Card testing

Card testing is a type of fraudulent activity where someone tries to determine whether stolen card information is valid so that they can use it to make purchases. A fraudster may do this by purchasing stolen credit card information, and then attempting to validate or make purchases with those cards to determine which cards are still valid. Other common terms for card testing are “carding”, “account testing”, and “card checking.”

Fraudulent activity such as card testing is an unavoidable part of online commerce. Card testing, however, has consequences for the entire payments ecosystem, so merchants, card networks, and payment partners like Stripe share responsibility to prevent it. Stripe is constantly improving tools and systems to detect and reduce fraud, but you must remain vigilant with respect to fraud.

How card testing works

Card testers use both authorizations and payments to determine whether the stolen or generated card information they have is valid or not.

  • Authorizations—Card testers favor authorizations because they don’t typically show up on cardholder statements, which makes it less likely that the cardholder will notice or report the fraudulent activity.
  • Payments—Card testers prefer smaller payments, which are less likely to be noticed by cardholders and reported as fraudulent. This makes donation pages and businesses that facilitate small-value purchases ideal targets for card testers.

Consequences

Card testing has many negative outcomes, some of which get worse over time as card testing continues:

  • Disputes—Many types of card testing involve payments, some of which succeed. Customers notice successful payments and report them as fraud, which will result in disputes that cost you time and money.
  • Higher decline rates—Card testing usually causes a large number of declines to be associated with your business. A high decline rate damages the reputation of your business with card issuers and card networks, which makes all of your transactions appear riskier. This can result in an increased decline rate for legitimate payments, even after card testing stops.
  • Additional fees—Card testing activity can result in additional fees, such as authorization fees for custom pricing plans, and dispute fees.
  • Infrastructure strain—Card testing usually results in numerous network requests and operations. This additional traffic can overburden your infrastructure and disrupt legitimate activity.
  • Damage to ecosystem health—Card testing has negative impacts on the financial system as a whole, so we want to help you stop it.

Active card testing checklist

If your integration is being exploited by card testers, we recommend that you take the following actions immediately:

  • Identify the card testing activity.
  • Refund fraudulent payments to avoid disputes.
  • Contact your platform's support team to ask about adding mitigations against card testing to your account.
  • Monitor your account to ensure any mitigations taken are effective.

Identify card testing

You can identify most card testing activity by a significant increase in declines. Payments that were blocked due to card testing are indicated as such in the Payment Details view of the blocked transactions.
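One way to watch for the decline increase described above, as an added example (not Stripe's code or detection logic): the Python sketch below buckets payment attempts into fixed windows and flags windows whose decline rate jumps well above the recent baseline. The record layout, status strings, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median


def decline_spikes(attempts, window_minutes=10, min_attempts=20,
                   ratio=3.0, floor=0.30):
    """Flag windows whose decline rate is at least `floor` and at least
    `ratio` times the median rate of earlier, unflagged windows.
    `attempts` is an iterable of (UTC datetime, status) pairs; the status
    strings and every threshold are assumptions to tune per business."""
    size = window_minutes * 60
    buckets = defaultdict(lambda: [0, 0])   # window start -> [attempts, declines]
    for ts, status in attempts:
        start = int(ts.timestamp()) // size * size
        buckets[start][0] += 1
        buckets[start][1] += status == "declined"

    flagged, history = [], []
    for start in sorted(buckets):
        total, declined = buckets[start]
        rate = declined / total
        spike = (bool(history) and total >= min_attempts and rate >= floor
                 and rate >= ratio * median(history))
        if spike:
            when = datetime.fromtimestamp(start, tz=timezone.utc)
            flagged.append((when, total, round(rate, 2)))
        else:
            history.append(rate)   # keep attack windows out of the baseline
    return flagged


def sample_attempts():
    """Constructed data: eight 10-minute windows, the seventh is a burst."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    rows = []
    for w in range(8):
        total, declined = (60, 54) if w == 6 else (25, 2)
        for i in range(total):
            ts = t0 + timedelta(minutes=10 * w, seconds=9 * i)
            rows.append((ts, "declined" if i < declined else "succeeded"))
    return rows


if __name__ == "__main__":
    for when, total, rate in decline_spikes(sample_attempts()):
        print(f"{when:%Y-%m-%d %H:%M}Z  attempts={total}  decline_rate={rate}")
```

Flagged windows are left out of the baseline so that a sustained attack does not raise the threshold it is measured against.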

Prevent card testing

Card testers employ a wide variety of techniques to make their fraudulent activity difficult to block. As a result, simple firewall rules or filters based on things like user agent strings are usually not sufficient to prevent card testing on their own.

Your platform's partner Stripe has many automated and manual controls in place to mitigate card testing, including rate limiters, alerts, machine learning models, ongoing reviews, and more. When a card testing attack on your account is first detected, Stripe will apply as many controls as it can to mitigate the attack.

However, including the following information with your payments can also have a significant impact on the performance of card testing models:

  • IP address
  • Customer email
  • Customer name
  • Billing address