Protecting Your Business from Card Testing Scams
Learn more about keeping your business safe from Card Testing Fraud in 2026. Valuable information about CVV, AVS, CAPTCHA, and more methods to keep your digital storefront safe.
Jaime Di Paolo
6/8/20264 min read
What is Card Testing Fraud?
Card testing is a type of fraud in which a criminal tries to determine whether stolen card information is valid so that they can use it to make purchases. A fraudster will use a script to test a large amount of stolen card information at once to identify which ones work, which they can then use to make fraudulent transactions.
Negative Effects of Card Testing
Card testing has multiple negative effects on your business as a whole. First and foremost, you will have to deal with disputes on the cards that go through, costing you valuable time and money. This also includes additional fees that can be charged for each fake transaction, such as authorization fees and interchange fees. Card testing can also dilute your real customer data, as it can seem like you have an influx of new customers that are actually just the stolen cards. This can make the actual growth of your business harder to see beneath all of the fake data. Additionally, since card testing usually involves numerous transactions over short periods of time, it can cause significant strain on your network and disrupt legitimate business activity.
Identifying and Preventing Card Testing
The best way to identify if your business is being used for card testing activities is a spike in failed or declined transactions. Since a majority of the stolen card information that the criminals will be testing is going to be invalid, a large spike in failed transactions should indicate that your business is being used for card testing. Mobile and web merchants are the biggest target of this fraud because they are susceptible to scripts that can run hundreds of cards per hour through the online payment page.
One method of verification for preventing fraud in cases where the card is not present is the Card Verification Value (CVV) which is a three or four digit security code on the back of the card. Since the CVV is a number that can only be found by looking at the card, traditional card skimming (a way card numbers are stolen electronically) will not obtain the CVV value. Additionally, since merchants are prohibited from storing CVV numbers, they are data-breach proof. Enabling CVV verification is an easy way to help protect your business from card testing fraud.
Building card testing prevention measures into your checkout experience is a must if you want to avoid becoming an easy target. Having a CAPTCHA to prevent bot attacks can create very minor friction in the purchasing process, but if you are a likely target for attacks, CAPTCHA slows the scammer’s workflow down by stopping automated card testing. A similar option to CAPTCHA is Velocity Checking, which limits the number of individual transactions from one location within a timeframe (e.g., no more than 1 attempt/minute) to prevent bots from testing cards rapidly using your storefront. Another method that can help prevent fraud of all types is Address Verification Service (AVS).
How Does AVS Work, and What Does it Accomplish?
Address Verification Service (AVS) is offered by payment processing providers to minimize fraud. When a customer checks out using an AVS system, they are prompted to provide a billing address. The processor then checks that the billing address matches the address on file for the card and returns a code that can be used to validate or decline the transaction. This is an extra verification step that can help prevent credit card theft. For card testing purposes, this is extra information that the scammer has to obtain and build their script around in order to test the card. This is often enough of a deterrent to keep your system safe from card testing fraud without significantly altering the user experience in most cases.
AVS is not perfect, however. There are a few things to know before implementing AVS in your system. Not every AVS mismatch will be fraudulent, as sometimes a customer may move or have dual residences and not know the correct address to fill in the billing information. This means that AVS mismatches should be reviewed carefully, as legitimate customers may occasionally enter an outdated address or use a secondary residence. However, AVS is standard for most payment processors at this point and the benefits outweigh the downsides for the business and for the customer.
MPI’s Tips for Avoiding Card Testing Fraud
Be Vigilant: Monitor your sales for suspicious amounts of low-cost purchases.
Be Informed: Know the signs and mechanisms behind card testing fraud.
Be Proactive: Enable anti-fraud systems such as AVS and Velocity Checking before you become a target.
Frequently Asked Questions about Card Testing Fraud
1. What is card testing fraud?
Card testing fraud occurs when criminals use stolen credit or debit card information to determine which cards are still active and valid. Fraudsters often use automated scripts to submit numerous small transactions until they identify working cards for future fraudulent purchases.
2. Why do fraudsters make small purchases during card testing?
Small transactions are less likely to trigger fraud alerts and can help criminals verify card validity without drawing attention. These charges are often for low-cost products or services.
3. How can I tell if my business is being targeted by card testing?
Common warning signs include:
A sudden increase in declined transactions
Multiple small-value purchases
High volumes of transactions from the same IP address
Numerous payment attempts within a short timeframe
Increased chargebacks or customer complaints about unauthorized charges
4. Which businesses are most vulnerable to card testing attacks?
Online businesses, mobile merchants, subscription services, and e-commerce stores are the most common targets because automated bots can quickly test large volumes of card information through online checkout pages.
5. What is CVV verification and how does it help prevent card testing?
CVV verification requires customers to enter the three- or four-digit security code printed on their card. Since this code is typically not obtained through traditional card skimming methods and cannot be stored by merchants, it adds an important layer of protection against fraudulent transactions.
6. What is Address Verification Service (AVS)?
AVS compares the billing address entered during checkout with the address on file with the card issuer. If the information doesn't match, the transaction can be flagged, reviewed, or declined, helping reduce fraudulent activity.
