Card Testing
Definition
Card testing is a fraud attack using automated scripts to validate stolen card numbers via small test transactions before exploiting them for larger fraud.
Card testing (also called carding or card checking) is a fraud attack in which a fraudster uses automated scripts to test a large volume of stolen card numbers against a merchant's checkout, typically with small or zero-value transactions, to identify which cards are live and usable before monetising them at scale. Card testing attacks can process thousands of authorization attempts per hour and impose direct costs on merchants through authorization fees, chargeback fees, and scheme monitoring programme thresholds.
Card testing is mechanically simple but commercially damaging. Fraudsters acquire batches of card numbers from dark web markets (typically from data breaches), then need to determine which are active before attempting larger purchases. Merchants with light fraud controls and low-value checkout flows are the preferred testing ground.
How Card Testing Works
A typical card testing operation:
- Card acquisition: Fraudster purchases a batch of card numbers from dark web carding markets. Prices range from $5 to $50 per card depending on data completeness (card number only vs full CVV + expiry + billing address).
- Script setup: Automated tools (bots) are configured to submit transactions through a target merchant’s checkout or payment API. The bot rotates through card numbers, shipping addresses, and IP addresses to evade velocity checks.
- Test transaction type: Fraudsters prefer low-value transactions ($0.01, $1.00) or donations, or merchants that offer free trials with card verification. Some use authorization-only flows that don’t charge the card. The goal is a successful authorization response, not a purchase.
- Card sorting: Cards that return successful authorizations are flagged as “live.” Cards that return hard declines (lost/stolen, invalid account) are discarded.
- Monetisation: Live cards are used for high-value purchases at merchants with weaker controls, sold back to other fraudsters at a premium, or used in ATO attacks.
Impact on Merchants
Direct costs:
- Authorization fees on every attempted transaction, including failed ones
- Chargeback fees if test purchases aren’t caught before dispute
- Processing costs from inflated transaction volumes
Scheme monitoring programme risk: Visa and Mastercard monitor merchants for abnormal authorization rates and chargeback ratios. A card testing attack that drives hundreds of failed authorizations in a short period can push a merchant into monitoring programmes (VAMP, MATCH list) with fines and eventually termination.
Infrastructure costs: High-volume bot traffic can stress checkout infrastructure and API rate limits.
Detection Signals
Card testing attacks produce distinct patterns that fraud detection systems can identify:
- Authorization decline spike: Sudden increase in decline rate, particularly for do-not-honour and invalid card responses
- Velocity anomaly: Multiple distinct card numbers attempted from the same IP, device fingerprint, or shipping address in a short window
- Unusually small transaction amounts: Clustering of $0.01–$1.00 transactions
- Sequential BIN patterns: Cards being tested often come from the same BIN range, producing sequential card number attempts
- New device + new card + low-value: This combination is a strong card testing signal
Mitigation
CAPTCHA and bot detection: Effective against naive automated scripts. Sophisticated bot operators use CAPTCHA-solving services, reducing but not eliminating friction.
Velocity rules: Limit authorization attempts per device fingerprint, IP, and shipping address per time window.
Minimum transaction values: Eliminate the free trial or $0.01 transaction use case that makes merchants easy testing targets.
3DS2 on unrecognised sessions: Requiring a 3DS challenge for first-time guest checkouts from unrecognised devices significantly raises the cost of automated testing.
Real-time fraud scoring: ML-based fraud models that detect the behavioral signature of card testing (velocity, pattern, session characteristics) can block attacks within the first few dozen attempts rather than after thousands.
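The detection signals listed above and the velocity rule under Mitigation, turned into a small offline scoring routine. This is an added example, not code from the original page; the authorization log, the "BIN-last4" card reference format, and every threshold are constructed assumptions a merchant would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real traffic). Each row is
# (timestamp, client_ip, card_ref, amount_usd, auth_response); card_ref is an
# assumed tokenised reference in the form "<BIN>-<last4>".
SAMPLE_AUTHS = [
    ("2024-05-01T10:00:01", "203.0.113.7", "411111-0001", 0.01, "approved"),
    ("2024-05-01T10:00:03", "203.0.113.7", "411111-0002", 0.01, "do_not_honour"),
    ("2024-05-01T10:00:05", "203.0.113.7", "411111-0003", 1.00, "invalid_card"),
    ("2024-05-01T10:00:07", "203.0.113.7", "411111-0004", 0.01, "do_not_honour"),
    ("2024-05-01T10:00:09", "203.0.113.7", "411111-0005", 0.01, "approved"),
    ("2024-05-01T10:00:11", "203.0.113.7", "411111-0006", 0.50, "invalid_card"),
    ("2024-05-01T10:02:00", "198.51.100.9", "555555-7788", 49.99, "approved"),
    ("2024-05-01T11:30:00", "198.51.100.9", "555555-7788", 12.00, "approved"),
]

WINDOW = timedelta(minutes=5)   # assumed velocity window
MAX_CARDS_PER_IP = 5            # assumed distinct-card tolerance per IP per window
SMALL_AMOUNT = 1.00             # assumed ceiling for a "test" amount in USD
MIN_ATTEMPTS = 3                # ratio signals need a minimum sample size
HARD_DECLINES = {"do_not_honour", "invalid_card", "lost_stolen"}

def score_ip(rows):
    """Return the set of card-testing signals raised by one IP's attempts."""
    rows = sorted(rows)  # ISO timestamps sort chronologically as strings
    signals = set()
    # Velocity anomaly: distinct card refs inside any WINDOW-long sliding window.
    start = 0
    for end, row in enumerate(rows):
        while datetime.fromisoformat(row[0]) - datetime.fromisoformat(rows[start][0]) > WINDOW:
            start += 1
        if len({r[2] for r in rows[start:end + 1]}) > MAX_CARDS_PER_IP:
            signals.add("velocity")
    if len(rows) >= MIN_ATTEMPTS:
        # Clustering of sub-$1 amounts and a spike in hard declines.
        if sum(r[3] <= SMALL_AMOUNT for r in rows) / len(rows) >= 0.8:
            signals.add("small_amounts")
        if sum(r[4] in HARD_DECLINES for r in rows) / len(rows) >= 0.5:
            signals.add("decline_spike")
        # Many different cards, all from one BIN range.
        bins = {r[2].split("-")[0] for r in rows}
        if len(bins) == 1 and len({r[2] for r in rows}) > 1:
            signals.add("same_bin")
    return signals

def flag_card_testing(auths):
    """Group attempts by IP and keep only IPs that raise at least one signal."""
    by_ip = defaultdict(list)
    for row in auths:
        by_ip[row[1]].append(row)
    return {ip: score_ip(rows) for ip, rows in by_ip.items() if score_ip(rows)}
```

In production the same grouping would be repeated per device fingerprint and shipping address, since bots rotate IPs, and a flagged key would feed a velocity block or a step-up to 3DS rather than only a report.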
Related terms
Account Takeover (ATO)
BIN
Chargeback Ratio
PCI DSS
Velocity Check