If you work in payments, you’ve probably seen this before.
A merchant calls with questions about unexpected authorization costs.
Transaction volume looks higher than normal, but nothing obvious is “broken.”
There’s no breach, no chargeback spike, no clear fraud alert.
At first, it looks like noise.
In many cases, it’s actually card testing.
What is Card Testing?
Card testing is a type of fraud where attackers run stolen card numbers through payment systems to see which cards are still valid.
Instead of making one large fraudulent purchase, attackers:
Submit many small authorization attempts
Test cards across gateways, APIs, and checkout flows
Look for cards that successfully authorize
Once valid cards are identified, they’re often sold or used elsewhere.
Card testing is sometimes also referred to as card tumbling or brute-force authorization attacks. Different names, same underlying behavior.
Why Card Testing Looks Different from “Traditional” Fraud
One reason card testing is so common and so frustrating is that it doesn’t behave like most fraud people expect.
Card testing attacks often:
Use very small transaction amounts
Run in short, high-velocity bursts designed to avoid immediate detection
Avoid triggering chargebacks
Blend into normal transaction traffic
Rather than a single obvious spike, card testing often happens in a compressed window… fast enough to cause damage, but subtle enough to delay detection.
As a result, card testing doesn’t always trigger alarms immediately. There’s rarely a single “incident” moment.
Instead, the impact builds quietly.
Why Card Testing is Easy to Overlook
Card testing flies under the radar for a few reasons:
No traditional data breach
Data isn’t exfiltrated from merchant systems, but attackers are abusing payment entry points to test stolen card data.
Low-dollar transactions
Individual attempts (often $0.01 authorizations) look insignificant on their own.
Distributed activity
Attacks can span merchants, endpoints, and time periods, affecting ecommerce and card-not-present environments alike.
Normal-looking traffic
To automated systems, early card testing activity can resemble legitimate behavior.
By the time card testing is identified, a meaningful amount of cost has often already accumulated.
The Real World Impact
While card testing is often discussed as a fraud issue, its impact extends beyond fraud teams.
Financially, every authorization attempt carries a cost, even when the transaction is fraudulent. Network fees, gateway charges, and processing costs add up quickly during high-volume attacks.
Operationally, detecting and responding to card testing pulls in multiple teams. Fraud, risk, operations, support, and account managers all get involved, often on short notice.
From a merchant perspective, card testing creates confusion. Merchants may not understand what happened… only that costs increased and questions need answers.
None of this happens all at once. It unfolds gradually, which is exactly why it’s so easy to miss.
Doesn’t Prevention Stop Card Testing?
Prevention and monitoring tools play an important role in reducing exposure. Controls such as CVV and AVS checks, gateway and processor velocity thresholds, CAPTCHA, and payment script monitoring help mitigate risk.
However, card testing is difficult to eliminate entirely, especially across large, diverse payment environments.
Attackers don’t need systems to fail completely. They look for gaps, inconsistencies, and edge cases.
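The velocity thresholds mentioned above can be sketched as a sliding-window check over authorization records, flagging bursts of low-value attempts that touch many distinct cards and are mostly declined. This is an added example, not code from the original article; the record fields, merchant names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Auth:
    ts: datetime
    merchant: str
    card_token: str    # tokenized card reference, never a raw card number
    amount_cents: int
    approved: bool

def find_card_testing(events, window=timedelta(seconds=60), small_cents=100,
                      min_attempts=10, min_cards=8, min_decline_ratio=0.6):
    """Return {merchant: (first_ts, last_ts, attempts)} for the first burst seen.

    All thresholds are illustrative assumptions, not recommended values.
    """
    windows, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.amount_cents > small_cents or ev.merchant in alerts:
            continue
        win = windows.setdefault(ev.merchant, deque())
        win.append(ev)
        while ev.ts - win[0].ts > window:    # expire attempts older than the window
            win.popleft()
        cards = {e.card_token for e in win}
        declines = sum(not e.approved for e in win)
        if (len(win) >= min_attempts and len(cards) >= min_cards
                and declines / len(win) >= min_decline_ratio):
            alerts[ev.merchant] = (win[0].ts, ev.ts, len(win))
    return alerts

def sample_events():
    """Constructed sample data: normal sales, a testing burst, a repeat buyer."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    normal = [Auth(t0 + timedelta(minutes=5 * i), "shop-a", f"tok-a{i}", 2499, True)
              for i in range(6)]
    # 12 one-cent attempts, 3 seconds apart, a new card each time, 1 in 4 approved
    burst = [Auth(t0 + timedelta(seconds=3 * i), "shop-b", f"tok-b{i}", 1, i % 4 == 0)
             for i in range(12)]
    # one card making many small approved purchases: fast, but not card testing
    repeat = [Auth(t0 + timedelta(seconds=2 * i), "shop-c", "tok-c0", 50, True)
              for i in range(12)]
    return normal + burst + repeat

if __name__ == "__main__":
    for merchant, (start, end, n) in find_card_testing(sample_events()).items():
        print(f"{merchant}: {n} low-value attempts between {start} and {end}")
```

Because attacks can span merchants and endpoints, the same window could also be keyed by whatever source attributes the gateway records, not only by merchant.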
Why Card Testing Keeps Showing Up
Card testing persists because:
Stolen card data is widely available
Payment systems must balance security and usability
Entry points vary across merchants and platforms
As payment ecosystems grow more complex, attackers continue to look for ways to exploit them.
Card testing isn’t rare or unusual. It’s a recurring byproduct of modern payments.
What to Think About Next
If card testing sounds familiar, it may be worth stepping back and asking a few questions:
How visible is card testing activity across your environment?
How quickly would you recognize it?
Where does the cost land when it happens?
How much time and effort does response take?
Understanding what card testing looks like in practice is the first step toward managing its impact.
Card testing doesn’t announce itself.
Understanding how it shows up, and how to respond more efficiently and cost-effectively, is often the hardest part.