Card Testing

A type of fraud where attackers attempt to determine the validity of stolen card information by making small transactions on a merchant's site.

Updated March 1, 2026•3 min read

Card testing (or "carding") is an automated attack where fraudsters use a merchant's checkout flow to check if a large batch of stolen credit cards is still active. These attacks typically involve a high volume of small, rapid transactions or "round-number" charges.

Card testing is a high-severity signal for platforms like Stripe because it suggests the merchant's site has weak security controls. Even if the individual transactions are small, the aggregate volume of declines and subsequent disputes can lead to an immediate account block or permanent payout hold.

The best defense against card testing is a combination of CAPTCHA, rate-limiting, and stricter fraud filters like CVC and AVS checks.

Why this term matters for Stripe account risk

Card Testing is not only a vocabulary item. It is a live risk signal that influences how Stripe evaluates dispute exposure, payout predictability, and verification confidence for your account. When this signal appears together with abnormal refund velocity, delivery uncertainty, or weak policy disclosures, account controls can become stricter. Treat Card Testing as an operational metric that should be monitored, documented, and explained with evidence.

Diagnostic signals to review weekly

Track trend direction, not just a single snapshot. A persistent rise is more important than one isolated spike.
Compare this signal with fulfillment timing, support response speed, and billing clarity to identify root causes.
Document the exact trigger conditions so your team can reproduce, audit, and resolve the issue consistently.
Escalate early when this term appears alongside dispute-heavy reason codes or repeated verification requests.

Practical actions to improve confidence

Define an internal threshold and owner for this signal so actions are not delayed.
Link this signal to a checklist in your operations workflow (checkout, fulfillment, support, and evidence retention).
Update website disclosures and receipts so customer expectations match real delivery and billing behavior.
Keep a short incident log with timeline, root cause, and remediation to support future platform reviews.

Where This Appears

Card Testing commonly appears in the following Stripe risk scenarios:

Problems linked to this term

Stripe Behavioral Anomaly Detection
Why Stripe flags behavioral anomalies and how merchants should isolate the abnormal cohort behind the signal.
Stripe Failed 3DS Authentication Spike
Why failed 3DS spikes matter, what they usually indicate about traffic quality, and how to diagnose the affected cohort.
Stripe High Decline Velocity
Why a rapid rise in declines often signals attack traffic, poor acquisition quality, or unstable checkout risk controls.
Stripe Multiple Cards Same Device
Why many cards on the same device often look like fraud pressure and how to separate attack clusters from legitimate edge cases.

Guides using this term

Stripe Payout Holds Explained
A practical guide to Stripe payout holds, what they usually mean, and how to reduce the uncertainty that keeps funds delayed.
High-Risk MCC Explained
How Merchant Category Codes (MCC) determine your risk profile and why some industries face higher scrutiny from Stripe.
How to Handle Card Testing
A step-by-step guide to identifying, blocking, and reporting automated card testing attacks on your Stripe account.
Stripe Fraud Prevention Stack
How to configure Stripe Radar, 3D Secure, and custom metadata to build a high-confidence fraud defense.

Topic hubs

Fraud Signals and Risk Patterns

How traffic quality, device behavior, and transaction anomalies combine into stronger fraud and account-risk signals.

Related glossary terms

CAPTCHA

A type of challenge-response test used in computing to determine whether or not the user is human.

BIN Analysis

The process of analyzing the Bank Identification Number to detect fraud and routing patterns.

AVS (Address Verification Service)

A security tool used to verify that the billing address provided by a customer matches the address on file with their card issuer.

CVC Check

A security verification that checks if the Card Verification Code provided during a transaction matches the code on file with the bank.

3D Secure (3DS)

An additional security layer for online credit and debit card transactions that provides explicit customer authentication.

Risk Confidence

A measurement of how certain a payment platform is that a business will operate predictably and cover its reversal liabilities.

Move from definitions to diagnosis

Once the term makes sense, use the problem library and operational guides to see how it creates real Stripe account pressure.