Protecting Your Business from Card Testing Scams

Learn more about keeping your business safe from Card Testing Fraud in 2026. Valuable information about CVV, AVS, CAPTCHA, and more methods to keep your digital storefront safe.

Jaime Di Paolo

6/8/2026, 3 min read

What is Card Testing Fraud?

Card testing is a type of fraud in which a criminal tries to determine whether stolen card information is valid so that they can use it to make purchases. A fraudster will use a script to test a large batch of stolen cards at once to identify which ones work, and can then use the working cards to make fraudulent transactions.

Negative Effects of Card Testing

Card testing has multiple negative effects on your business as a whole. First and foremost, you will have to deal with disputes on the cards that go through, costing you valuable time and money. This also includes additional fees that can be charged for each fake transaction, such as authorization fees and interchange fees. Card testing can also dilute your real customer data, as it can seem like you have an influx of new customers that are actually just the stolen cards. This can make the actual growth of your business harder to see beneath all of the fake data. Additionally, since card testing usually involves numerous transactions over short periods of time, it can cause significant strain on your network and disrupt legitimate business activity.

Identifying and Preventing Card Testing

The best way to identify whether your business is being used for card testing is to watch for a spike in failed or declined transactions. Since the majority of the stolen card information that the criminals test is going to be invalid, a large spike in failed transactions should indicate that your business is being used for card testing. Mobile and web merchants are the biggest targets of this fraud because they are susceptible to scripts that can run hundreds of cards per hour through the online payment page.
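The decline-spike signal described above can be computed directly from an authorization log. This is an added example, not code from the original article; the log format, the sample lines, and the thresholds (5-minute windows, at least 5 attempts, more than 50% declined) are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authorization log (not real data):
# timestamp, source IP, amount, processor result.
SAMPLE_LOG = """\
2026-06-08T10:00:41 203.0.113.20 48.00 approved
2026-06-08T10:01:15 203.0.113.35 19.99 approved
2026-06-08T10:02:03 203.0.113.41 75.10 declined
2026-06-08T10:03:37 203.0.113.58 32.00 approved
2026-06-08T10:04:50 203.0.113.62 12.49 approved
2026-06-08T10:05:02 198.51.100.7 1.00 declined
2026-06-08T10:05:09 198.51.100.7 1.00 declined
2026-06-08T10:05:17 198.51.100.7 1.00 approved
2026-06-08T10:05:24 198.51.100.7 1.00 declined
2026-06-08T10:05:31 198.51.100.7 1.00 declined
2026-06-08T10:06:12 203.0.113.77 27.30 approved
2026-06-08T10:06:40 198.51.100.7 1.00 declined
"""


def parse(log):
    """Yield (timestamp, ip, amount, result) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, amount, result = line.split()
        yield datetime.fromisoformat(ts), ip, float(amount), result


def decline_spikes(log, window_min=5, min_attempts=5, max_rate=0.5):
    """Flag fixed time windows whose decline rate exceeds max_rate."""
    windows = defaultdict(lambda: {"attempts": 0, "declines": 0, "sources": Counter()})
    for ts, ip, _amount, result in parse(log):
        # Round the timestamp down to the start of its window.
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        w = windows[start]
        w["attempts"] += 1
        if result == "declined":
            w["declines"] += 1
            w["sources"][ip] += 1
    flagged = []
    for start, w in sorted(windows.items()):
        rate = w["declines"] / w["attempts"]
        # min_attempts keeps a quiet period with a single decline from alerting.
        if w["attempts"] >= min_attempts and rate > max_rate:
            top_ip, top_n = w["sources"].most_common(1)[0]
            flagged.append((start.isoformat(), w["attempts"], w["declines"], top_ip, top_n))
    return flagged
```

Each flagged row gives the window start, attempts, declines, and the source responsible for the most declines, which is the first thing to look at when deciding what to block.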

One verification method for preventing fraud when the card is not present is the Card Verification Value (CVV), a three- or four-digit security code on the back of the card. Because the CVV can only be found by looking at the card, traditional card skimming (a way card numbers are stolen electronically) will not obtain it. Additionally, since merchants are prohibited from storing CVV numbers, they are data-breach proof. Enabling CVV verification is an easy way to help protect your business from card testing fraud.


Building card testing prevention measures into your checkout experience is a must if you want to avoid becoming an easy target. Having a CAPTCHA to prevent bot attacks can create very minor friction in the purchasing process, but if you are a likely target for attacks, CAPTCHA slows the scammer’s workflow down by stopping automated card testing. A similar option to CAPTCHA is Velocity Checking, which limits the number of individual transactions from one location within a timeframe (e.g., no more than 1 attempt/minute) to prevent bots from testing cards rapidly using your storefront. Another method that can help prevent fraud of all types is Address Verification Service (AVS).
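Velocity checking as described above can be implemented as a sliding-window limiter keyed on the source of the attempt. This is an added example, not code from the original article; the class name, the use of the source IP as the key, and the constructed attempt stream are assumptions, with the 1 attempt per 60 seconds limit taken from the text.

```python
from collections import defaultdict, deque


class VelocityCheck:
    """Allow at most max_attempts per key within a sliding window of window_s seconds."""

    def __init__(self, max_attempts=1, window_s=60):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._seen = defaultdict(deque)  # key -> timestamps of allowed attempts

    def allow(self, key, now):
        """Return True if this attempt may proceed to authorization."""
        q = self._seen[key]
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # over the limit: reject before contacting the processor
        q.append(now)  # only allowed attempts count toward the limit
        return True

    def purge(self, now):
        """Forget idle keys so memory stays bounded; returns how many were removed."""
        idle = [k for k, q in self._seen.items() if not q or now - q[-1] >= self.window_s]
        for k in idle:
            del self._seen[k]
        return len(idle)


# Constructed attempts (seconds since start, source IP); assumed key is the IP.
ATTEMPTS = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "203.0.113.20"),
            (30, "198.51.100.7"), (61, "198.51.100.7"), (70, "203.0.113.20")]


def replay(attempts, limiter):
    """Run a recorded attempt stream through the limiter and return each decision."""
    return [(t, ip, limiter.allow(ip, t)) for t, ip in attempts]


if __name__ == "__main__":
    for row in replay(ATTEMPTS, VelocityCheck(max_attempts=1, window_s=60)):
        print(row)
```

In a live checkout, `now` would come from a monotonic clock, and the same limiter can be keyed on a session or device identifier in addition to the IP.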

How Does AVS Work, and What Does it Accomplish?

Address Verification Service (AVS) is offered by payment processing providers to minimize fraud. When a customer checks out using an AVS system, they are prompted to provide a billing address. The processor then checks that the billing address matches the address on file for the card and returns a code that can be used to validate or decline the transaction. This is an extra verification step that can help prevent credit card theft. For card testing purposes, this is extra information that the scammer has to obtain and build their script around in order to test the card. This is often enough of a deterrent to keep your system safe from card testing fraud without significantly altering the user experience in most cases.

AVS is not perfect, however, and there are a few things to know before implementing it in your system. Not every AVS mismatch will be fraudulent: a legitimate customer may have moved, or may have dual residences and not know which address to enter as the billing address. This means that AVS mismatches should be reviewed carefully. Even so, AVS is standard for most payment processors at this point, and the benefits outweigh the downsides for the business and for the customer.

MPI’s Tips for Avoiding Card Testing Fraud

  1. Be Vigilant: Monitor your sales for suspicious numbers of low-cost purchases.

  2. Be Informed: Know the signs and mechanisms behind card testing fraud.

  3. Be Proactive: Enable anti-fraud systems such as AVS and Velocity Checking before you become a target.
