Best Practices - Prevent Card Testing (AKA Card Cracking)

Table of Contents

  1. In-house strategies for preventing card testing
  2. External anti-fraud tools
  3. How to measure anti-fraud effectiveness
  4. Get help with fraud if you need it
  5. What are BIN attacks?

Card testing fraud—also referred to as card cracking—is one of the fastest-growing types of fraud out there. Stolen credit card numbers are readily available for purchase on the dark web, and with EMV chips increasing the security of credit cards themselves, more fraudsters are moving to the world of eCommerce.

Here’s how it works: a thief gains access to a stolen credit card number (or maybe tens, hundreds or thousands of them). Then, in order to find out which cards have expired or been reported stolen and which are still active, they attempt to make a small test purchase with each and keep track of which transactions are approved. For cards that are approved, the fraudster then moves on to making larger purchases in order to get as much value from the card as possible before the fraud is detected.

New call-to-actionIn all, this type of fraud accounts for about 16 percent of all e-commerce fraud, or 7 percent for larger e-commerce merchants. Fraudsters often target smaller merchants when card testing, since they're less likely to have the best and most current anti-fraud measures in place. It’s particularly dangerous in that it can be easily done en masse, resulting in thousands of small purchases all at once—purchases that, when added up, equate to serious financial trouble for the merchant.

Want to keep this type of fraud from hurting your bottom line? Here are some in-house strategies and external tools that can help you do it.

In-house strategies for preventing card testing

There are lots of small tweaks you can make internally to reduce your card cracking vulnerability.

For one, you can activate any AVS and CVV matching features in your online payment gateway.

This will give fraudsters an error message when attempting to use a stolen card, thus dissuading them from multiple attempts with other stolen cards as well.

It's important to note, however, that CVV matching alone won't deter most fraudsters. With software capable of attempting thousands of purchases in mere seconds, and only 1,000 possible CVV numbers for a given card, a fraudster can easily brute force the CVV number if you don't have the anti-fraud measures in place to prevent it.

The easiest method of prevention here is to have a system in place to automatically reject any further attempted transactions using a particular card number after it has been declined a certain number of times. Five or ten attempts should be more than enough for any confused customers, but too few for a brute force attack to work most of the time.

Of course, the best way to prevent not only card testing but fraud in general is to take advantage of all the anti-fraud tools available to you. While CVV matching may not do much by itself, when you add AVS and 3-D Secure 2.0 into the mix, you've made a pretty good start on making life difficult for any fraudsters targeting your business. Unfortunately, no method of fraud prevention is perfect, which is why you want as many anti-fraud tools as possible at your disposal.

Some other strategies you can try include:

  • Monitoring small order activity. Card testing fraudsters typically place multiple small orders at once or within a very short period of time. These purchases may be on the same card or dozens of different ones. Keep an eye on orders of small amounts and analyze any out-of-the-ordinary spikes in them. It very well could be card cracking at work.
  • Giving foreign IP addresses extra scrutiny. The majority of card cracking fraud comes from outside the U.S., so be wary of small orders coming from foreign locations—especially if the shipping costs more than the product itself. If you’re not looking to run a global business, you might even consider blocking all foreign IP addresses just to be safe.
  • Building a blacklist. If you expect someone has been testing cards with your business, put their information on a customer blacklist and ban them from future purchases. Stats show that card cracking fraudsters are often repeat offenders, usually committing fraud an additional 3 to 4 times.

Manage Chargeback In-House Or OutshoreFinally, be on your toes during the holidays. Many fraudsters bank on merchants being too busy to spot inconsistencies, and they’ll use the season to take advantage of that. Be extra skeptical of foreign orders, rush orders or a high number of small-dollar purchases. Don’t be afraid to make a quick phone call or send an email to verify a purchase.

External anti-fraud tools

If you want to fight card cracking fraud, the best external tool you can invest in is a PCI-compliant payment gateway.

It should come with fraud screening features, as well as AVS and CVV matching.

Various automated fraud prevention tools can also help. These should do one or more of the following:

  • Flag suspicious orders or IP addresses
  • Allow for customer blacklisting/blocking
  • Enable automatic blocking of potentially fraudulent orders

A chargeback prevention company can also assist with reducing this type of fraud, as they often have proprietary tools designed to spot fraud and prevent it at every level.

How to measure anti-fraud effectiveness

Naturally, if you’re going to invest time and energy into reducing card testing fraud, you want to verify that your efforts are working. To do that, you’ll want to track the number of card cracking instances each year.

Tracking the chargebacks that result from this type of fraud is also important, as it can threaten your merchant accounts (and your ability to accept payment).

Keep in mind that even with high-end fraud prevention tools in place, you’ll need to tweak and manage your efforts as the year goes on. eCommerce fraud—and the methods thieves use to commit it—is constantly evolving, and that requires regular evolution in our prevention strategies as well

Get help with fraud if you need it

Internal changes and external tools can make a dent in your card testing fraud problem, but don’t be afraid to get help if they’re not moving the needle enough.

Card cracking fraud can lead to chargebacks, which mean lost time, money and maybe even merchant accounts.

If you’re not seeing the results you want, download our eCommerce Fraud Prevention Guide or let a professional chargeback prevention team provide you more customized guidance.


What are BIN attacks?

A BIN attack is when a fraudster copies the first six numbers of a credit card, the BIN, and uses a computer program to generate other possible card numbers with that BIN. They then test these numbers to see if any are active cards.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:

Get the guide, Chargebacks 101: Understanding Chargebacks & Their Root Causes

Ready to Start Reducing Chargebacks?