Card Testing

What Is Card Testing?

Card testing is when a fraudster tests whether a stolen credit card is still active (“live”) before they go on to use it – as well as if it has funds left. 

Testing involves conducting card activity less likely to be flagged as suspicious, and is often done on long lists of illegally acquired card credentials, to separate the wheat from the chaff.

Card testing can be conducted on physically stolen bank cards, physical reproductions of cards from scraping, generated card information, as well as on stolen credit card credentials, also known as card fullz. 

How Does Card Testing Work?

There are two primary methods used by criminals to conduct card testing: pushing through small payments and conducting authorizations.

Small payments 

The fraudster attempts to use a card to make a small payment. Acceptance of the payment will show them if the card is live, but it is also likely to draw the attention of the legitimate cardholder, as it will appear on their statement. 

Even rejected payments can occasionally return useful information in terms of what caused the rejection, helping the fraudster to fool the system upon their next attempts.

Method benefits: easy to find places to use it; rejections can help criminals
Method risks: more likely to be caught

Authorizations

Unlike payments, authorizations are a query sent through the payment processor to the issuer as the first step in a payment, asking whether the customer has the funds to cover the transaction. These will take much longer to appear on card statements, giving the fraudster more time to use the active card.

Method benefits: cardholder not likely to find out; subtler method
Method risks: advanced anti-fraud methods will still catch these

At this point, the legitimate card owner might notice and contact the card issuer. This is bad news for the criminal but is also unfortunate for the merchant, who will be facing chargeback requests, which require time and often money to resolve – as well as affecting their chargeback rate, which can be catastrophic. 

It is estimated that each case costs merchants up to 3.60 times the money lost in that transaction.

Another thing fraudsters testing stolen debit and credit cards are wary of is causing too many declines on each card. Depending on the issuer, this can lead to the card automatically freezing, which means it can’t be used anymore. 

Card testing can be done on credit cards, as well as debit cards, prepaid cards and gift cards, usually in card-non-present environments. In fact, card-not-present (CNP) fraud is projected to cause losses of USD 34.66 billion to the economy every year. 

What Is Card Testing Used For?   

Card testing is conducted to see whether stolen cards and/or credentials (fullz) are still active. From there, fraudsters will:

  • resell live cards for a profit (verified cards sell for more than untested cards)
  • use them to conduct fraud, including chargeback fraud 
  • use them to buy gift cards or cryptocurrencies
  • use them to buy goods to reship 
  • use them to buy criminal or unlawful services on the dark web
  • as well as any other act that involves card payments

How Does Card Testing Fraud Harm Ecommerce?

Fraudsters tend to target digital goods and services, as well as non-profit organizations, and the donation and support pages of content creators, mainly because they provide instant feedback on whether the card is live and has funds available. 

Merchants have much to lose from card testing, both repetitive and one-off:

  • They can cause chargeback requests and as such, it can affect the chargeback ratio – which can ultimately even lead to being banned as a merchant.
  • Merchant can be flagged as high risk, thus being forced to pay higher fees to payment processors. 
  • Successful testing signals low anti-fraud protocols to criminals, opening a Pandora’s box of subsequent fraud attacks.
  • Additional costs: dispute fees, interchange fees, work hours spent, resolution fees.
  • Drop in employee morale, as well as reputational damage.

Of course, also at risk from card testing are payment gateways, where fraudsters spam orders using different credentials to see which will go through, as well as card issuers themselves.

card testing

How to Stop Card Testing Fraud

Protection from card testing fraud primarily concerns payment gateways and card issuers. However, merchants also have a vested interest in preventing this type of fraud, mainly because of its effects on their chargeback ratio.

Moreover, identifying testing in a timely fashion is of benefit to everyone except the criminal world, as it prevents fraudsters from then using the credentials for larger transactions and schemes at the detriment of several stakeholders as well as the wider economy. 

Generally speaking, the more information on the customer you have, the easier it is to figure out their intentions. Technologies and tools that enable organizations to prevent and mitigate card testing include:

The general idea is to gather as much information about the customer attempting a payment as possible while keeping friction to a minimum, so as not to deter legitimate consumers. 

Anti-fraud platforms will look into several data points acquired through data enrichment, device, canvas and browser fingerprinting, considering them over a wider period of time using velocity rules, as well as comparing them to historical data for that business and type of transaction specifically. 

The result gives an overall risk score per customer and/or transaction that can trigger KYC protocols, manual review or even outright bans, effectively discouraging and even catching card testing and other types of fraud.

There is a lot we can find out from the first part of a credit card number, known as the BIN, which is the same for each issuer bank. Enter the first few digits in SEON’s module below to see for yourself:

Free bin lookup!

Enter the first 6 or 8 digits of a card number (BIN/IIN)

Bank Name
···· ····

Text here

Cardholder name
Bank
Brand
Type
Level
Country
Phone

Sources

Thales Group: Slash card-not-present fraud with Gemalto Dynamic Code Verification

Nilson Report: Investments in merchant acquiring/processing 2021

Related Terms

Related Articles

Contact Us for a Demo

Feel free to reach out to us for a demo!