How to detect and prevent credit card fraud attacks on your business

What is card testing?

Card testing is a form of cybercrime activity in which criminals test stolen debit or credit card details on e-commerce websites to find out if they’re valid. It’s also known as “carding”, “account testing”, and “card checking.”

Card testing is common across e-commerce and m-commerce (where customers use mobile or tablet devices) businesses. Card testing may involve small dollar amounts at first, but once a valid card is identified, fraudsters will use it to make larger purchases themselves or sell the details to other criminals.

How does card testing work?

Fraudsters can test card numbers in a number of ways. Attackers target websites with basic validation processes, trying many card numbers in succession until they find one that works.

A common form of testing we see is enumeration testing, or brute force attacks. This is where fraudsters submit card authorisation attempts that concentrate on a single Bank Identification Number (BIN) or multiple BINs. They try various combinations of payment values (e.g. account number, expiry date, CVV number, and postcode) until the right combination of values is approved.

Alternatively, they could just complete a payment. Either way, if a transaction is approved, the account is open and the card hasn’t been reported stolen.

Fraudulent transaction attempts could be made manually, but typically, card testing methods use automated programs — or bots — to submit multiple orders across many websites at once. Often a small and apparently manual attack may indicate that a bot is being developed to attack your website at a later date.

Bots are much faster than manual testing methods and can do more damage due to the volumes they can achieve. However, the good news is they can be easier to detect using fraud detection software programs.

How is card testing detected?

There are a number of trends that may indicate card testers are at work. Here are some patterns to look out for:


  • A large number of low value transactions over a short time period (especially if this is different to your usual selling pattern).

  • A higher than usual number of declined transactions (especially during a short time period).

  • A large number of chargebacks due to the cardholder disputing the payment.

  • Multiple purchases from the same IP address.

  • Multiple purchases using the same bank identification number (BIN) (the first 6 digits of the card number).
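
The patterns above can be checked over a transaction log with sliding-window counters. This is an added example, not Ezidebit's monitoring code; the record layout, window, thresholds and sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                     # assumed look-back window
THRESHOLDS = {"declines_per_ip": 3,                # assumed alert thresholds
              "declines_per_bin": 4,
              "low_value_per_ip": 4}
LOW_VALUE = 2.00                                   # assumed "low value" cut-off

def at(seconds):
    """Timestamp helper for the constructed sample below."""
    return datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=seconds)

# Constructed sample: (time, client IP, BIN = first 6 card digits, amount, approved)
SAMPLE = [
    (at(0),   "203.0.113.7",  "411111", 1.00,   False),
    (at(20),  "203.0.113.7",  "411111", 1.00,   False),
    (at(40),  "203.0.113.7",  "411111", 1.00,   False),
    (at(60),  "203.0.113.7",  "411111", 1.00,   True),
    (at(90),  "192.0.2.10",   "400000", 59.90,  True),
    (at(100), "198.51.100.1", "555555", 25.00,  False),
    (at(130), "198.51.100.2", "555555", 25.00,  False),
    (at(160), "198.51.100.3", "555555", 25.00,  False),
    (at(190), "198.51.100.4", "555555", 25.00,  False),
    (at(900), "192.0.2.11",   "520000", 120.00, False),
]

def detect_card_testing(transactions):
    """Return sorted (signal, key) pairs that crossed a threshold within WINDOW."""
    recent = defaultdict(deque)    # (signal, key) -> timestamps still in window
    alerts = set()
    for ts, ip, bin6, amount, approved in sorted(transactions, key=lambda t: t[0]):
        hits = []
        if not approved:
            hits += [("declines_per_ip", ip), ("declines_per_bin", bin6)]
        if amount <= LOW_VALUE:
            hits.append(("low_value_per_ip", ip))
        for hit in hits:
            seen = recent[hit]
            seen.append(ts)
            while ts - seen[0] > WINDOW:       # drop events older than the window
                seen.popleft()
            if len(seen) >= THRESHOLDS[hit[0]]:
                alerts.add(hit)
    return sorted(alerts)

if __name__ == "__main__":
    for signal, key in detect_card_testing(SAMPLE):
        print(signal, key)
```

Counting by BIN as well as by IP address matters because attempts spread across many addresses still concentrate on the same BIN, as the `555555` rows in the sample show.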

Impacts of card testing

As card testing involves relatively small amounts of money, it may be tempting not to worry about its impact on your business. However, if allowed to continue, there can be some serious consequences. 


Firstly, once a fraudster has found a card that works, it can be used to make larger purchases - either with your business or elsewhere - costing money and weakening consumer confidence.


An increase in disputes and chargebacks will cost you time and money to sort out and may involve additional dispute fees. 


The higher number of declined payments reduces customer confidence in your business and can also increase your risk profile from a card issuer perspective. Having a higher risk profile can result in higher fees for your business. These can include card scheme fines and loss of merchant facilities, higher costs, and damage to your business reputation. This can impact genuine payments long after card testing has stopped.


Due to the heavier load on the payment network, card testing can not only provide a negative experience for your customers, but also damage the payments system as a whole. Additionally, having a system that easily allows card testing may encourage fraudsters to attempt more serious attacks on your business. 

What can you do to protect yourself?

The best way to prevent automated card testing scripts is to install a CAPTCHA tool on your website as a requirement for each payment attempt.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) observes website behaviour to distinguish between humans and bots and, if unsure, poses a challenge for the customer to complete.

A popular CAPTCHA tool is Google's reCAPTCHA.

A honeypot is an additional technique that may help prevent testing. It adds an invisible field to your business's payment form that humans can’t see but that will be picked up by automated scripts. If the automated script fills in that field, your website will not process the payment.


Other security precautions you can take include:


  • Set up a firewall with a botnet prevention feature to improve your network security and better monitor traffic on your site.

  • Request card security (CVV) codes that fraudsters are less likely to have access to.

  • Monitor IP addresses to check locations match billing/shipping addresses and to pick up multiple card attempts. You can also block any fraudulent IP address, directly stopping them from accessing your website.

  • Limit the number of transaction attempts to prevent fraudsters from guessing different account details.

  • Don’t allow guest checkout so you can better verify genuine cardholders and discourage fraudsters.

  • Encourage shoppers to call and discuss reasons for a transaction decline, rather than providing the reason up front.

  • Set minimum limits for credit card transactions.
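
Several of these precautions (the honeypot field, limiting transaction attempts, a minimum amount, and not giving the decline reason up front) can be combined in one server-side check that runs before a payment is sent for authorisation. This is an added example, not Ezidebit's code; the field name `company_website`, the limits and the message wording are assumptions.

```python
import time
from collections import defaultdict, deque
from decimal import Decimal, InvalidOperation

HONEYPOT_FIELD = "company_website"   # hypothetical hidden form field
MIN_AMOUNT = Decimal("5.00")         # assumed minimum card payment
MAX_ATTEMPTS = 5                     # assumed attempts allowed per window
WINDOW_SECONDS = 600                 # assumed window length
GENERIC_DECLINE = "We couldn't process this payment. Please call us to discuss."

class PaymentGate:
    """Pre-authorisation checks run before a form is sent to the payment gateway."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._attempts = defaultdict(deque)   # client IP -> attempt timestamps

    def check(self, client_ip, form):
        """Return None to proceed, or an internal reason code (for logs only)."""
        now = self._clock()
        attempts = self._attempts[client_ip]
        while attempts and now - attempts[0] >= WINDOW_SECONDS:
            attempts.popleft()
        attempts.append(now)              # every attempt counts, blocked or not
        if form.get(HONEYPOT_FIELD, "").strip():
            return "honeypot_filled"      # humans never see this field
        if len(attempts) > MAX_ATTEMPTS:
            return "too_many_attempts"
        try:
            amount = Decimal(form.get("amount", ""))
        except InvalidOperation:
            return "invalid_amount"
        if not amount.is_finite() or amount < MIN_AMOUNT:
            return "below_minimum"
        return None

def customer_message(reason):
    """Show the same wording for every refusal so a script learns nothing."""
    return None if reason is None else GENERIC_DECLINE
```

The reason code belongs in your logs, where it feeds the monitoring described earlier; the customer only ever sees the generic message.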

How do we help?

Prevention is better than the cure. Our fraud monitoring tools alert us if card testing is attempted on Ezidebit accounts. Typically, we find that unless preventative measures are implemented quickly, testing will reoccur. Therefore, we would usually notify you that this is happening and provide advice on how to prevent it. If we detect further testing on the account, we will suspend payments to protect you from additional testing until preventative measures are in place.

One way we can help you provide a safe and secure checkout experience is with our Merchant Trust Initiative (MTI). MTI is designed to help you meet your responsibilities and obligations when handling and managing cardholder data. It gives you the tools you need to improve security within your business and enables you to meet compulsory Payment Card Industry Data Security Standard (PCI DSS) requirements. 


Want to know more about how we can help reduce fraudulent transactions and streamline your checkout experience? Talk to our team of experts today.
