Card testing attacks are one of the most damaging forms of checkout fraud facing online businesses today. Fraudsters use automated bots to test thousands of stolen credit card numbers on your checkout, causing chargebacks, processing fees, and potentially getting your merchant account suspended.
This comprehensive guide explains exactly what card testing is, why it's so dangerous for your business, and the proven strategies to stop it before it costs you money.
What Is a Card Testing Attack?
A card testing attack occurs when fraudsters use your online checkout to verify whether stolen credit card numbers are valid. They typically run small transactions—often under €1—to test which cards work before using them for larger fraudulent purchases elsewhere.
Here's how a typical attack unfolds:
Step 1: Obtain Stolen Card Data
Fraudsters acquire large batches of credit card numbers through data breaches, phishing scams, or dark web purchases. These lists often contain thousands of card numbers with varying amounts of information—some include CVV codes and billing addresses, others just the card number.
Step 2: Target Vulnerable Checkouts
Attackers look for checkouts without fraud protection. Sites without CAPTCHA, rate limiting, or address verification become easy targets. Payment pages that accept small amounts or don't require full billing details are particularly attractive.
Step 3: Automate the Testing
Using automated scripts and bots, fraudsters attempt transactions at high speed—sometimes hundreds per minute. Each successful transaction confirms a valid card number. Failed transactions help them eliminate invalid cards.
Step 4: Use Valid Cards Elsewhere
Once cards are validated, they're either used for larger fraudulent purchases or sold to other criminals at premium prices. A verified stolen card is worth significantly more on the black market than an untested one.
Why Card Testing Devastates Businesses
The damage from card testing extends far beyond the immediate fraudulent transactions. Understanding these consequences helps explain why prevention is so critical.
Every transaction attempt—even failed ones—may incur processing fees depending on your payment provider. When bots attempt thousands of transactions, these small fees compound into significant losses. Some businesses report paying hundreds in fees during a single attack.
Any successful test transactions will eventually result in chargebacks when legitimate cardholders notice the charges. Each chargeback typically costs €15-25 in fees, plus the transaction amount, plus potential penalty fees for high chargeback ratios.
Payment processors monitor chargeback ratios closely. Under Visa's VAMP guidelines effective October 2025, merchants with excessive fraud attempts face penalties. High fraud ratios can result in increased processing fees, reserve requirements, or complete account termination.
Card testing attacks flood your order system with fake transactions. Your team wastes time investigating suspicious orders, your analytics become polluted with false data, and legitimate customer orders can get delayed or caught in fraud filters.
The 7 Essential Protection Methods
Stopping card testing requires a multi-layered approach. No single technique works perfectly alone, but combining several methods creates a formidable defense.
Modern CAPTCHA solutions like Cloudflare Turnstile run silently in the background, distinguishing humans from bots without showing puzzles or image challenges. This stops automated scripts while creating zero friction for legitimate customers.
Unlike traditional CAPTCHAs that frustrate users, invisible CAPTCHA analyzes browser behavior, mouse movements, and other signals to detect automation. Bots fail these checks automatically.
Rate limiting restricts how many transactions can originate from a single IP address or email within a time window. Legitimate customers rarely attempt more than a few purchases per hour, but bots need to test cards rapidly to be effective.
Recommended settings:
- Maximum 10 checkout attempts per IP per hour
- Maximum 5 attempts per email per hour
- 30-minute cooldown after hitting limits
Most stolen card data doesn't include CVV codes—the 3-digit security number on the back of cards. Requiring CVV verification blocks transactions where fraudsters only have the card number.
Configure your payment processor to decline all transactions with missing or incorrect CVV responses. This simple setting blocks a large percentage of card testing attempts.
The Address Verification Service (AVS) compares the billing address entered during checkout against the address on file with the card issuer. Fraudsters testing cards often don't have accurate billing information.
Set your processor to decline transactions where the street address doesn't match. While this may occasionally block legitimate customers who moved recently, it provides strong protection against fraud.
Honeypot fields are invisible form inputs that real users never see or fill out. Bots, following their scripts, often complete every field—including hidden ones. When a honeypot field contains data, the transaction is automatically blocked.
This technique catches automated scripts without affecting legitimate users at all.
If your business doesn't serve certain geographic regions, blocking checkout attempts from those areas eliminates a significant fraud vector. Many card testing operations originate from specific countries.
Rather than blanket country blocking, analyze your legitimate customer geography and create targeted restrictions. If you've never had a real customer from a particular region, there's little downside to blocking it.
Velocity filters detect patterns that indicate testing behavior: multiple failed attempts with different card numbers, sequential card numbers being tested, or rapid-fire transactions. These patterns are unmistakably bot behavior.
Configure your fraud prevention to flag or block orders matching these velocity patterns.
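One way to detect the three velocity patterns named above from a log of checkout attempts. This is an added example, not PayRequest's code: the record fields (`ip`, `ts`, `bin`, `last4`, `approved`), the thresholds and the sample rows are assumptions, and the sequential check is a heuristic that works from the BIN and last four digits only, since merchants normally do not store full card numbers.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions; tune them against your own traffic.
MAX_FAILED_CARDS = 3               # distinct declined cards from one IP
RAPID_COUNT, RAPID_WINDOW = 5, 60  # 5 attempts within 60 seconds
SEQ_RUN = 3                        # consecutive account digits under one BIN

def longest_run(values):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for v in values:
        if v - 1 not in values:    # v starts a run
            n = 1
            while v + n in values:
                n += 1
            best = max(best, n)
    return best

def velocity_flags(attempts):
    """Map each IP to the velocity patterns its checkout attempts match."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
    flags = {}
    for ip, rows in by_ip.items():
        reasons = []
        failed = {(r["bin"], r["last4"]) for r in rows if not r["approved"]}
        if len(failed) >= MAX_FAILED_CARDS:
            reasons.append("many_failed_cards")
        by_bin = defaultdict(set)
        for r in rows:  # last digit is the Luhn check digit, so compare the 3 before it
            by_bin[r["bin"]].add(int(r["last4"][:3]))
        if any(longest_run(s) >= SEQ_RUN for s in by_bin.values()):
            reasons.append("sequential_cards")
        ts = sorted(r["ts"] for r in rows)
        if any(b - a <= RAPID_WINDOW for a, b in zip(ts, ts[RAPID_COUNT - 1:])):
            reasons.append("rapid_fire")
        if reasons:
            flags[ip] = reasons
    return flags

# Constructed sample: documentation IPs and made-up BIN/last-4 pairs.
SAMPLE = [
    {"ip": "203.0.113.9", "ts": 1000 + 5 * i, "bin": "400000", "last4": l4, "approved": i == 4}
    for i, l4 in enumerate(["1237", "1245", "1252", "1260", "1278", "1286"])
] + [
    {"ip": "198.51.100.4", "ts": 1000, "bin": "510000", "last4": "4821", "approved": False},
    {"ip": "198.51.100.4", "ts": 1900, "bin": "510000", "last4": "4821", "approved": True},
]
```

On the sample, the first IP matches all three patterns while the second, a customer who retried the same card once after a decline, is not flagged.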
How PayRequest Protects Your Checkout
PayRequest includes built-in checkout fraud protection that implements all these techniques automatically. When you enable spam protection in your settings, you get:
Multi-Layer Detection: Cloudflare Turnstile CAPTCHA, honeypot fields, name analysis, and rate limiting work together to stop bots before they reach your payment processor.
Sensitivity Controls: Choose between Low, Medium, and Strict protection levels based on your risk tolerance. Most businesses find Medium provides optimal balance.
Country Blocking: Block orders from specific countries with a friendly message for legitimate customers who may need assistance.
Whitelist Management: Ensure trusted customers and partners always get through by whitelisting their email addresses or domains.
Real-Time Monitoring: View every blocked attempt with details about why it was stopped. See risk scores, IP addresses, and block reasons at a glance.
Quick Recovery: If a legitimate customer gets blocked accidentally, unblock their IP with one click directly from your dashboard.
Responding to an Active Attack
If you're currently experiencing a card testing attack, here's your immediate action plan:
Step 1: Enable All Protection
Turn on maximum fraud protection immediately. Accept that you may temporarily block some legitimate customers—stopping the attack is the priority.
Step 2: Block Identified IPs
Review your blocked attempts log and add persistent attackers to your permanent blocklist.
Step 3: Contact Your Payment Processor
Notify your payment processor about the attack. They may be able to provide additional protection at the gateway level and will understand if your fraud metrics spike temporarily.
Step 4: Review Completed Orders
Audit any orders that did complete during the attack period. Cancel suspicious transactions before they ship to reduce chargeback exposure.
Step 5: Strengthen Verification
After the attack subsides, consider requiring stronger verification—like email confirmation—for high-risk order profiles.
Preventing Future Attacks
Card testing prevention isn't a one-time fix. Maintain strong protection through these ongoing practices:
- Keep fraud protection enabled at all times, not just during attacks
- Monitor your blocked attempts dashboard weekly for patterns
- Review and adjust sensitivity settings based on your false positive rate
- Stay informed about new fraud techniques and attack patterns
- Maintain relationships with your payment processor for quick escalation
The cost of prevention is always less than the cost of an attack. A few blocked legitimate customers are far preferable to thousands in chargeback fees and a suspended merchant account.
Get Protected Today
Don't wait for an attack to take checkout security seriously. PayRequest's fraud protection takes one click to enable and immediately shields your business from card testing, bot attacks, and fake orders.
With 0% platform fees and protection included at every plan level, there's no reason to leave your checkout vulnerable. Start your free trial and see how easy proper fraud prevention can be.
