PaySia Help Center

Advice and answers from the PaySia team
Resources
 / 
What Is Card Testing?
Anti-fraud

What Is Card Testing?

Fresh credit card data doesn’t come with budget information – so the fraudsters have to test it somewhere to see if they have funds on them . ……………… .

What Is Card Testing?

Card testing is when a fraudster tests whether a stolen credit card is still active (“live”) before they go on to use it – as well as if it has funds left.

Testing involves conducting card activity less likely to be flagged as suspicious, and is often done on long lists of illegally acquired card credentials, to separate the wheat from the chaff.

Card testing can be conducted on physically stolen bank cards, physical reproductions of cards from scraping, generated card information, as well as on stolen credit card credentials, also known as card fullz.

How Does Card Testing Work?

There are two primary methods used by criminals to conduct card testing: pushing through small payments and conducting authorizations.

Small payments

The fraudster attempts to use a card to make a small payment. Acceptance of the payment will show them if the card is live, but it is also likely to draw the attention of the legitimate cardholder, as it will appear on their statement.

Even rejected payments can occasionally return useful information in terms of what caused the rejection, helping the fraudster to fool the system upon their next attempts.

Method benefits: easy to find places to use it; rejections can help criminals
Method risks: more likely to be caught

Authorizations

Unlike payments, authorizations are a query sent through the payment processor to the issuer as the first step in a payment, asking whether the customer has the funds to cover the transaction. These will take much longer to appear on card statements, giving the fraudster more time to use the active card.

Method benefits: cardholder not likely to find out; subtler method
Method risks: advanced anti-fraud methods will still catch these

At this point, the legitimate card owner might notice and contact the card issuer. This is bad news for the criminal but is also unfortunate for the merchant, who will be facing chargeback requests, which require time and often money to resolve – as well as affecting their chargeback rate, which can be catastrophic.

It is estimated that each case costs merchants up to 3.60 times the money lost in that transaction.

Another thing fraudsters testing stolen debit and credit cards are wary of is causing too many declines on each card. Depending on the issuer, this can lead to the card automatically freezing, which means it can’t be used anymore.

Card testing can be done on credit cards, as well as debit cards, prepaid cards and gift cards, usually in card-non-present environments. In fact, card-not-present (CNP) fraud is projected to cause losses of USD 34.66 billion to the economy every year.

Identify Online Card Fraud Fast

Card testing & carding can be a huge pain point. Find out how to stop it at payment gateways and other touchpoints.

What Is Card Testing Used For?  

Card testing is conducted to see whether stolen cards and/or credentials (fullz) are still active. From there, fraudsters will:

  • resell live cards for a profit (verified cards sell for more than untested cards)
  • use them to conduct fraud, including chargeback fraud
  • use them to buy gift cards or cryptocurrencies
  • use them to buy goods to reship
  • use them to buy criminal or unlawful services on the dark web
  • as well as any other act that involves card payments

How Does Card Testing Fraud Harm Ecommerce?

Fraudsters tend to target digital goods and services, as well as non-profit organizations, and the donation and support pages of content creators, mainly because they provide instant feedback on whether the card is live and has funds available.

Merchants have much to lose from card testing, both repetitive and one-off:

  • They can cause chargeback requests and as such, it can affect the chargeback ratio – which can ultimately even lead to being banned as a merchant.
  • Merchant can be flagged as high risk, thus being forced to pay higher fees to payment processors.
  • Successful testing signals low anti-fraud protocols to criminals, opening a Pandora’s box of subsequent fraud attacks.
  • Additional costs: dispute fees, interchange fees, work hours spent, resolution fees.
  • Drop in employee morale, as well as reputational damage.

Of course, also at risk from card testing are payment gateways, where fraudsters spam orders using different credentials to see which will go through, as well as card issuers themselves.