Carding

Also known as: Credit card fraud, Card testing

The testing, trading, and fraudulent use of stolen credit card data — including "card testing" on e-commerce checkouts to validate which stolen numbers still work.

What is carding?

Carding is the umbrella term for the criminal economy around stolen payment-card data: obtaining the numbers, testing whether they still work, selling validated numbers on underground markets, and ultimately using them to buy goods, load gift cards, or cash out through a money mule. The data comes from phishing, skimming devices, point-of-sale malware, e-commerce data breaches, and — increasingly — account takeover of legitimate users whose cards are already stored.

Card testing: the most visible piece

The piece that hits ordinary merchants hardest is card testing — running small charges against thousands of stolen numbers to see which ones still authorize. A typical card-testing run looks like:

  • Hundreds or thousands of transactions within minutes
  • Each transaction is a small, consistent amount ($0.10 to $5.00)
  • Cards usually decline, but a small percentage authorize
  • The successful ones get flagged for downstream fraud; the rest are discarded
  • Source traffic often rotates through residential proxies to avoid IP reputation checks

The merchant sees a sudden spike in authorization attempts, a spike in declines, and, if the gateway bills per attempt, a real cost even from the rejected charges.

Defense

Payment processors apply velocity limits, BIN-level risk rules, and device fingerprinting. Merchants can add CAPTCHA on checkout, require account creation for purchases above a threshold, enforce 3-D Secure on suspicious transactions, and block checkouts from known-abuse IPs. Checking the source IP against an IP abuse report checker will often return prior reports of card-testing or other fraud activity, letting the system gate the checkout before the authorization is even attempted.

Frequently Asked Questions

Card testing is when fraudsters submit thousands of small authorization attempts (often $0.10-$5.00) on stolen card numbers to learn which ones still work. Small merchants are hit because their checkouts often have weaker velocity limits, no CAPTCHA, and limited anti-fraud rules. Even when 99% of tested cards decline, the merchant pays per-transaction gateway fees on every attempt, plus chargebacks on any cards that authorize and are later disputed by the real cardholder.
Five main sources: e-commerce data breaches, point-of-sale malware that scrapes card data from retailer terminals, physical skimmers at ATMs and fuel pumps, web skimmers (Magecart) injected into checkout pages, and phishing or account-takeover that captures cards stored in legitimate accounts. Stolen numbers are then sold in batches on underground markets, typically for $5-$50 per card depending on freshness, country, and bank.
A BIN (Bank Identification Number) attack guesses card numbers by combining a known issuer's BIN — the first 6-8 digits — with generated middle digits and a calculated Luhn check digit. The generated cards are then card-tested to find combinations that authorize. BIN attacks generate huge bursts of declines (often >99%) but produce a steady trickle of valid cards. They are particularly damaging because the merchant gets the charges while the bank's customers had no involvement at all.
Modern processors layer multiple defenses: velocity limits per IP, per device, and per email; BIN-level risk rules that flag issuers with high attack history; AVS and CVV mismatches as decline triggers; device fingerprinting to spot bots; 3-D Secure step-up for risky transactions; and shared cross-merchant intelligence about IPs and patterns seen in known carding attacks. Stripe Radar, Sift, Forter, and Kount/Equifax are the major specialists.
Three layers of cost. Direct: per-attempt gateway fees (typically $0.05-$0.30 per attempt) on thousands of declines, which can add up to thousands of dollars in a single campaign. Indirect: the merchant's authorization rate drops sharply, which damages relationships with payment processors and can lead to higher rates or termination. Reputational: cards that succeed and are later charged back generate chargeback fees ($15-$100 each) and push the merchant toward the chargeback-monitoring thresholds that trigger card-network penalties.