What you need to know about card testing fraud

April 01, 2020
3 min
Cybersource Team
Cybersource Team
Global Experts

Imagine waking up to find your site bombarded by thousands of transactions. “Yipee!” you think. “My hard work is paying off.” But, you look closer and see that all the purchases are small, and for some reason, they don’t make sense. You realize they’re fraudulent.

At first, you aren’t sure it’s a big deal but your phone starts to ring with complaints from angry customers. When the calls have subsided, you start adding up all the chargebacks and authorization fees and see that this month’s profits—and maybe even this year’s profits—are down the drain. For more and more businesses and organizations, this nightmare scenario has become all too real. The culprit? Card testing, often executed through botnets.

What is card testing?

Fraudsters use card testing to determine the validity of credit card numbers. First, they purchase or steal card details on the dark web, or via phishing or spyware software. Then, with the numbers in hand, they attempt small purchases on an unsuspecting merchant’s site to see if the card was approved.1

Since cards are often stolen weeks or month prior, this process reveals which cards have been canceled by cardholders and banks—and which ones are available for use. Once the canceled or declined card numbers are weeded out, fraudsters can move on to make larger purchases, or resell the validated information on the dark web.

What role do botnets play?

When you add botnets to the equation, card testing enters new realms of destruction.2 Unlike manual testing—which is time consuming and labor intensive—fraudsters can program networks of compromised computers (botnets) to run thousands of low-value transactions at a time.

Fraudsters come away from these attacks with valid card numbers, while merchants are left with a huge revenue hit from authorization processing fees, not to mention serious brand damage and a major tax on their time and resources.

Who’s at risk?

Card testing attacks often target small and medium businesses as well as organizations that accept donations or even tuition.  Because these types of merchants often lack the tools and technologies to protect themselves, they make easy prey.3

Businesses and organizations that don’t sell physical goods tend to be particularly vulnerable because they assume fraud isn’t a worry—the fraudsters know this and deliberately target them as a result. Take nonprofits for example. Since many nonprofit donation pages collect little information from donors and fail to place minimum limits for giving, they provide an ideal environment for card testing.4

How can businesses and nonprofits protect themselves?

There’s no one component that can stop card testing. However, there are key steps you can take to stay ahead of the curve and avoid attacks. Check out part two of our card testing series to learn more.


1 ibid.

2 The Ever-Changing Landscape of Bots and Credit Card Testing, by John Canfield, April 26, 2018, business.com, https://www.business.com/articles/bots-credit-card-testing/

3 SMB Merchants Are Too Complacent When it Comes to Payment Fraud, by Rei Carvalho, May 16, 2019, TotalRetail, https://www.mytotalretail.com/article/smb-merchants-are-too-complacent-when-it-comes-to-payment-fraud/

4 5 Ways to Minimize Card Testing Fraud On Your Nonprofit’s Donation Page, by Robert Wright, September 11, 2019, The A Group, https://www.agroup.com/blog/5-ways-to-minimize-card-testing-fraud-on-your-nonprofits-donation-page/