At 3:14 AM last Tuesday, a bot sent 1,247 different card numbers through a checkout form on a small Shopify store selling handmade candles. The store owner was asleep. The bot was methodical: one card per second, all with a $0.01 test amount, all from rotating IP addresses. By 3:35 AM, it had identified 312 valid cards. By the time the owner woke up to a Stripe email about "unusual activity," the fraudster had what they needed and moved on.
This is card testing fraud. It happens to merchants of every size, and most of them don't know about it until the damage is done.
What card testing actually is
Card testing (OWASP's Automated Threat Handbook lists it as carding, OAT-001; the related BIN attack generates candidate numbers from a known issuer prefix, and card cracking, OAT-010, brute-forces a missing expiry date or CVV) is the process fraudsters use to validate stolen card numbers before using them for larger purchases. The logic is straightforward: stolen card databases contain millions of card numbers, but not all of them are still active. Rather than attempt a $500 purchase on a random card and risk getting flagged immediately, criminals test each card with a tiny, low-risk transaction first. The ones that succeed get promoted to the "working" list. The ones that decline get discarded.
Your checkout form is their testing ground.
How modern card testing works in 2026
Card testing has gotten significantly more sophisticated in recent years. Modern attacks don't look like a single IP hammering your checkout with 1,000 cards. They look like:
- Distributed bot networks — each card attempt comes from a different IP address, often through residential proxies that look like real users
- AI-paced testing — requests timed to mimic human browsing patterns, with randomized delays between attempts
- BIN-targeted attacks — attackers purchase specific BIN ranges from card databases and test systematically within those ranges
- Micro-donation exploitation — nonprofits and open-amount payment forms are frequent targets because there's no fixed product price to be suspicious about
Signs your checkout is being tested right now
Card testing attacks often go undetected for hours or days. Watch for:
- Surge in declined transactions — especially small amounts ($0.01, $1.00) with no corresponding increase in successful sales. Also watch $0 card-verification calls on "save a card" or subscription sign-up forms: those never show up as sales at all, so a spike there is easy to miss
- Multiple failures from the same email or shipping address with different card numbers
- Unusual traffic spikes on your payment page that don't correspond to traffic on the rest of the site
- Cards from many different issuing countries in a short time window — attackers test across BIN ranges from multiple countries
- A sudden wave of "early fraud warning" notifications from your processor (Stripe's name for the Visa TC40 and Mastercard SAFE fraud reports it forwards; PayPal sends equivalent alerts) — card owners noticing small unfamiliar charges and reporting them to their bank
The costs merchants don't think about
The obvious cost is the testing transactions themselves — many processors and gateways charge an authorization fee on every attempt, declined or not, so a night of 1,000 declines is billable. But the less obvious costs are often much larger:
- Degraded authorization rates. After a card testing attack, your merchant account is associated in issuers' and card networks' risk models with a high volume of declined transactions. This can cause your legitimate transactions to be scrutinized more heavily, reducing your approval rate for real customers.
- Compliance monitoring. Visa's VAMP program (Visa Acquirer Monitoring Program) cut its threshold to 1.5% in April 2026. The ratio counts both fraud reports and disputes, so merchants whose ratios spike due to testing-related chargebacks and fraud reports can end up in monitoring programs, which come with extra fees and potential account termination.
- Payment processor intervention. Too many failed transactions can trigger your processor to freeze your account while they investigate — meaning no payments at all until it's resolved.
How to defend against it
Rate limiting at the payment endpoint
The most basic defense: limit how many payment attempts any single IP address can make in a time window. Most bots won't bother trying to circumvent basic rate limiting if there are easier targets available. The caveat is the distributed attack described above: when every attempt arrives from a different residential proxy, a per-IP limit never fires. Key the limit on more than the IP — the device fingerprint, the customer email, the checkout session — and count declines as well as attempts, so that one actor rotating IPs still trips a threshold.
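The multi-key limiter described above, as an added example (this is illustrative code written for this page, not code from the article's author or from any processor). It assumes the checkout backend can hand the limiter a dict with `ip`, `device` (a browser fingerprint) and `email`; the limits, the attack traffic and the TEST-NET addresses are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

# Sliding-window limits per key: (max attempts, window in seconds).
# These numbers are assumptions for the example, not figures from the article;
# tune them against your own checkout traffic.
DEFAULT_LIMITS = {
    "ip": (5, 60),        # 5 attempts per source IP per minute
    "device": (3, 300),   # 3 attempts per device fingerprint per 5 minutes
    "email": (3, 300),    # 3 attempts per customer email per 5 minutes
}


class PaymentRateLimiter:
    """Sliding-window limiter keyed on several attributes of a payment attempt.

    A limit on IP alone is bypassed by a bot that rotates residential proxies;
    keying on device fingerprint and email as well ties the attempts together.
    """

    def __init__(self, limits=None, clock=time.monotonic):
        self.limits = dict(DEFAULT_LIMITS if limits is None else limits)
        self.clock = clock
        self._events = defaultdict(deque)  # (kind, key) -> attempt timestamps

    @staticmethod
    def _prune(q, window, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= window:
            q.popleft()

    def check(self, attempt, now=None):
        """Return (allowed, reason). The attempt is recorded only when allowed."""
        now = self.clock() if now is None else now
        touched = []
        for kind, (limit, window) in self.limits.items():
            key = attempt.get(kind)
            if not key:
                # Attribute unavailable (e.g. fingerprint not collected yet).
                # In production a missing fingerprint is itself a risk signal.
                continue
            q = self._events[(kind, key)]
            self._prune(q, window, now)
            if len(q) >= limit:
                return False, f"{kind} limit ({limit}/{window}s) hit for {key}"
            touched.append(q)
        for q in touched:
            q.append(now)
        return True, "ok"


def run(limiter, attempts):
    """Feed attempts one second apart; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for t, attempt in enumerate(attempts):
        ok, _ = limiter.check(attempt, now=float(t))
        allowed += ok
        blocked += not ok
    return allowed, blocked


# Constructed attack: ten cards, one per second, each from a different IP
# (TEST-NET addresses) but the same browser fingerprint and the same email.
DISTRIBUTED_ATTACK = [
    {"ip": f"203.0.113.{i}", "device": "fp-7c1e9a",
     "email": "buyer@example.com", "card_last4": f"{i:04d}"}
    for i in range(10)
]

# Constructed legitimate case: one shopper whose first card declines, then retries.
LEGIT_RETRY = [
    {"ip": "198.51.100.7", "device": "fp-b2d4", "email": "alice@example.net", "card_last4": "4242"},
    {"ip": "198.51.100.7", "device": "fp-b2d4", "email": "alice@example.net", "card_last4": "5555"},
]

if __name__ == "__main__":
    # Per-IP only: every attempt has a fresh IP, so nothing is blocked.
    print("IP-only limiter:", run(PaymentRateLimiter({"ip": (5, 60)}), DISTRIBUTED_ATTACK))
    # Multi-key: the shared device/email key trips after the third attempt.
    print("multi-key limiter:", run(PaymentRateLimiter(), DISTRIBUTED_ATTACK))
    # A real shopper retrying once is unaffected.
    print("legitimate retry:", run(PaymentRateLimiter(), LEGIT_RETRY))
```

Two design points: the attempt is recorded only after every key passes, so a blocked request does not inflate counters for the keys that were still under their limit; and the window is checked with the caller's clock so the logic is testable without sleeping. In production the `deque` store would live in Redis or similar so that every web node sees the same counters.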
CAPTCHA on your payment form
Not a perfect solution — CAPTCHA solving services exist — but it raises the cost of running an automated attack significantly. Google reCAPTCHA v3 (invisible scoring) is less disruptive to real users than visible challenges.
Block suspicious patterns in advance
Multiple declined cards from the same email or device fingerprint, or many card attempts from the same IP in a short window, are strong signals. Most payment processors let you set rules to block or flag these patterns; where the processor exposes a card fingerprint, key velocity rules on it rather than on the BIN, so one customer retrying the same card is not mistaken for a tester cycling through many. On open-amount forms (donations, "pay what you want"), enforce a minimum amount server-side so a $0.01 test is rejected before it ever reaches the processor.
Pre-verification for high-risk scenarios
For fraud teams monitoring specific cards or account patterns, running a verification through CVV Checker before attempting a charge can confirm whether a card is active without generating a failed transaction on your processing statement. This is particularly useful when you suspect an account is being used for card testing and want to assess specific cards without triggering payment events.
What to do if you're actively under attack
- Enable temporary CAPTCHA on the payment form immediately
- Contact your payment processor — they can apply temporary blocks and help investigate
- Look at your declined transaction log to identify patterns (BIN ranges, IPs, email addresses, decline codes, transaction amounts)
- Block the identified patterns via your fraud rules
- Document everything — if you end up in a monitoring program, having records of the attack helps your case
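The log review in the steps above, and the "block suspicious patterns" defense earlier, as an added example (written for this page; it is not the article author's tooling or any processor's API). It assumes a CSV export of payment attempts with the columns shown, which is a format chosen for the example; the log lines, thresholds and decline codes are constructed. It produces the numbers a practitioner would want in hand before calling the processor and a first cut at block rules.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed decline log for the example: eleven attempts from one night.
# Column names are assumptions; map your processor's export onto them.
SAMPLE_LOG = """\
ts,amount,outcome,ip,email,bin,last4,issuer_country,decline_code
2026-03-10T03:14:01Z,0.01,declined,203.0.113.10,mike77@example.com,411111,0001,US,do_not_honor
2026-03-10T03:14:02Z,0.01,succeeded,203.0.113.11,mike77@example.com,411111,0002,US,
2026-03-10T03:14:03Z,0.01,declined,203.0.113.12,mike77@example.com,411112,0003,GB,insufficient_funds
2026-03-10T03:14:04Z,0.01,declined,203.0.113.13,mike77@example.com,411112,0004,GB,do_not_honor
2026-03-10T03:14:05Z,0.01,declined,203.0.113.14,mike77@example.com,540000,0005,DE,incorrect_cvc
2026-03-10T03:14:06Z,0.01,succeeded,203.0.113.15,mike77@example.com,540000,0006,DE,
2026-03-10T03:14:07Z,0.01,declined,203.0.113.16,mike77@example.com,540001,0007,BR,do_not_honor
2026-03-10T03:14:08Z,0.01,declined,203.0.113.17,mike77@example.com,540001,0008,BR,stolen_card
2026-03-10T03:20:15Z,38.00,succeeded,198.51.100.7,alice@example.net,424242,4242,US,
2026-03-10T03:22:40Z,12.50,declined,198.51.100.9,bob@example.org,510510,5100,CA,insufficient_funds
2026-03-10T03:25:03Z,12.50,succeeded,198.51.100.9,bob@example.org,510510,5100,CA,
"""

# Thresholds are assumptions for the example; tune them to your own volumes.
MICRO_AMOUNT = 1.00          # amounts at or below this look like test charges
EMAIL_ATTEMPTS = 5           # attempts from one email that warrant a look...
EMAIL_DISTINCT_CARDS = 3     # ...when spread over at least this many cards
BIN_DECLINES_TO_BLOCK = 2    # declines within flagged traffic before a BIN rule


def parse_log(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        r["amount"] = float(r["amount"])
        # BIN + last4 stands in for a card identity here; prefer your
        # processor's card fingerprint when the export carries one.
        r["card"] = r["bin"] + "******" + r["last4"]
        rows.append(r)
    return rows


def triage(rows):
    """Score the log for card-testing patterns and propose block rules."""
    declines = [r for r in rows if r["outcome"] == "declined"]
    per_minute = Counter(r["ts"].replace(second=0) for r in rows)

    by_email = defaultdict(list)
    for r in rows:
        by_email[r["email"]].append(r)

    # An email cycling through many different cards is the tester, not a
    # shopper retrying the same card after an insufficient-funds decline.
    flagged = sorted(
        email for email, rs in by_email.items()
        if len(rs) >= EMAIL_ATTEMPTS
        and len({r["card"] for r in rs}) >= EMAIL_DISTINCT_CARDS
    )
    suspect = [r for email in flagged for r in by_email[email]]
    bin_declines = Counter(r["bin"] for r in suspect if r["outcome"] == "declined")

    return {
        "attempts": len(rows),
        "declines": len(declines),
        "decline_rate": round(len(declines) / len(rows), 2) if rows else 0.0,
        "micro_declines": sum(r["amount"] <= MICRO_AMOUNT for r in declines),
        "peak_attempts_per_minute": max(per_minute.values(), default=0),
        "issuer_countries": sorted({r["issuer_country"] for r in rows}),
        "flagged_emails": flagged,
        "block": {
            "emails": flagged,
            # Proxy IPs rotate, so an IP list is a short-lived rule at best.
            "ips": sorted({r["ip"] for r in suspect}),
            # A BIN rule also blocks that issuer's honest customers; keep it
            # temporary and lift it once the attack stops.
            "bins": sorted(b for b, n in bin_declines.items()
                           if n >= BIN_DECLINES_TO_BLOCK),
        },
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report is the "document everything" artifact: attempt and decline counts, the share of declines at test amounts, the peak per-minute burst, the spread of issuing countries and the exact emails, IPs and BINs behind it. Send it to the processor as-is; the block rules are a starting point, and the IP and BIN entries in particular should expire rather than stay in place.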