Why do fraudsters test cards instead of just using them?

Testing validates which stolen cards are still active before committing larger fraud. Fraudsters buy card lists where many cards are already canceled or expired. Testing identifies valid cards worth using or selling. Small test transactions attract less attention than large purchases that might trigger fraud alerts immediately.

How can I tell if a transaction is card testing?

Card testing shows specific patterns: multiple transactions for small amounts (often $1 or less), many declined transactions followed by successful ones, rapid sequential transactions from the same IP, transactions using similar card numbers, purchases from suspicious IP addresses like data centers or known fraud sources.

Should I accept $1 authorization holds?

Authorization holds are legitimate for subscription services and account verification. However, monitor patterns carefully. Multiple $1 authorizations from the same IP or in rapid succession indicate testing. Use IP Risk Score to evaluate whether authorization requests come from legitimate users or fraudsters testing cards.

Payment Fraud

What is Card Testing & How to Prevent It?

7 min read Last updated: Dec 2025

Definition

Card testing (also called card validation or card verification fraud) is a technique where criminals test stolen credit card numbers by making small purchases or authorization attempts to verify the cards are still valid before using them for larger fraudulent transactions. These tests help fraudsters identify which stolen cards are worth using or selling.

How Card Testing Works

Fraudsters obtain stolen credit card numbers from data breaches, dark web marketplaces, or phishing attacks. These card databases often contain thousands or millions of card numbers, but many are already canceled, expired, or reported stolen. IP Risk Score helps merchants detect card testing attempts by identifying suspicious transaction patterns and connections from known fraud infrastructure.

To determine which cards still work, fraudsters make small test transactions—typically $1 or less, or simply authorization holds that never complete. They target merchants with automated checkout systems and minimal fraud detection. E-commerce sites, donation platforms, and subscription services become common testing grounds.

The Testing Process

Attackers use automated tools to rapidly test multiple card numbers. A bot might attempt dozens or hundreds of transactions in minutes, trying each stolen card against your payment system. Successful authorizations indicate valid cards. Failed transactions get discarded.

The automation is critical. Manually testing thousands of cards would be impossible. Bots can run 24/7, testing cards across multiple merchants simultaneously. They rotate IP addresses to avoid detection and use proxy services to appear as legitimate traffic.

Why Fraudsters Test Cards

Testing validates inventory before larger fraud. A fraudster with 10,000 stolen card numbers might find only 1,000 still work. Those validated cards get used for high-value fraud or sold on dark web markets at premium prices. Valid cards command higher prices than untested ones.

Small test amounts avoid immediate fraud alerts. A $1 charge rarely triggers bank fraud systems or customer attention. Cardholders might not even notice small charges on their statements. By the time anyone investigates, fraudsters have already used or sold the validated cards.

You're Not the Target—You're the Tool

Merchants suffering card testing attacks aren't the fraud victims—cardholders and banks are. But you bear the costs: processing fees for failed transactions, chargebacks from angry customers, payment processor penalties, and potentially losing your merchant account if testing volumes get too high.

Detecting Card Testing

Transaction Volume Spikes

Card testing generates abnormal transaction volumes. Your checkout suddenly processes dozens or hundreds of attempts in minutes. Most legitimate stores don't see this velocity except during major sales or launches.

High Decline Rates

Failed transaction rates spike dramatically during testing. Fraudsters test many invalid cards for every valid one. Your approval rate might drop from 90% to 20% during active attacks. Hundreds of declined transactions in short periods indicate testing.

Small Dollar Amounts

Multiple transactions for $1, $0.50, or similar tiny amounts suggest testing. Some fraudsters use authorization-only attempts that never settle. Look for patterns of small-value transactions especially when combined with high decline rates.

Sequential Card Numbers

Stolen card databases sometimes contain sequential or patterned card numbers from the same breach. You might see multiple transactions where card numbers differ by only a few digits. This pattern indicates systematic testing.

IP Address Patterns

IP Risk Score identifies suspicious transaction sources. Card testing often originates from data centers, VPN services, or proxy networks rather than residential IPs. Multiple transactions from the same IP address or IP range in rapid succession indicate automated testing.

Geographic patterns also reveal testing. Transactions suddenly come from countries where you have few legitimate customers. Or you see rapid sequential attempts from IPs across different countries—impossible for real shoppers but typical of bot networks.

Same Billing Information

Fraudsters often use the same billing address, email, or phone number across multiple card tests. They're not trying to hide their identity during testing—they just want to validate cards quickly. Watch for multiple different card numbers using identical customer information.

Preventing Card Testing

IP Risk Scoring

IP Risk Score evaluates every transaction in real-time. High-risk IP addresses—data centers, proxies, VPNs, or IPs with fraud history—get blocked or challenged before processing payments. This stops automated testing bots before they can validate cards.

Risk scoring adapts to patterns. A single transaction from a VPN might be legitimate travel. Ten transactions in five minutes from rotating VPN IPs indicates testing. Contextual analysis catches patterns that simple rules miss.

Rate Limiting

Limit transaction attempts per IP address, email, or billing address. Allow 3-5 failed payment attempts before temporarily blocking further attempts. This slows automated testing while having minimal impact on legitimate customers who occasionally mistype card numbers.

CAPTCHA for Suspicious Checkout

Deploy CAPTCHA challenges for checkouts from suspicious IPs or after failed payment attempts. Automated testing bots can't easily solve CAPTCHAs. Legitimate customers can complete the challenge and proceed normally.

CVV and AVS Verification

Require CVV (card security code) and enforce AVS (Address Verification System) for all transactions. Stolen card databases often lack CVV codes. AVS mismatches indicate fraudulent use. These basic checks stop many testing attempts.

Minimum Transaction Amounts

Set minimum purchase amounts if your business model allows it. A $5 or $10 minimum makes your site less attractive for card testing since fraudsters prefer testing with $1 charges. This won't work for all merchants but can effectively deter testing when applicable.

Monitor and Alert

Implement real-time monitoring for card testing patterns. Alert systems should trigger when decline rates spike, transaction volumes surge, or multiple small-value attempts occur. Quick detection enables rapid response before massive volumes accumulate.

IP Blocklist

IP Blocklist proactively blocks known fraud sources before they can attempt testing. As testing operations get identified, their IP addresses and infrastructure get added to blocklists. This prevents repeat attacks from the same sources.

🛡️ Stop Card Testing with IP Intelligence

Fraudlogix IP Risk Score detects card testing attacks by identifying suspicious transaction sources, bot activity, rapid transaction patterns, and connections from known fraud infrastructure. IP Blocklist proactively blocks testing operations before they can validate stolen cards. Protect your checkout from automated card validation fraud.

Explore IP Risk Score

Work with Payment Processors

Your payment processor has fraud tools and data you don't. They see patterns across many merchants. Many offer card testing detection services, velocity rules, or real-time blocking. Leverage their expertise and tools to supplement your own defenses.

Block Known Testing Patterns

Create rules that automatically decline transactions matching common testing patterns. Multiple sequential failures from the same IP. Transactions for exactly $1.00. Same billing information with different card numbers. These rules catch obvious testing without impacting legitimate customers.

Balance Security and Experience

Aggressive fraud prevention can frustrate legitimate customers. Use risk-based approaches that scrutinize suspicious transactions while allowing trusted customers to checkout smoothly. Don't CAPTCHA everyone just because of one testing attack.

Business Impact

Processing Fees

Every failed transaction costs money. Payment processors charge fees even for declined attempts. A major testing attack with thousands of failed transactions can cost hundreds or thousands of dollars in fees alone, with zero revenue to offset those costs.

Chargebacks

Successful test transactions lead to chargebacks. Cardholders notice unauthorized charges and dispute them. Each chargeback costs $20-$100 in fees, plus you lose the transaction amount. High chargeback rates can result in fines or losing your merchant account.

Merchant Account Risk

Payment processors monitor fraud and chargeback rates. Excessive card testing can push you over acceptable thresholds. Processors may place your account under review, impose higher fees, withhold funds, or terminate your merchant account entirely.

Infrastructure Costs

Massive testing attacks strain your infrastructure. Payment API calls, database queries, and server resources all get consumed processing thousands of fraudulent attempts. This can degrade performance for legitimate customers or require infrastructure upgrades.

Operational Burden

Card testing creates work. Your team investigates suspicious activity, reviews transactions, handles chargebacks, and communicates with payment processors. This operational overhead diverts resources from productive activities.

Frequently Asked Questions

Act immediately: Contact your payment processor to alert them and discuss emergency measures. Implement rate limiting or temporarily require CAPTCHA for all checkouts. Block IP addresses showing testing patterns. If possible, temporarily disable guest checkout to force account creation. Monitor decline rates and adjust blocks as needed. Document everything for your payment processor.

Yes. Card testing exploits legitimate checkout processes—fraudsters use your payment system exactly as designed. Strong security reduces success rates and detects attacks faster, but determined fraudsters can still attempt testing. The goal is detection and prevention, not making attacks impossible. Layered defenses catch what individual measures miss.

Proactively refunding obvious test transactions can reduce chargebacks. If you identify clear testing patterns—$1 transactions from suspicious IPs with high decline rates—refund them immediately. This prevents chargebacks and shows good faith to payment processors. However, don't refund legitimate-looking transactions without investigation.