At 3:14 AM last Tuesday, a bot sent 1,247 different card numbers through a checkout form on a small Shopify store selling handmade candles. The store owner was asleep. The bot was methodical: one card per second, all with a $0.01 test amount, all from rotating IP addresses. By 3:35 AM, it had identified 312 valid cards. By the time the owner woke up to a Stripe email about "unusual activity," the fraudster had what they needed and moved on.

This is card testing fraud. It happens to merchants of every size, and most of them don't know about it until the damage is done.

What card testing actually is

Card testing (also called carding, BIN attack, or card cracking) is the process fraudsters use to validate stolen card numbers before using them for larger purchases. The logic is straightforward: stolen card databases contain millions of card numbers, but not all of them are still active. Rather than attempt a $500 purchase on a random card and risk getting flagged immediately, criminals test each card with a tiny, low-risk transaction first. The ones that succeed get promoted to the "working" list. The ones that decline get discarded.

Your checkout form is their testing ground.

How modern card testing works in 2026

Card testing has gotten significantly more sophisticated in recent years. Modern attacks don't look like a single IP hammering your checkout with 1,000 cards. They look like:

85% of Merchant Risk Council members have experienced card testing attacks
$28B projected global card-not-present fraud losses in 2026

Signs your checkout is being tested right now

Card testing attacks often go undetected for hours or days. Watch for:

The costs merchants don't think about

The obvious cost is the testing transactions themselves — you pay processing fees even on declined transactions. But the less obvious costs are often much larger:

How to defend against it

Rate limiting at the payment endpoint

The most basic defense: limit how many payment attempts any single IP address can make in a time window. Most bots won't bother trying to circumvent basic rate limiting if there are easier targets available.
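Here is what that defense looks like in code. This is an added example, not code from the original post or from any payment processor's SDK: a sliding-window limiter keyed by client IP, placed in front of the call to the processor so that attempts over the limit never become declines (or fees) on the merchant's statement. The limit of 5 attempts per 10 minutes, the IP address and the `charge` callable standing in for the processor call are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example; tune them to the store's
# real checkout volume before relying on them.
MAX_ATTEMPTS = 5       # payment attempts allowed per key ...
WINDOW_SECONDS = 600   # ... inside this sliding window (10 minutes)


class SlidingWindowLimiter:
    """Sliding-window rate limiter keyed by client IP (or any other key).

    A timestamp log is kept per key and entries older than the window are
    dropped on each check, so an attacker pacing attempts evenly (one card
    per second, as in the opening example) still hits the ceiling instead
    of slipping through a fixed-window reset.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                  # injectable for deterministic tests
        self.log = defaultdict(deque)

    def allow(self, key):
        """Record one attempt for `key`; return True if it is within policy."""
        now = self.clock()
        q = self.log[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False                    # over the limit: do not record
        q.append(now)
        return True


def handle_payment(limiter, client_ip, charge):
    """Gate a checkout submission before anything reaches the processor.

    `charge` is a callable standing in for the processor API call
    (hypothetical; replace with the real SDK call). It runs only when the
    limiter admits the request, so blocked attempts produce no decline and
    no processing fee on the merchant's statement.
    """
    if not limiter.allow(client_ip):
        return {"status": "rate_limited", "retry_after": limiter.window}
    return charge()


def simulate_bot(attempts=20, interval=1.0, max_attempts=MAX_ATTEMPTS,
                 window=WINDOW_SECONDS):
    """Constructed scenario: one IP submits `attempts` cards, `interval`
    seconds apart. Returns (admitted, blocked) counts."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(max_attempts, window,
                                   clock=lambda: fake_now[0])
    admitted = blocked = 0
    for _ in range(attempts):
        result = handle_payment(limiter, "198.51.100.23",
                                lambda: {"status": "sent_to_processor"})
        if result["status"] == "sent_to_processor":
            admitted += 1
        else:
            blocked += 1
        fake_now[0] += interval
    return admitted, blocked


if __name__ == "__main__":
    print("one card per second:", simulate_bot())              # (5, 15)
    print("one card every 200 s:", simulate_bot(interval=200))  # (20, 0)
```

With these settings the bot from the opening story gets five cards through and then nothing for the rest of the window; spreading attempts out to one every 200 seconds stays under the limit, which is the point of a rate limiter: it caps throughput rather than stopping the attack outright. Because the key is just a string, the same limiter can be keyed on a session or device fingerprint as well as the IP, which matters when the attacker rotates IP addresses as in the example at the top of the post.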

CAPTCHA on your payment form

Not a perfect solution — CAPTCHA solving services exist — but it raises the cost of running an automated attack significantly. Google reCAPTCHA v3 (invisible scoring) is less disruptive to real users than visible challenges.

Block suspicious patterns in advance

Multiple declined cards from the same email or device fingerprint, or many card attempts from the same IP in a short window, are strong signals. Most payment processors let you set rules to block or flag these patterns.

Pre-verification for high-risk scenarios

For fraud teams monitoring specific cards or account patterns, running a verification through CVV Checker before attempting a charge can confirm whether a card is active without generating a failed transaction on your processing statement. This is particularly useful when you suspect an account is being used for card testing and want to assess specific cards without triggering payment events.

What to do if you're actively under attack

  1. Enable temporary CAPTCHA on the payment form immediately
  2. Contact your payment processor — they can apply temporary blocks and help investigate
  3. Look at your declined transaction log to identify patterns (BIN ranges, IPs, email addresses)
  4. Block the identified patterns via your fraud rules
  5. Document everything — if you end up in a monitoring program, having records of the attack helps your case
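The pattern rules described under "Block suspicious patterns in advance" and steps 3 and 4 above can be worked through on a transaction export. The following is an added example, not code from the original post or from any processor's tooling: it reads a constructed CSV of one night's checkout attempts, counts attempts per IP and declines per email, device fingerprint and BIN inside a 15-minute sliding window, and turns every value over threshold into a (field, value) pair ready for a block rule. The log contents, the column names, the thresholds and the window length are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export of one night's checkout attempts (not real data).
# Note how the bot rotates IPs but keeps one email and one device fingerprint.
SAMPLE_LOG = """\
timestamp,ip,email,device_id,card_bin,amount,outcome
2026-03-03T03:14:02Z,198.51.100.10,bot@example.net,dev-7f3a,411111,0.01,declined
2026-03-03T03:14:03Z,198.51.100.10,bot@example.net,dev-7f3a,411111,0.01,declined
2026-03-03T03:14:04Z,198.51.100.11,bot@example.net,dev-7f3a,411111,0.01,approved
2026-03-03T03:14:05Z,198.51.100.11,bot@example.net,dev-7f3a,411111,0.01,declined
2026-03-03T03:14:06Z,198.51.100.12,bot@example.net,dev-7f3a,422222,0.01,declined
2026-03-03T03:14:07Z,198.51.100.12,bot@example.net,dev-7f3a,411111,0.01,declined
2026-03-03T03:14:08Z,198.51.100.10,bot@example.net,dev-7f3a,411111,0.01,declined
2026-03-03T09:41:10Z,203.0.113.55,jane@example.org,dev-0c21,555555,42.50,declined
2026-03-03T11:02:33Z,203.0.113.56,sam@example.org,dev-9e10,411111,18.00,approved
"""

# (field, threshold, what to count). Thresholds are assumptions for the
# example; tune them against a week of normal traffic before enforcing.
RULES = [
    ("ip",        3, "attempts"),   # many card attempts from one IP
    ("email",     4, "declines"),   # multiple declined cards, one email
    ("device_id", 4, "declines"),   # ... or one device fingerprint
    ("card_bin",  4, "declines"),   # a BIN range being walked
]
WINDOW = timedelta(minutes=15)


def peak_in_window(times, window):
    """Largest number of events falling inside any `window`-long span."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_testing_patterns(log_text, rules=RULES, window=WINDOW):
    """Return {field: {value: peak_count}} for every value over threshold."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    flagged = {}
    for field, threshold, scope in rules:
        per_value = defaultdict(list)
        for r in rows:
            if scope == "declines" and r["outcome"] != "declined":
                continue
            per_value[r[field]].append(r["ts"])
        hits = {}
        for value, times in per_value.items():
            peak = peak_in_window(times, window)
            if peak >= threshold:
                hits[value] = peak
        flagged[field] = hits
    return flagged


def to_block_rules(flagged):
    """Flatten findings into (field, value) pairs for the processor's rules."""
    return sorted((f, v) for f, hits in flagged.items() for v in hits)


if __name__ == "__main__":
    found = find_testing_patterns(SAMPLE_LOG)
    for field, hits in found.items():
        for value, peak in hits.items():
            print(f"{field}={value}: {peak} within {WINDOW}")
    print("block rules:", to_block_rules(found))
```

On this sample only one of the three rotating IPs crosses the per-IP threshold, while the shared email, the shared device fingerprint and the 411111 BIN are all flagged on the first pass. That is the practical reason to group the decline log by more than IP address: the dimensions the attacker does not bother to rotate are the ones that expose the whole run, and they are the ones worth writing block rules against. The legitimate decline from jane@example.org never reaches any threshold, which is the behaviour you want before turning these findings into live rules.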