What is card testing?

Card testing—also known as card enumeration or card validation—is when fraudsters attempt to validate stolen card details by making $0 or low-dollar transactions.

Fraud tactics are evolving, and card testing attacks are increasingly targeting e-commerce and mobile checkout. You can help protect your business by strengthening checkout controls, monitoring for early warning signs and reducing the information attackers can learn from declined transactions.

How it works

Card testing typically follows three steps:

  • Acquire: Fraudsters obtain stolen card details (full or partial) from illegitimate sources, such as compromised data or dark web listings.
  • Test: They run $0 or small-dollar attempts at real merchants to confirm a card is active and may retry to fill in missing details (like CVV or expiration date).
  • Sell or use: Once a card is confirmed, fraudsters may sell it, use it quickly before it’s shut down or move to merchants whose decline messages make it easier to keep testing.

Card testing can be manual (a few attempts) or automated (bots testing large volumes quickly). Automated testing is the most common.

Important: Card testing doesn’t begin when someone lands on your payment page. Instead, it takes advantage of weak spots during checkout—such as unlimited retries, card-verification steps that can be triggered repeatedly (for example, $0 authorization checks) or limited bot controls. 

Signals to look out for

Card testing often appears as high-volume, low-dollar activity at checkout.

  • Sudden spikes in unique cards per minute: Many different card numbers attempted in a short time—often from the same IP address, device or small set of sessions.
  • A spike in declined payments (high decline rate): More failed payments than usual, including repeated CVV or expiration date mismatch errors.
  • Rapid retries with small changes: Multiple attempts on the same card or session where only one field changes each time (for example, cycling CVV or expiration date values).
  • Repeated $0 or small-dollar attempts across many cards: A wave of $0 authorizations or low-dollar transactions used to test cards with minimal cost and attention.

Who is at risk?

You may be more exposed to card testing if:

  • You run an e-commerce site with lower fraud rates. Card testing may be harder to spot until you see a sudden increase in failed payment attempts.
  • You sell through mobile web or an app. Without strong bot detection and retry controls, attackers can test cards quickly across devices and sessions.
  • You’re newer to digital. If online is a newer or secondary storefront, your monitoring and fraud processes may still be maturing.

When attacks often occur

Card testing attempts may increase:

  • During peak seasons (including holidays)
  • On weekends or off-hours
  • After you launch or update checkout
  • During high-traffic promotions

High traffic can make card testing harder to spot, and it may be more difficult to roll out changes quickly during peak periods.
 

Why merchants should pay attention

If you don’t catch card testing early, it can lead to:

  • Higher processing costs, including authorization, gateway/acquirer and payment network fees.
  • Checkout disruption, including more failed payments and lost legitimate sales.
  • Processing restrictions or placement in payment network monitoring programs (for example, VDMP, VFMP and EFM).
  • More downstream issues, such as false positives, reserves, chargebacks and potential fines.

Actions you can take

Monitor

Use the signals above to monitor across:

  • Checkout/purchase attempts, account creation and exception processing
  • Web, mobile web and mobile apps

Also watch for:

  • Spikes in new account sign-ups or cards added to accounts
  • Concentrated activity from specific IP addresses, devices or VPN/masked IPs

Prevent

Use layered controls to slow automated testing and reduce what attackers can learn:

  • Set retry and velocity limits. A velocity limit caps how many attempts can happen in a set time period (for example, attempts per minute) by IP address, device, email or billing details.
  • Require AVS and CVV, and act on issuer responses. AVS (address verification service) and CVV (card verification value) checks can help screen out suspicious attempts.
  • Use device fingerprinting. Device fingerprinting helps you recognize repeat devices at checkout and flag card-testing patterns (for example, one device trying many cards or rapid retries).
  • Detect bots and throttle suspicious traffic. Add controls that identify automated behavior (for example, scripted clicks) and slow or block repeated attempts.
  • Limit information leakage from decline and error messages. Avoid giving detailed clues that make it easier for attackers to adjust one field and retry.

Respond

When you see active testing:

  • Block attacking IP addresses and ranges, and consider temporary step-up controls.
  • Enable or strengthen CAPTCHA or other human verification at checkout.
  • Consider requiring account setup instead of guest checkout (balanced with customer experience).
  • Use caution with BIN blocking (the first digits of a card number). It may help in some attacks, but it can also block legitimate customers.

Review

Regularly review:

  • Decline trends and authorization data
  • Disputes and chargeback patterns
  • Where controls created friction for legitimate customers (and tune rules accordingly)

10 key controls to help prevent card testing

  • Enable address verification service (AVS) and card verification value (CVV) checks
  • Set velocity limits for email, billing address and IP address activity
  • Use device fingerprinting to recognize repeat devices and flag card-testing patterns
  • Monitor for spikes in small-dollar attempts and authorization failures
  • Require CAPTCHA or other human verification at checkout
  • Block suspicious IP addresses and ranges
  • Review decline trends and dispute activity regularly
  • Build fraud controls into account creation and checkout
  • Consider requiring account setup instead of guest checkout
  • Regularly evaluate and update your fraud detection tools

How we can help

If you believe you’ve been the target of fraud, contact your service representative and request to be connected with the GB Fraud Recovery Team.

If you suspect your J.P. Morgan account or systems have been compromised, contact your service representative immediately.