Card Testing
Card testing is fraud where attackers run many small charges against stolen card numbers to find which ones still work before using them.
Card testing (also called carding) is a form of payment fraud where attackers use scripts or manual attempts to check whether stolen card numbers are still active. The goal isn't to buy anything — it's to validate cards so they can be sold or used elsewhere. Testing charges are typically small and come in rapid succession at high velocity.
How a card-testing attack looks
Fraudsters point automated scripts at any endpoint that will attempt a charge — a checkout form, a donation page, a payment API. Telltale signs include:
- A sudden spike in payment attempts, often from one source.
- Many
$1or other tiny charges or authorizations. - A high declined-payment rate as most stolen numbers fail.
- Bursts against sequential card numbers sharing a BIN range.
The few cards that succeed are the attacker's real prize; the rest are noise.
Why card testing hurts even when charges are tiny
Even small successful charges carry cost. Each attempt can incur processing fees, and successful test charges often turn into chargebacks once the real cardholder notices — each one carrying a dispute fee. A flood of declines and disputes can also damage your standing with card networks and, in extreme cases, get your account flagged.
How it's prevented
Processors fight card testing with layered controls. Stripe Radar evaluates payments holistically — spotting velocity and pattern signals a single-transaction check would miss — and assigns each attempt a risk score. Common defenses include rate limiting, CAPTCHA on payment forms, blocking after repeated failures, and requiring authentication. Because card testing arrives as a burst, catching the spike early is what limits the damage.
Related terms
Updated July 6, 2026