Beat The Numbers Game: Guard Against Card Testing Fraud

Card-testing fraud has gone from nuisance to nonstop swarm—supercharged by cheap bots and off-the-shelf artificial intelligence (AI). In 2025, fraud teams report that card testing (aka enumeration) remains one of the most common attacks online, hitting roughly 45% of merchants worldwide even as some other fraud types cooled this year. At the same time, nearly half of financial institutions say monthly bot attacks are rising, underscoring how automation is amplifying low-value, high-volume probes that quickly cascade into chargebacks and network monitoring trouble.

For merchants, that “pennies at scale” behavior isn’t harmless: enumeration drives ecosystem losses in the billions and can push businesses toward acquirer/network programs when thresholds are crossed—especially under 2025’s tighter Visa monitoring rules. If your checkout, APIs, or account pages aren’t rate-limited and bot-mitigated—and if you’re not leaning on tools like velocity controls, AVS/CVV with intelligent retries, 3-D Secure 2.x, and network tokens—you’re inviting attackers to find valid PANs and move up the value chain.

Payment solutions can play a major role in protecting businesses from card testing-related losses. But does yours have the right capabilities? Read on as we explain card testing and some fundamental ways to reduce its impact on your customers and your bottom line.

 

What is card testing?

Card testing is a payment fraud technique where cybercriminals use automation or bots to guess valid credit card numbers. It’s literally a numbers game. Fraudsters submit a barrage of small transactions of just a few cents each, testing to see if a card number is valid. Once they’ve identified a set of card information that works, they then use it either to make larger unauthorized purchases or sell the card info on the dark web.

For merchants, falling victim to card testing can disrupt operations and generate costly chargebacks. But it means more than revenue loss: there’s also reputational damage to consider. According to a PYMNTS survey, 21% of consumers said that losing money due to fraud would be the most important factor that would erode their trust in a merchant.

 

5 layers of protection against card testing attacks

In the battle against card testing fraud, your strongest line of defense is a modern payment solution. It can safeguard your transactions and customer data in multiple ways. Here’s how:

1. Spot it early

As we all know, the earlier fraud is spotted, the better. Modern fraud detection platforms are doing this better than ever by using machine learning and sophisticated, dynamic rules that identify suspicious transactions and evolving patterns as they happen. These systems flag and report suspicious activity before bad actors “crack the code” and make a successful unauthorized charge, or before they can go on to do significant damage with the stolen card information.

  • Tell-tale signs: sudden bursts of tiny or $0/$1 authorizations, many declines in a short window, the same card BIN showing up repeatedly, or a spike in traffic with few real checkouts
  • Why it’s happening: fraudsters now use cheap bots—and increasingly AI—to run thousands of quick tests to find a “live” card number before moving on to bigger purchases elsewhere

2. Boost your tokenization technology

Modern payment solutions typically replace sensitive card data with unique tokens, randomly generated values that are unrelated to the original card data. This adds an extra layer of security. Even if bad actors intercept the merchant’s tokenized data, the tokens are useless for making unauthorized transactions.

3. Make testing harder

  • Add a light “are you human?” check on payment and account pages when activity spikes.
  • Slow rapid-fire attempts with simple limits (e.g., only a few tries in a short period).
  • Turn on AVS and CVV checks for first-time payments so obviously bad attempts fail fast.
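
The first two steps above, sketched as an added example (not code from this article or from any payment provider): a per-client attempt limit that steps up to a human check and then a block, plus a site-wide switch that challenges everyone while traffic is spiking. The class name, thresholds and window length are assumptions for illustration.

```python
from collections import defaultdict, deque

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"

class CheckoutThrottle:
    """Attempt limits for a payment endpoint. All defaults are assumed values."""

    def __init__(self, window_s=60, challenge_at=3, block_at=6, site_spike=20):
        self.window_s = window_s
        self.challenge_at = challenge_at  # attempts per client before a human check
        self.block_at = block_at          # attempts per client before a hard stop
        self.site_spike = site_spike      # attempts site-wide that count as a spike
        self.by_client = defaultdict(deque)
        self.site = deque()

    def _trim(self, q, now):
        while q and q[0] <= now - self.window_s:  # forget attempts outside the window
            q.popleft()

    def decide(self, client, now, solved_challenge=False):
        """client: device fingerprint, session or IP; now: time in seconds."""
        q = self.by_client[client]
        self._trim(q, now)
        self._trim(self.site, now)
        q.append(now)
        self.site.append(now)
        if len(q) > self.block_at:
            return BLOCK  # rapid-fire client: stop even if challenges are solved
        spiking = len(self.site) > self.site_spike
        if (len(q) > self.challenge_at or spiking) and not solved_challenge:
            return CHALLENGE  # light "are you human?" step before authorizing
        return ALLOW

def replay(throttle, attempts):
    """attempts: iterable of (client, time_s, solved_challenge) tuples."""
    return [throttle.decide(c, t, s) for c, t, s in attempts]

if __name__ == "__main__":
    burst = [("dev-x", t, False) for t in range(8)]  # constructed: 8 tries in 8 s
    print(replay(CheckoutThrottle(), burst))
```

Blocked and challenged attempts still count toward the window, so a client that keeps hammering the endpoint stays throttled until it goes quiet.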

4. Get 3DS authentication

Modern payment solutions often integrate the 3-D Secure protocol, or “3DS,” which stands for Three-Domain Secure. This is an authentication method for online transactions that relies on three domains:

  • Issuer domain — The bank or financial institution that issued the card
  • Acquirer domain — The bank or financial institution processing the payment on the merchant’s behalf
  • Interoperability domain (card scheme) — The payment card network (e.g., Visa, Mastercard) that connects the issuer and acquirer domains

If you’re using 3DS, a cardholder making an online purchase undergoes an additional authentication step. This typically involves redirecting them to a page hosted by their card issuer or having them provide a one-time authentication code that is sent to their phone. And it’s this extra step that adds another strong barrier against card testing attempts.

5. Update and monitor regularly

Payment fraud techniques evolve, and so should your defenses. Your SaaS provider should deliver regular updates and enable round-the-clock monitoring, making sure your payment system is always equipped with the latest security features.

  • Watch for patterns, not just single declines: Unusual spikes in small authorizations, odd geographies, or “many cards/one device” should trigger a closer look.
  • Have a short playbook: Pause the affected page or endpoint, tighten limits for an hour, review the attempts, and notify your payments partner if thresholds were hit.
  • Clean up quickly: Void/refund test charges, update blocklists and, if needed, rotate any exposed credentials.
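
The tell-tale signs from “Spot it early” and the patterns listed above, expressed as sliding-window checks over authorization events. This is an added example, not part of the original article; the event fields, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict, deque, namedtuple

# card is a token or hash reference, never the PAN itself
Auth = namedtuple("Auth", "ts device bin6 card amount approved")

# Assumed thresholds for illustration; tune them against your own baseline.
WINDOW_S = 300       # sliding window, seconds
SMALL_AMOUNT = 1.00  # "tiny or $0/$1" authorizations
MAX_SMALL = 5        # small auths per device per window
MAX_DECLINES = 5     # declines per device per window
MAX_CARDS = 4        # distinct cards per device per window
MAX_BIN_CARDS = 6    # distinct cards on one BIN per window

def detect(events):
    """Return the set of (signal, key) pairs whose threshold was crossed."""
    by_device, by_bin = defaultdict(deque), defaultdict(deque)
    alerts = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        for windows, key in ((by_device, e.device), (by_bin, e.bin6)):
            q = windows[key]
            q.append(e)
            while q[0].ts <= e.ts - WINDOW_S:  # drop events outside the window
                q.popleft()
        dev, same_bin = by_device[e.device], by_bin[e.bin6]
        if sum(x.amount <= SMALL_AMOUNT for x in dev) > MAX_SMALL:
            alerts.add(("small_auth_burst", e.device))
        if sum(not x.approved for x in dev) > MAX_DECLINES:
            alerts.add(("decline_burst", e.device))
        if len({x.card for x in dev}) > MAX_CARDS:
            alerts.add(("many_cards_one_device", e.device))
        if len({x.card for x in same_bin}) > MAX_BIN_CARDS:
            alerts.add(("same_bin_many_cards", e.bin6))
    return alerts

def sample_events(gap_s=10):
    """Constructed data: two ordinary shoppers plus one scripted tester."""
    events = [
        Auth(0, "dev-a", "520000", "tok_a1", 42.00, True),
        Auth(30, "dev-b", "520000", "tok_b1", 19.99, False),  # mistyped CVV
        Auth(55, "dev-b", "520000", "tok_b1", 19.99, True),
    ]
    for i in range(8):  # eight cards on one BIN, 0.50 each, one approval
        events.append(Auth(100 + i * gap_s, "dev-x", "411111",
                           f"tok_x{i}", 0.50, i == 7))
    return events

if __name__ == "__main__":
    for signal, key in sorted(detect(sample_events())):
        print(f"{signal:24} {key}")
```

The single decline from `dev-b` raises nothing, which is the point of watching patterns rather than individual declines; the same eight attempts spaced ten minutes apart also stay under every threshold, so window length is a trade-off between catching slow testers and alert noise.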

 

Act today

Safeguarding your organization against card testing is a must. Do you know if your payment ecosystem has all these protections in place for you and your customers? Talk to us at CSG Forte, and we can help you ensure your payments security is up to task—even as fraudsters put it to the test.