What Is Card Testing?
Card testing is when a fraudster checks whether a stolen debit or credit card is still active (“live”), and whether it has funds left, before going on to use it.
Testing involves conducting card activity less likely to be flagged as suspicious and is often done on long lists of illegally acquired card credentials, to separate the wheat from the chaff.
Card testing can be conducted on physically stolen bank cards, physical reproductions of cards from scraping, generated card information, as well as on stolen card credentials, also known as card fullz.
How Does Card Testing Work?
There are two primary methods used by criminals to conduct a card testing attack: pushing through small payments and conducting authorizations.
Small payments
The fraudster attempts to use a card to make a small payment. Acceptance of the payment will show them if the card is live, but it is also likely to draw the attention of the legitimate cardholder, as it will appear on their statement.
Even rejected payments can occasionally return useful information in terms of what caused the rejection, helping the fraudster to fool the system upon their next attempts.
- Method benefits: easy to find places to use it; rejections can help criminals
- Method risks: more likely to be caught
Authorizations
Unlike payments, authorizations are a query sent through the payment processor to the issuer as the first step in a payment, asking whether the customer has the funds to cover the transaction. These will take much longer to appear on card statements, giving the fraudster more time to use the active card.
- Method benefits: cardholder not likely to find out; subtler method
- Method risks: advanced anti-fraud methods will still catch these
At this point, the legitimate card owner might notice and contact the card issuer. This is bad news for the criminal but is also unfortunate for the merchant, who will be facing chargeback requests, which require time and often money to resolve – as well as affecting their chargeback rate, which can be catastrophic.
It is estimated that each case of fraud costs merchants up to 3.60 times the money lost in that transaction.
Another thing fraudsters testing stolen debit and credit cards are wary of is causing too many declines on each card. Depending on the issuer, this can lead to the card automatically freezing, which means it can’t be used anymore.
Card testing can be done on credit cards, as well as debit cards, prepaid cards and gift cards, usually in card-not-present environments. In fact, card-not-present (CNP) fraud is projected to cause losses of USD 34.66 billion to the economy every year.
What Is Card Testing Used For?
Card testing is conducted to see whether stolen cards and/or credentials (fullz) are still active. From there, fraudsters will:
- Resell live cards for a profit (verified cards sell for more than untested cards)
- Conduct further fraud, including chargeback fraud
- Buy gift cards or cryptocurrencies to rapidly convert stolen value into untraceable assets
- Buy goods to reship
- Buy criminal or unlawful services on the dark web
- Use them for any other act that involves card payments
How Does Card Testing Fraud Harm Ecommerce?
Fraudsters tend to target digital goods and services, as well as non-profit organizations, and the donation and support pages of content creators, mainly because they provide instant feedback on whether the card is live and has funds available.
Merchants have much to lose from credit card testing, both repetitive and one-off. These consequences include:
- Chargeback rate rises: Card testing will cause chargeback requests from cardholders and as such, it can affect the chargeback ratio, which can ultimately even lead to being banned as a merchant.
- Higher processing fees: Merchants can be flagged as high risk, thus being forced to pay higher fees to payment processors, for all transactions.
- Increased risk overall: Successful testing signals low anti-fraud protocols to criminals, opening a Pandora’s box of subsequent fraud attacks. In other words, fraudsters are more likely to attack you.
- Extra fees: Additional costs include dispute fees, interchange fees, work hours spent, resolution fees.
- Infrastructure strain: Card testing and its results can put a strain on merchant resources, including human resources.
- Reputational damage: There is increased possibility for reputational damage and a drop in employee morale.
Of course, also at risk from card testing are payment gateways, where fraudsters spam orders using different credentials to see which will go through, as well as card issuers themselves.
How to Stop Card Testing Fraud
Protection from card testing attacks primarily concerns payment gateways and card issuers. However, merchants also have a vested interest in preventing this type of fraud, mainly because of its effects on their chargeback ratio.
Moreover, identifying testing in a timely fashion is of benefit to everyone except the criminal world, as it prevents fraudsters who test cards from then using the credentials for larger transactions and schemes to the detriment of several stakeholders as well as the wider economy.
Generally speaking, the more information on the customer you have, the easier it is to figure out their intentions. Technologies and tools that enable organizations to prevent and mitigate card testing include:
- Data enrichment: Finds out extensive information starting from single data points, for instance, the buyer’s IP address or provided email address.
- PCI DSS: A widely accepted set of standards that helps boost the security of card payments from major issuers.
- Device fingerprint analysis: Fraud detection tools examine a consumer’s hardware and software to reach conclusions about their intentions.
- Risk analysis: Strategies and software that calculate the risk of card testing and implement strong protocols that scale.
- SCA protocols: A means to ensure that those who pay with credit cards online are the actual, legitimate cardholders.
- Velocity rules: These checks identify patterns over time, flagging, for example, multiple attempts at payment with too many cards from the same device or location.
- Risk scoring: Factors in all gathered data to create a score that reflects the likelihood of a transaction being fraudulent.
- Dynamic friction: Asks only suspicious customers for additional proof that they own their payment cards, providing card testing fraud prevention without adding friction for legitimate customers.
The general idea is to gather as much information about the customer attempting a payment as possible while keeping friction to a minimum, so as not to deter legitimate consumers.
For purposes of credit card testing fraud prevention, anti-fraud platforms will look into several data points acquired through data enrichment, device, canvas and browser fingerprinting, considering them over a wider period of time using velocity rules, as well as comparing them to historical data for that business and type of transaction specifically.
The result gives an overall risk score per customer and/or transaction that can trigger KYC protocols, manual review or even outright bans, effectively discouraging and even catching card testing and other types of fraud.
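The velocity rules, risk scoring and dynamic friction described above can be sketched in a few lines. This is an added example, not code from any anti-fraud product: the event fields, window, thresholds and score weights are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_CARDS = 3                   # assumed: distinct cards tolerated per device in window
MAX_DECLINES = 3                # assumed: declines per device that raise risk
SMALL_AMOUNT = 2.00             # assumed ceiling for a "small payment"

T0 = datetime(2024, 1, 1, 12, 0)  # constructed sample data below

def ev(minute, device, card, amount, approved):
    return (T0 + timedelta(minutes=minute), device, card, amount, approved)

EVENTS = [
    # dev-A: five cards in five minutes, tiny amounts, mixed declines
    ev(0, "dev-A", "card-1", 1.00, False), ev(1, "dev-A", "card-2", 1.00, False),
    ev(2, "dev-A", "card-3", 1.00, True), ev(3, "dev-A", "card-4", 1.00, False),
    ev(4, "dev-A", "card-5", 1.00, True),
    # dev-B: returning customer, one card, normal amounts
    ev(0, "dev-B", "card-9", 40.00, True), ev(30, "dev-B", "card-9", 40.00, True),
    # dev-C: customer whose card fails three times before a second card works
    ev(0, "dev-C", "card-7", 59.90, False), ev(1, "dev-C", "card-7", 59.90, False),
    ev(2, "dev-C", "card-7", 59.90, False), ev(3, "dev-C", "card-8", 59.90, True),
]

def peak_scores(events, window=WINDOW):
    """Return {device: highest risk score seen} using a sliding time window."""
    recent = defaultdict(deque)
    peak = {}
    for ts, device, card, amount, approved in sorted(events, key=lambda e: e[0]):
        q = recent[device]
        q.append((ts, card, amount, approved))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        cards = {c for _, c, _, _ in q}
        declines = sum(1 for *_, ok in q if not ok)
        small = sum(1 for _, _, a, _ in q if a <= SMALL_AMOUNT)
        score = (50 * (len(cards) > MAX_CARDS)        # velocity: many cards, one device
                 + 30 * (declines >= MAX_DECLINES)    # repeated declines
                 + 20 * (small >= 3))                 # run of small payments
        peak[device] = max(peak.get(device, 0), score)
    return peak

def decide(score):
    """Map a risk score to an action; 'step_up' is the dynamic-friction path."""
    if score >= 80:
        return "block"
    if score >= 30:
        return "step_up"   # e.g. require SCA or send to manual review
    return "allow"

if __name__ == "__main__":
    for device, score in sorted(peak_scores(EVENTS).items()):
        print(device, score, decide(score))
```

In production the same counters would also be keyed on IP address and enriched email data, and compared against the merchant's historical baseline rather than fixed thresholds.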
