Credit Card Testing: What You Need to Know

Learn what it is, how it looks, and the PayConex® tools available for mitigation

What Is Card Testing?

Fraudsters use card testing to determine whether stolen credit card information is valid. This information may have been purchased on the Dark Web from a data breach or could have been stolen directly by the fraudster using phishing, ransomware or other hacking methods.

Once they have the stolen information, they will attempt several small purchases on an Ecommerce page to see if the card is still active. They do this because cards are often stolen weeks or months prior and may have been deactivated by the cardholder or bank.

If the transaction is successful, they can then move on to use that card for bigger purchases on other websites or they can resell that card information to someone else.

What Does Card Testing Look Like?

Credit Card Testing
  • Transactions will usually be processed in rapid succession (bots can be used to facilitate this).
  • Timestamps will show many transactions per minute (often within seconds of each other).
  • Transactions are typically characterized by a small monetary amount.
  • There is an unusual spike in the number of declined transactions.
  • The cardholder naming and associated data (address, phone) is often nonsense or duplicates across multiple cards.

PayConex Mitigation Tools

Payment Page

Payment Page Security

Page Security

Several standard security elements can be enabled on your payment page. These include AVS (Address Verification Service), requiring the CVV of the card and requiring the zip code for purchase. Each will make it more difficult for fraudsters to perform card testing.


Enabling Google’s reCAPTCHA on your Hosted Payment Form (HPF) enhances online payment security by preventing a fraudster from submitting a payment form using automated bots or scripts. There are multiple types of reCAPTCHA tests available, from using a real-life image or a simple checkbox. This is a free service.

Transaction Monitoring

There are several transaction monitoring tools that you can set up, such as velocity limits and velocity controls. An example of a velocity control is blocking the same transaction amount or the same transaction type. This feature applies to Bluefin’s Ecommerce PayConex merchants that utilize the HPFs, Transparent Redirect or the PayConex API.

Transaction Monitoring

Card Testing Frequently Asked Questions

Why Should I Care about Card Testing?

For merchants, fraudulent credit or debit card transactions can occur quickly, resulting in significant damage to the merchant before the problem is identified.

Card testing is a small transaction that fraudsters hope will be accepted so they can test whether the stolen or bogus card information works with more significant purchases. Once the transaction is authorized, fraudsters will know if the card is working. They can then use the stolen information to make more expensive purchases or sell it on the black market.

Even if fraudsters’ credit cards are declined, they can still learn valuable information from the transaction that will enable them to commit future crimes. That’s because some merchants have their credit card processing settings configured to provide the user with specific information about why a transaction was declined.

If the message comes back that one component of your payment credentials doesn’t match (e.g., address), fraudsters will know what piece of info they need from you.

What are the Consequences of Card Testing?

Card testing can be extremely costly for merchants, resulting in thousands of dollars in unauthorized transactions and a shutdown of your processing account. Additional consequences include:

  • Customer disputes: Sometimes card testing is successful, resulting in a fraudulent card transaction. Customers can dispute these charges, which can result in chargebacks that cost a business time and money to resolve.
  • Increased decline rates: Card testing increases the ratio of declined credit card transactions, which increases risk for your customers, card issuers and card networks. Even after a business is able to stop card testing, decline rates can continue to affect legitimate transactions due to the surrounding suspicion of fraud and a lower trust in the merchant by the issuer.
  • Costs and reputational risk: Costs surrounding card testing include dispute fees, interchange fees, resolution fees and hours of work spent to resolve fraudulent charges. Additionally, there can be a reputational risk. Fraudulent purchases caused by card testing can damage relationships between businesses, processors, brands and customers, increasing risk, doubt and loss of business for all involved.

What Can I Do to Prevent or Mitigate Card Testing?

There are simple steps that your business can take to prevent and mitigate card testing. These include:

  • Enabling Google’s free reCAPTCHA service on your checkout
  • Enabling Address Verification (AVS) on your checkout
  • Requiring the card CVV and the customer’s zip code on your checkout
  • Setting up transaction monitoring tools, including velocity controls
  • Learning more about IP blocking and if it is right for you

Each of these tools can be set up through your PayConex account. If you do not use PayConex for your Ecommerce processing, please speak with your provider on their fraud management tools.

As good business practice, you should also put processes in place to:

  • Monitor transaction activity. Monitoring purchases made with multiple credit cards within a short time frame is one way to identify card testing. These purchases may be for the same account or dozens of different ones, and your company should have a procedure in place that flags such orders so they can be reviewed more thoroughly.
  • Monitor IP addresses. The majority of fraudulent card testing attempts originate from outside the United States, which is another possible indicator that a transaction is fraudulent – especially if a number of other signs are present at the same time. Merchants should also consider setting their payment gateway to block multiple orders from the same IP address within a short time frame.
  • Blacklist bad actors. If you suspect that a customer is card testing, blacklist them and prevent future purchases. Fraudsters tend to target the same merchants they have successfully victimized in the past. Therefore, if a merchant allows one fraudulent transaction to go through and then blocks the customer’s card, they are likely to try again with a different card or using a different IP address. The safest course of action is to blacklist bad actors so that they cannot successfully test any other cards.

What is reCAPTCHA?

reCAPTCHA protects websites from spam by ensuring that human users are caught in the act of filling out forms, not bots or other automated processes.

Did you know that a CAPTCHA is an abbreviation for “Completely Automated Public Turing test to tell Computers and Humans Apart?”

It is easy for humans to solve, but difficult for malicious software to figure out. By adding reCAPTCHA to a site, you can block automated bots from gaining access while letting legitimate users easily log in.

The reCAPTCHA API allows you to integrate the reCAPTCHA service into your website or application. It is available for free and does not require any registration.

What is AVS?

The Address Verification Service (AVS) is used to ensure that customers are not engaging in fraud when they pay by credit card over the phone or online.

AVS was initially designed for mail and catalog orders. However, it is now most commonly used by Ecommerce merchants to verify that the billing information provided by customers shopping on their websites is real.

An AVS check is a fraud prevention tool used by credit card processing companies to verify that the billing address provided by a customer is legitimate. It works by comparing the information on file for your credit card to the billing address provided by the customer. If there’s a discrepancy, AVS can trigger a decline and prevent fraud from taking place.

Because AVS can verify the card number’s validity, seeing a full match during order review provides basic assurance that a transaction is not fraudulent.

What is IP Blocking?

IP address blocking – also known as IP banning – is a network service configuration that blocks requests from certain hosts based on their IP addresses.

Mostly used to prevent spam bots, hackers and malicious threats from accessing your website, it can also be used to block specific users or IP addresses to and from a particular geographical area.

IP address blocking is a method by which specific or restricted IP addresses can be excluded from accessing a network. It is usually done to keep unwelcome or harmful sites and hosts from entering the server or node.

IP blocking is a common tool used by companies to prevent intrusion, grant remote access to company employees or restrict the kinds of websites that can be accessed by staff.

Schools and other academic institutions deploy IP address blocking to protect sensitive information from unauthorized access, as well as censor content.

Additional Resources

Protect your business from Holiday Fraud

Ecommerce Holiday Fraud: Blog

[Read More]

ACH account data protection

3D Secure (3DS) Tool for Fraud

[Read More]

Anti-Fraud Scoring

Anti-Fraud Management Platform

[Read More]