Is Card Testing Fraud?
Card testing fraud -- sometimes called card checking or carding -- is a technique used by criminals to verify whether stolen credit or debit card numbers are valid and active. The fraudster makes a series of small, low-value transactions to see which cards go through. Once they have confirmed a card works, they move on to making larger purchases or sell the verified card details to other criminals at a premium.
It is one of the most common forms of payment fraud, and it affects businesses of all sizes. If you have ever noticed a cluster of small, seemingly random transactions on your merchant account, there is a good chance someone was using your payment system as a testing ground.
How Card Testing Works in Practice
Card testing typically follows a predictable pattern. Criminals obtain large batches of stolen card numbers -- often from data breaches, phishing attacks, or dark web marketplaces. These batches might contain thousands or even millions of card numbers, but the fraudster has no way of knowing which ones are still active, which have been cancelled, and which have sufficient funds.
To find out, they need to test them. The most common approach is to use automated scripts or bots that rapidly submit small transactions -- often under one pound -- against an online payment form or checkout page. The amounts are deliberately kept low to avoid triggering fraud detection systems and to reduce the chance of the cardholder noticing the charge on their statement.
If a transaction is approved, the fraudster knows the card is live. If it is declined, they discard that number and move on to the next. A sophisticated card tester can process hundreds of card numbers per minute using automated tools, which is why the attack often appears as a sudden burst of activity on a merchant's payment system.
Why Small Amounts?
The small transaction values are deliberate. Many fraud detection systems use thresholds -- they look more closely at large purchases but may let very small ones pass without scrutiny. Similarly, cardholders are far less likely to notice or report a charge of 50p than a charge of 50 pounds. By the time the small test charge is discovered, the criminal has already used the validated card for bigger purchases elsewhere.
Who Is Targeted?
Card testers look for businesses with payment forms that are easy to exploit. Characteristics that make a business a target include:
- No velocity limits -- if you allow unlimited transaction attempts from the same IP address or device, you are an easy target
- Simple checkout flows -- minimal authentication steps make automated testing faster
- Digital goods or donations -- transactions that do not require a shipping address are harder to trace and easier to automate
- Weak CAPTCHA or no bot protection -- without measures to detect automated submissions, bots can test cards at scale
Charities and nonprofit organisations are frequently targeted because their donation pages often accept any amount and have minimal fraud checks. Small e-commerce businesses without sophisticated fraud tools are also common targets.
The Real Cost to Your Business
Card testing fraud costs you money in several ways, even though the individual transaction amounts are tiny. First, every approved transaction incurs processing fees from your payment gateway and acquiring bank. If a fraudster tests 500 cards through your system, you are paying processing fees on every single one of those test transactions.
Second, many of those test charges will result in chargebacks when the legitimate cardholders notice the unauthorised transactions and dispute them. Each chargeback carries a fee -- typically between fifteen and twenty-five pounds -- on top of the refunded amount. If you experience a high volume of chargebacks, your payment processor may increase your transaction fees, impose rolling reserves, or even terminate your merchant account entirely.
Third, the burst of automated traffic can strain your payment infrastructure, potentially slowing down or disrupting legitimate transactions. And fourth, there is the time and administrative cost of investigating the fraudulent transactions, processing refunds, and dealing with the fallout.
How Card Testing Relates to Telephone Payments
While card testing is most commonly associated with online payment forms, it can also affect businesses that take payments over the phone. An organised fraudster might call a business repeatedly, giving different card numbers for small orders, to test which ones are accepted. This is slower and more labour-intensive than automated online testing, but it does happen -- particularly with businesses that process high volumes of telephone orders.
The telephone environment presents both advantages and disadvantages in this scenario. On the one hand, the human element means an attentive agent might notice suspicious patterns -- the same voice calling multiple times, requests for unusual small amounts, or hesitation when asked for card details. On the other hand, if agents are not trained to spot these signs, they may unwittingly process test transactions without raising an alert.
For businesses that take payments over the phone, integrating your telephony payment system with fraud detection tools that flag unusual patterns is essential. This includes monitoring for multiple small transactions from the same caller, rapid repeat calls, and cards that are being used for the first time with your business.
How to Protect Your Business
There are several practical measures you can put in place to reduce card testing fraud:
- Implement velocity checks -- limit the number of transactions that can be attempted from the same IP address, device, or card number within a given time period
- Use AVS and CVV verification -- requiring the billing address and card security code adds friction that automated testing tools struggle with
- Deploy CAPTCHA or bot detection -- these tools can identify and block automated submission scripts on online payment forms
- Set minimum transaction amounts -- if your business model allows it, setting a minimum purchase value above the typical test amount can deter testers
- Monitor for patterns -- look for clusters of small transactions, high decline rates, and unusual activity spikes, and set up alerts to flag them in real time
- Use 3D Secure -- adding an authentication step for online payments makes card testing significantly harder because each test would require the cardholder to approve the transaction
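The velocity-check and pattern-monitoring measures above can be combined into one sliding-window rule. The sketch below is an added example, not code from Paytia or any payment gateway; the thresholds, the `Attempt` fields and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds for illustration; tune them against your own traffic.
WINDOW_SECONDS = 60
MAX_ATTEMPTS = 5          # velocity limit per source within the window
MIN_DISTINCT_CARDS = 4    # many different cards from one source
MIN_DECLINE_RATIO = 0.5   # high decline rate
SMALL_AMOUNT_PENCE = 100  # test charges are often under one pound

@dataclass(frozen=True)
class Attempt:
    ts: int            # seconds since epoch
    source: str        # IP address or device ID
    card_token: str    # tokenised card reference, never the card number
    amount_pence: int
    approved: bool

def detect_card_testing(attempts):
    """Return {source: timestamp at which the source first matched the pattern}."""
    windows = defaultdict(deque)
    flagged = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.source in flagged:
            continue
        win = windows[a.source]
        win.append(a)
        # Drop attempts that have aged out of the sliding window.
        while win[0].ts <= a.ts - WINDOW_SECONDS:
            win.popleft()
        if len(win) < MAX_ATTEMPTS:
            continue
        cards = {x.card_token for x in win}
        declines = sum(not x.approved for x in win)
        small = sum(x.amount_pence <= SMALL_AMOUNT_PENCE for x in win)
        if (len(cards) >= MIN_DISTINCT_CARDS and small == len(win)
                and declines / len(win) >= MIN_DECLINE_RATIO):
            flagged[a.source] = a.ts
    return flagged

# Constructed sample data: a bot cycling cards, a regular buyer, a customer retrying.
SAMPLE = (
    [Attempt(1000 + 3 * i, "203.0.113.7", f"tok_{i}", 50, i % 4 == 0) for i in range(8)]
    + [Attempt(1000 + 200 * i, "198.51.100.20", "tok_cust", 2500, True) for i in range(6)]
    + [Attempt(5000 + 10 * i, "192.0.2.44", "tok_retry", 80, i == 2) for i in range(3)]
)

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE))
```

Only the source that cycles through many cards with small, mostly declined charges is flagged; the customer who retries one card a few times stays under the velocity limit.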
What to Do If You Are Being Targeted
If you notice signs of card testing on your system -- a sudden spike in small transactions, a high number of declines, or multiple chargebacks for small amounts -- act quickly. Contact your payment processor immediately. They can help you implement emergency velocity limits and block the suspicious traffic. Review your transaction logs to identify patterns and block the IP addresses or card BINs (the first six digits of the card number, which identify the issuing bank) involved.
Document everything. If the attack is significant, you may want to report it to Action Fraud (in the UK) or your local equivalent. And once the immediate threat is contained, take the time to review and strengthen your fraud prevention measures so you are better prepared next time.
Paytia's PCI DSS Level 1 certified platform incorporates card testing fraud protection as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.
Frequently Asked Questions
What is card testing fraud?
Card testing fraud is a technique where criminals use stolen card numbers to make small, low-value transactions to verify the cards are active and valid before making larger fraudulent purchases.
Why is card testing fraud important for PCI DSS?
PCI DSS requires organisations to implement controls against card testing fraud as part of their security controls for protecting cardholder data.
How does Paytia handle card testing fraud?
Paytia implements card testing fraud controls as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.