Card testing is a type of fraud in which a bad actor attempts to test stolen or contrived credit card details to gain knowledge about which credit cards are live. There are many variations of card testing, including:
Brute force CVC testing: where a bad actor attempts to guess the CVC code associated with a given card
Brute force BIN testing: where a bad actor iterates the digits succeeding the first 6 digits of a card number
The goal of card testing is to determine which cards are live and which are not. After gaining this knowledge, the fraudster may then sell the card details to other malicious actors or use them to commit fraud on your site, on other Stripe merchants, or in the broader payments ecosystem.
Card testing can happen to any business. As long as a payment form is left unprotected, a fraudster can take advantage of it by making a high velocity of attempts in a short amount of time.