What is card testing?

Fraudsters purchase card details on the dark web, or steal them via phishing or spyware. They then attempt small purchases on an unsuspecting merchant’s site to see if the card gets approved.

Card details are often stolen weeks or months prior, so these tests reveal which cards are available for use (the ones that have not been cancelled/declined). The available cards can then be used to make larger purchases, or the data re-sold.

 

So, what happened to us?

  • We noticed a lot of transactions appear on our payment platform overnight, all small amounts, under £5 each, with the same reference: “THANK”. This is not how our platform is set up; we would expect to see specific order numbers against each transaction. On top of this, we could see that a huge number of transactions had been declined. When digging a little deeper, we had thousands of “new customers” set up – these were the poor people who had their card details stolen and were not actually customers of ours at all.
  • Overnight, fraudsters had tested more than 10,000 cards on our account to determine their validity; out of these 10,000+ tests, 89 payments were successfully made. Luckily, the platform had some built-in fraud prevention rules, which flagged these transactions as a high fraud risk, and we received an email notifying us that something was not quite right with our account.
  • Our bank account, linked to the payment platform, received funds from the 89 successful transactions, which, I appreciate, sounds fantastic (free money, yes please!). Of course, we returned the funds directly to each card, incurring fees on both the payment processing and the refund processing (no free money, just additional fees!).
  • We discovered that our private key had accidentally been made public during some development on our website, which is how the fraudsters gained access. The refund process and securing the private key took a fair amount of staff time.

Card testing fraud can cause reputational damage, higher decline rates (as it makes your transactions look riskier), a significant cost in processing fees and staff time, and an increase in stress levels. On top of this, no one wants to be linked to criminal activity!

Luckily, there are things you can do to help stop your organisation being the next victim…

 

Tips for protecting yourself

No single component can stop card testing, so it’s best to implement layers of protection, some of which include:

  • Set a minimum payment threshold, especially if you accept donations or sell intangibles – cards are tested using small amounts, usually under £5, to make it harder for the cardholder to notice, so try to set the limit above this if you can
  • Be vigilant – identify anomalies quickly and investigate any spikes in your average daily transactions
  • Add a CAPTCHA – make sure the CAPTCHA requires validation on all payments
  • Some platforms allow you to add custom fraud prevention rules specific to your organisation; for example, you could ask the platform to block payments from a location or card outside of your country
  • Require log-in or session validation when making payments
  • Limit the number of cards that can be linked to a single customer, or limit the number of customers that can be linked to a single IP address
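
As an added example (not code from the original post or from any payment platform), the sketch below combines several of the signals described above, namely many cards from one IP address, a spike in declines, amounts under £5 and an identical reference on every payment, into one check over exported transaction records. The field names, thresholds and sample records are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration; tune them to your own traffic.
SMALL_AMOUNT = 5.00        # GBP; card tests are usually under this amount
MAX_CARDS_PER_IP = 3       # distinct cards tolerated from one IP in the window
MAX_DECLINE_RATIO = 0.5    # share of declined attempts that counts as a spike
MIN_ATTEMPTS = 5           # ignore IPs with too few attempts to judge

def flag_card_testing(transactions):
    """Return {ip: [reasons]} for IPs whose payments look like card testing.

    Each record is a dict with assumed keys: ip, card, amount, approved, reference.
    """
    by_ip = defaultdict(list)
    for tx in transactions:
        by_ip[tx["ip"]].append(tx)

    flagged = {}
    for ip, txs in by_ip.items():
        if len(txs) < MIN_ATTEMPTS:
            continue
        reasons = []
        cards = {tx["card"] for tx in txs}
        declined = sum(1 for tx in txs if not tx["approved"])
        refs = {tx["reference"] for tx in txs}
        if len(cards) > MAX_CARDS_PER_IP:
            reasons.append(f"{len(cards)} distinct cards")
        if declined / len(txs) > MAX_DECLINE_RATIO:
            reasons.append(f"{declined}/{len(txs)} declined")
        if all(tx["amount"] < SMALL_AMOUNT for tx in txs):
            reasons.append("all amounts under threshold")
        if len(refs) == 1:
            reasons.append(f"identical reference {next(iter(refs))!r}")
        # Require two or more signals: any single one is often legitimate.
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged

# Constructed sample data (not real transactions): one noisy IP, one normal shopper.
SAMPLE = (
    [{"ip": "203.0.113.7", "card": f"card-{i}", "amount": 1.00,
      "approved": i == 4, "reference": "THANK"} for i in range(8)]
    + [{"ip": "198.51.100.20", "card": "card-a", "amount": 24.50 + i,
        "approved": True, "reference": f"ORDER-{1000 + i}"} for i in range(5)]
)

if __name__ == "__main__":
    for ip, reasons in flag_card_testing(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

Requiring at least two signals keeps a regular small-amount donor, who trips only the amount check, from being flagged.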

 

If you would like to attend a fraud safety webinar this year, please click this link!


About the Author: Charlotte Gale
