Card testing—also known as card enumeration or card validation—is when fraudsters attempt to validate stolen card details by making $0 or low-dollar transactions.
Fraud tactics are evolving, and card testing attacks are increasingly targeting e-commerce and mobile checkout. You can help protect your business by strengthening checkout controls, monitoring for early warning signs and reducing the information attackers can learn from declined transactions.
Card testing typically follows three steps:
Card testing can be manual (a few attempts) or automated (bots testing large volumes quickly). Automated testing is the most common.
Important: Card testing doesn’t begin when someone lands on your payment page. Instead, it takes advantage of weak spots during checkout—such as unlimited retries, card-verification steps that can be triggered repeatedly (for example, $0 authorization checks) or limited bot controls.
Card testing often appears as high-volume, low-dollar activity at checkout.
You may be more exposed to card testing if:
When attacks often occur
Card testing attempts may increase:
High traffic can make card testing harder to spot, and it may be more difficult to roll out changes quickly during peak periods.
Why merchants should pay attention
If you don’t catch card testing early, it can lead to:
Monitor
Use the signals above to monitor across:
Also watch for:
Prevent
Use layered controls to slow automated testing and reduce what attackers can learn:
Respond
When you see active testing:
Review
Regularly review:
If you believe you’ve been the target of fraud, contact your service representative and request to be connected with the GB Fraud Recovery Team.
If you suspect your J.P. Morgan account or systems have been compromised, contact your service representative immediately.