Beat The Numbers Game: Guard Against Card Testing Fraud

Card not present (CNP) fraud has been on the rise: it’s projected to account for nearly 75% of all payments fraud by 2024, which is up from 57% in 2019. As merchants shift their focus to protect against this growing share of CNP fraud, they find themselves tackling a specific type: card testing attacks.

Payment solutions can play a major role in protecting businesses from card testing-related losses. But does yours have the right capabilities? Read on as we explain card testing and some fundamental ways to reduce its impact on your customers and your bottom line.

What Is Card Testing?

Card testing is a payment fraud technique where cybercriminals use automation or bots to guess valid credit card numbers. It’s literally a numbers game. Fraudsters submit a barrage of small transactions of just a few cents each, testing to see if a card number is valid. Once they’ve identified a set of card information that works, they then use it either to make larger unauthorized purchases or sell the card info on the dark web.

For merchants, falling victim to card testing can disrupt operations and generate costly chargebacks. But it means more than revenue loss: there’s also reputational damage to consider. According to a PYMNTS survey, 21% of consumers said that losing money due to fraud would be the most important factor that would erode their trust in a merchant.

4 Layers of Protection Against Card Testing Attacks

In the battle against card testing fraud, your strongest line of defense is a modern payment solution. It can safeguard your transactions and customer data in multiple ways. Here’s how:


As we all know, the earlier fraud is spotted, the better. Payment solutions may employ machine learning algorithms that identify suspicious transaction patterns in real time. These fraud detection features can flag and report suspicious activity before bad actors “crack the code” and make a successful unauthorized charge, or before they can go on to do significant damage with the stolen card information.
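The pattern described above (a burst of small-value attempts across many different cards from one source, most of them declined) can be illustrated with a simple sliding-window rule. This is an added example, not CSG Forte's detection logic and not a machine learning model; the thresholds, the record layout and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not values from the article).
WINDOW_SECONDS = 300        # look-back window per source
MAX_PROBE_AMOUNT = 1.00     # only small-value attempts count as possible probes
MIN_ATTEMPTS = 5
MIN_DISTINCT_CARDS = 4
MIN_DECLINE_RATIO = 0.6

# Constructed sample: (epoch_seconds, source_ip, card_token, amount, approved)
SAMPLE = [
    (1000, "203.0.113.7", "tok_a", 0.05, False),
    (1010, "203.0.113.7", "tok_b", 0.07, False),
    (1020, "203.0.113.7", "tok_c", 0.05, False),
    (1030, "203.0.113.7", "tok_d", 0.09, True),
    (1040, "203.0.113.7", "tok_e", 0.05, False),
    (1050, "203.0.113.7", "tok_f", 0.06, False),
    # Ordinary customer: one card, one normal purchase and one small one.
    (1005, "198.51.100.20", "tok_cust1", 24.99, True),
    (1200, "198.51.100.20", "tok_cust1", 0.99, True),
    # Small declines spread 15 minutes apart never fill a single window.
    *[(1000 + 900 * i, "192.0.2.55", f"tok_s{i}", 0.10, False) for i in range(5)],
]

def detect_card_testing(transactions):
    """Return {source: timestamp of first alert} for sources matching the pattern."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, source, card, amount, approved in sorted(transactions):
        if amount > MAX_PROBE_AMOUNT:
            continue  # larger purchases are not counted as probes
        win = windows[source]
        win.append((ts, card, approved))
        while ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()  # drop attempts that fell out of the window
        attempts = len(win)
        distinct_cards = len({c for _, c, _ in win})
        declines = sum(1 for _, _, ok in win if not ok)
        if (source not in alerts
                and attempts >= MIN_ATTEMPTS
                and distinct_cards >= MIN_DISTINCT_CARDS
                and declines / attempts >= MIN_DECLINE_RATIO):
            alerts[source] = ts
    return alerts

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE))
```

The rule fires on the fifth attempt, before the burst finishes, which is the "earlier is better" point: the source can be challenged or blocked while the testing is still in progress.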


Modern payment solutions typically replace sensitive card data with unique tokens, randomly generated values that are unrelated to the original card data. This adds an extra layer of security. Even if bad actors intercept the data a merchant holds, what they get is tokens rather than card numbers, and those tokens are useless for making unauthorized transactions.


Modern payment solutions often integrate 3D Secure protocols, or “3DS,” which stands for 3 Domain Secure. This is an authentication method for online transactions that relies on three domains:

  • Issuer Domain — The bank or financial institution that issued the card
  • Acquirer Domain — The bank or financial institution processing the payment on the merchant’s behalf
  • Interoperability Domain (Card Scheme) — The payment card network (e.g., Visa, MasterCard) that connects the issuer and acquirer domains

If you’re using 3DS, a cardholder making an online purchase undergoes an additional authentication step. This typically involves redirecting them to a page hosted by their card issuer or having them provide a one-time authentication code that is sent to their phone. And it’s this extra step that adds another strong barrier against card testing attempts.


Payment fraud techniques evolve, and so should your payments solution. Your SaaS provider should provide regular updates and enable round-the-clock monitoring, making sure your payment system is always equipped with the latest security features.

Take Action Today

Safeguarding your organization against card testing is a must. Do you know if your payment system has all these protections in place for you and your customers? Talk to us at CSG Forte, and we can help you ensure your payments security is up to the task, even as fraudsters put it to the test.