Card testing is when fraudsters validate stolen card details (e.g., card numbers, expiry dates, and CVCs) by running small transactions through payment systems to confirm the card is active.
This kind of fraud uses legitimate transaction processes to prevent detection. Fraudulent actors often target websites known for processing a high volume of low-value transactions because those are less likely to trigger alerts. Once a card passes this initial “testing” phase and is deemed active and unblocked, its value to the fraudulent actor drastically increases. They might then use the card themselves to make more substantial purchases, or they might sell the card details on the black market.
Card fraud is accelerating—and card testing is one of its most common entry points. In the first three quarters of 2025 alone, more than 500,000 cases of credit card fraud were reported to the Federal Trade Commission—that’s nearly 180,000 more than the same period in 2024. Global card fraud losses are expected to reach $41.06 billion by 2030. The digital nature of these transactions also means they can be conducted from anywhere, complicating law enforcement efforts and increasing the challenge for businesses and financial institutions trying to protect their customers’ financial information.
Below, we’ll explain what businesses need to know about this type of fraud and how to protect themselves against it.
What’s in this article?
- What is card testing?
- How does card testing fraud work?
- How card testing fraud affects businesses and customers
- Signs of card testing fraud attacks
- What does Stripe watch for?
- How to protect your business against card testing fraud
- How to respond to card testing fraud attacks
- How Stripe Radar can help
What is card testing?
Card testing is when bad actors attempt to validate stolen card details—such as card numbers, expiry dates, or CVCs—by using them on payment systems that lack proper verification controls. If a charge goes through (or even if it's declined with a specific reason code), they know the card is real.
How does card testing fraud work?
Card testing fraud operates through a relatively simple process. There are two main ways card testing fraud is conducted:
Manual testing: A fraudulent actor tries card details by hand, adjusting based on decline codes. It’s low volume, low impact, but still a signal.
Enumeration: More sophisticated bad actors use automated scripts and bots to identify many credit cards at once. This is especially dangerous.
Fraudulent actors get stolen card numbers, test them to make sure they work, and then use them. Here’s more detail about how this unfolds:
Fraudulent actors acquire stolen card numbers: Bad actors acquire stolen credit card numbers sourced from data breaches, phishing scams, or dark web marketplaces.
They run low-value test transactions: The testing phase involves making small-value transactions on websites. Bad actors often target platforms known for microtransactions (e.g., digital services or charitable donation pages) where fraud detection is less stringent.
They confirm which cards are active: The key for fraudulent actors is to confirm the credit card is active and not yet reported as stolen, and approved transactions signal that. On websites where additional information such as billing addresses is not strictly verified, this process becomes easier.
They use or sell verified cards: Once a card is verified, it becomes more valuable on the black market. The fraudulent actor can now confidently use it for larger, unauthorized purchases or sell the card details to others.
Card testing is typically a leading indicator of a broader fraud attack, but the actual fraudulent activity may not occur or be detected until months later, and often at a completely different merchant. This makes it especially difficult to trace.
How card testing fraud affects businesses and customers
Card testing poses a range of challenges for businesses. Here’s where the damage is most often experienced:
Impact on businesses
Financial losses: Businesses absorb chargeback costs when customers dispute unauthorized charges.
Increased operational costs: Maintaining fraud detection systems and dealing with fraud’s aftermath involve additional expenses.
Reputational damage: Repeated incidents erode customer trust and can reduce sales.
Increased scrutiny from card issuers and processors: High fraud levels can lead to increased scrutiny and sanctions from credit card issuers and processors, higher processing fees or, in extreme cases, loss of the ability to process credit card payments.
Impact on customers
Financial inconvenience: Victims of card testing fraud face the hassle of disputing charges and getting new cards issued. Though customers are typically not liable for fraudulent charges, resolving these issues can be time-consuming.
Privacy concerns: The realization that one’s card details have been stolen and misused can cause anxiety about privacy and security.
Potential for greater financial harm: Though card testing involves small amounts, it can be a precursor to larger unauthorized transactions that could affect a customer’s credit score. Once card details are verified as active, they can be used for more substantial fraud or sold on the black market.
Signs of card testing fraud attacks
Recognizing and responding to card testing attacks is important for businesses to protect themselves and their customers. Being aware of the signs and implementing effective monitoring systems are key steps in this process. Here are some indicators your business might have been affected by this type of attack:
Multiple small transactions: A series of small-value transactions, often in quick succession, can be a strong indicator of card testing. These are typically amounts low enough to avoid detection. Stripe monitors for verification charges like these.
Use of multiple cards: Multiple attempts to use different card numbers from the same IP address or device are a red flag. It suggests someone is testing a batch of card numbers.
Failed transactions: A high number of declined transactions can also signal card testing because fraudulent actors often use invalid or expired card numbers. Stripe monitors for high decline rates on merchants with no prior Stripe history. Stripe also watches for declines due to incorrect expiry dates or unrecognized primary account numbers (PAN) that don’t occur at the end of a monthly billing cycle when these declines are more typical. These factors suggest a bad actor is cycling through combinations.
Inconsistent billing information: Transactions in which the billing information provided does not match card details can indicate fraudulent activity.
Early detection depends on knowing what to look for, and acting quickly when signals appear.
What does Stripe watch for?
Stripe uses a range of signals to identify occurrences of card testing. Here are some of the critical indicators we monitor:
Surge in declines: Fraudulent actors validating cards frequently enter incorrect information, leading to a rise in declined authorizations. Certain specific decline reasons usually indicate a card testing attack:
- No card record: While attempting to identify card details, bad actors may input card details that are not assigned to any cardholder but are linked to a bank identification number (BIN) and available in our system. Users are not able to see this information as the cards aren't linked to them. The onset of declines on these cards can suggest ongoing card testing.
- Incorrect expiry date: More often, fraudulent actors lack precise details like expiry dates and CVC, leading them to try various combinations. These declines indicate the bad actor has identified a valid PAN—and they know this based on the decline reason.
- No card record: While attempting to identify card details, bad actors may input card details that are not assigned to any cardholder but are linked to a bank identification number (BIN) and available in our system. Users are not able to see this information as the cards aren't linked to them. The onset of declines on these cards can suggest ongoing card testing.
Spike in account verifications: Account verification is a process through which businesses confirm that the credit card being used for a transaction is valid. During this process, a small, often temporary, “verification charge” is made to ensure the card is active and has an available balance. A sudden spike in account verifications can be indicative of card testing.
Authorizations and declines across new acquiring merchants: We monitor activity across acquiring merchants that have not been seen across Stripe in the past. If we see a new merchant with a very high volume of declines due to expiry date mismatch or cards that do not exist, we take action to prevent good businesses from being exploited, and bad businesses from committing fraud.
How to protect your business against card testing fraud
Protecting your business against card testing attacks involves a blend of effective security measures, advanced tools, best practices in payment processing, and making sure your staff is aware of how to respond to card testing when they recognize signs of it. These strategies are designed to identify and mitigate the risk of fraudulent activities while allowing for a smooth experience for legitimate customers.
Effective security measures and tools
Address Verification Service (AVS): AVS compares the billing address provided by the user with the one on file with the credit card company. Inconsistencies can flag potential fraud.
CVV verification: Requiring the CVV for transactions helps make sure the person making the purchase has physical access to the card, reducing the risk of fraudulent use of card numbers obtained online.
Setting transaction limits: Establish limits for the number of transactions or total dollar amount allowed per card within a certain time frame to prevent multiple fraudulent attempts. Block transactions in countries where you don’t expect your users to interact and transactions within categories your users aren’t expected to use, such as digital goods or ad platforms. If a card is compromised, immediately cancel or freeze it using the Cards API or Tokens API.
Installing advanced fraud detection tools: Invest in tools that use machine learning (ML) and artificial intelligence to analyze transaction patterns and flag anomalies indicative of card testing.
Multifactor Authentication (MFA): For transactions that appear suspicious, implementing an additional layer of authentication can deter fraudulent actors.
Best practices in payment processing
Monitor spikes in declines and low-dollar approvals: Watch for declines that occur due to an incorrect expiry date or CVC at unexpected points in the month or billing cycle. Increases in these types of declines are typical at the end of the month for cards associated with subscriptions, but they raise flags if they occur at other points. Often, fraudsters will follow a decline spike with an increase in low-dollar transaction approvals.
Watch for spending pattern changes: High-dollar purchases, sudden spending in foreign countries, and multiple purchases at one merchant within seconds are worth investigating.
How to respond to card testing fraud attacks
When card testing fraud is detected, act fast.
Steps to take when card testing fraud is detected
Freeze suspicious transactions immediately: As soon as card testing is suspected, review the transactions in question. Freeze any ongoing transactions related to the suspected fraud to prevent further unauthorized activity.
Apply enhanced verification to borderline transactions: If some transactions raise suspicion but aren’t conclusively fraudulent, implement enhanced verification processes. This might include contacting the customer for confirmation or requiring additional authentication.
Analyze the scope of the attack : Conduct a thorough analysis of the transaction patterns to learn the scope and method of the attack. This helps in identifying the source and potential weaknesses in the system.
Tighten your fraud detection parameters: Based on the analysis, adjust your fraud detection parameters to be more sensitive to the kind of activity observed during the incident. This could involve tightening transaction limits or modifying alert triggers.
Reporting procedures and recovery actions for affected businesses
Notify your financial partners: Immediately inform your financial partners, including banks and card processors, about the incident. They can help monitor for further suspicious activity and take necessary actions on their end.
Report large-scale incidents to law enforcement: In cases of large-scale fraud, reporting to law enforcement is advisable. Authorities can initiate an investigation and work toward apprehending the perpetrators.
Bring in cybersecurity expertise if needed: If the attack is sophisticated or if there are concerns about system vulnerabilities, engaging with cybersecurity experts can help identify how the attack happened and how to prevent incidents.
Communicate with affected customers promptly: Communicate with affected customers transparently. Inform them about the incident, and advise them on steps they should take, such as monitoring their credit reports or replacing their cards. Keep them up to date on security measures and encourage them to report any suspicious activity related to their transactions.
Review and strengthen your defenses after the incident: After the incident, conduct a comprehensive review of your security measures. Strengthening your defenses might involve updating software, revising protocols, or training staff on new security practices.
Document what happened and adapt: Use the incident as a learning opportunity. Analyze what happened, what was effective in your response, and where improvements are needed. Adapt your strategies accordingly to better prepare for threats.
Learn more about how Stripe helps protect businesses against card testing fraud.
How Stripe Radar can help
Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.
Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.
Radar can help your business:
Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to help detect and prevent fraud, saving you money.
Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.
Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.
Learn more about Stripe Radar, or get started today.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accurateness, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent attorney or accountant licensed to practice in your jurisdiction for advice on your particular situation.