Card Testing Fraud on Shopify: Detection & Prevention

Card testing is one of the most disruptive attacks a Shopify merchant can experience. Fraudsters use automated bots to flood your checkout with hundreds or thousands of stolen credit card numbers, validating which ones work — often while you sleep. The aftermath includes processing fees for every attempt, potential payment processor penalties, and a corrupted transaction history that can get your account flagged. This guide explains exactly how card testing works and how to stop it.

What Is Card Testing Fraud?

Card testing (also called carding, card cracking, or BIN attacks) is a technique fraudsters use to validate stolen credit card numbers against a live payment processor. Here is the problem they are solving:

When criminals acquire stolen card data — from data breaches, dark web markets, or phishing attacks — they have lists of card numbers, but they do not know which cards are still active, have not been reported stolen, or have sufficient balance. They need to test the cards against a real payment processor to find the working ones.

Your Shopify store is their testing ground. They look for merchants with:

  • Low-value products (so small transactions are less suspicious)
  • Easy checkout flows with minimal friction
  • No rate limiting or bot detection
  • Digital goods or donations (where no physical shipment is required)

Once they identify which cards are valid, they use those cards for high-value fraud elsewhere — your store was just the testing vehicle. You are left with the damage: transaction fees, chargebacks, processor scrutiny, and potential account suspension.

How Card Testing Attacks Work

A typical card testing attack unfolds like this:

  1. The attacker acquires a card list. These lists contain card numbers, expiration dates, and CVV codes. They are sold in bulk on dark web markets, often for pennies per card when purchased in volume.
  2. An automated bot is configured. The bot is pointed at your Shopify checkout URL. It is programmed to add a specific product to cart, fill in card details from the list, and attempt checkout — repeating this loop thousands of times.
  3. Small transactions are used to avoid detection. Attackers often target your lowest-priced product, or find a way to apply discount codes to reduce the transaction to near zero. A $0.99 or $1.00 transaction is far less likely to trigger manual review.
  4. The bot logs which cards succeed and which fail. Failed cards are discarded. Successful cards are noted for future high-value fraud.
  5. You receive the fallout. Every attempt — success or failure — generates a payment processing transaction. Many processors charge a fee even for declined cards. Successful charges generate real orders and eventual chargebacks.

A single card testing session can involve hundreds of attempts per hour. Without detection, an attack can run for hours before you notice.

Warning Signs of a Card Testing Attack

Card testing attacks have distinctive signatures. Watch for these warning signs in your Shopify admin:

  • Sudden spike in declined payment attempts: Your Shopify Payments or Stripe dashboard will show a sharp increase in declined transactions within a short window. Normal fluctuation is gradual; card testing creates a sudden vertical spike.
  • Multiple orders for the same low-value product: If your cheapest item suddenly generates 50+ orders within an hour, particularly with different names but similar addresses, that is a red flag.
  • Similar or sequential billing information: Card testers often use the same shipping address with different card numbers, or use generated fake names that follow a pattern (John Smith, Jane Smith, John Jones).
  • Orders placed at unusual hours: Automated attacks run 24/7. A cluster of orders placed at 3 AM from multiple geographic locations is suspicious.
  • High rate of payment errors in your Shopify Payments report: Shopify Payments flags accounts with unusual decline rates. Check your payments dashboard for warnings.
  • Unfamiliar email domains: Card testers use generated or disposable email addresses. A pattern of orders from random-character email addresses is a strong indicator.
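The warning signs above can be checked mechanically against an export of checkout attempts. The following is an added example, not code from Shopify, Stripe or Browsify; the record fields, thresholds (other than the 50-orders-per-hour figure from the list above) and the random-email heuristic are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def looks_random(email):
    # Heuristic chosen for this example: long local part, digit-heavy or vowel-poor.
    local = email.split("@")[0].lower()
    letters = [c for c in local if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    digits = sum(c.isdigit() for c in local)
    return len(local) >= 8 and (digits >= 3 or vowels * 5 < len(letters))

def max_in_window(times, window):
    # Largest number of events inside any sliding window of the given length.
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def card_testing_signals(attempts, decline_limit=20, burst_limit=50,
                         cards_per_address=5, random_share=0.5):
    found = []
    declines = [a["ts"] for a in attempts if a["status"] == "declined"]
    if max_in_window(declines, timedelta(minutes=10)) >= decline_limit:
        found.append("decline_spike")
    by_product, cards_by_addr = defaultdict(list), defaultdict(set)
    for a in attempts:
        if a["price"] <= 5.00:  # "low-value" cut-off is an assumption
            by_product[a["product"]].append(a["ts"])
        cards_by_addr[a["ship_to"]].add(a["card_last4"])
    if any(max_in_window(ts, timedelta(hours=1)) >= burst_limit for ts in by_product.values()):
        found.append("cheap_item_burst")
    if any(len(cards) >= cards_per_address for cards in cards_by_addr.values()):
        found.append("one_address_many_cards")
    if attempts and sum(looks_random(a["email"]) for a in attempts) / len(attempts) >= random_share:
        found.append("random_emails")
    return found

# Constructed sample data: 60 attempts, 10 s apart, starting 03:00, every 15th approved.
T0 = datetime(2024, 1, 1, 3, 0)
ATTACK = [{"ts": T0 + timedelta(seconds=10 * i), "product": "sticker", "price": 0.99,
           "status": "approved" if i % 15 == 0 else "declined",
           "card_last4": f"{1000 + i}", "ship_to": "1 Example St",
           "email": f"q{i:02d}xz{i * 37 % 1000:03d}kt@mail.example"} for i in range(60)]
NORMAL = [{"ts": T0 + timedelta(hours=3 * i), "product": p, "price": pr, "status": "approved",
           "card_last4": c, "ship_to": s, "email": e} for i, (p, pr, c, s, e) in enumerate([
    ("mug", 18.00, "4242", "12 Oak Ave", "jane.doe@shop.example"),
    ("sticker", 0.99, "1881", "9 Elm Rd", "maria.lopez@shop.example")])]
```

Run over a rolling window of recent attempts, a non-empty result is a reasonable trigger for an alert; tune the thresholds to your store's normal volume.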

Impact on Your Payment Processor Standing

Beyond the direct costs, card testing attacks threaten your payment processor relationship in ways that can permanently impact your ability to operate:

  • Transaction fee charges for declines: Stripe charges $0.15 per failed payment when Radar blocks a card. Non-Radar declines may cost more. A 500-card testing attack can generate $75+ in fees overnight with zero revenue.
  • Elevated chargeback rate: Successful card test transactions often result in chargebacks when the actual cardholder notices the charge. Even a small number of these can push your chargeback ratio above processor thresholds.
  • Risk scoring and holds: Payment processors use machine learning to detect unusual transaction patterns. A sudden spike in declined transactions can trigger automatic risk flags, account reviews, or temporary holds on your payouts.
  • Permanent account termination: Repeated or severe card testing attacks that result in high chargeback ratios can lead to account termination from Shopify Payments, with termination data shared with other processors through the MATCH list — making it difficult to obtain new merchant accounts.

Early detection and prevention are essential. The cost of prevention is a fraction of the cost of a single sustained attack.

How to Prevent Card Testing with Browsify

Browsify addresses card testing at multiple layers:

  • Bot detection before checkout: Card testing attacks rely on automated bots. Browsify identifies automation signals at the first page load — before the bot reaches your checkout — and blocks the session entirely.
  • Visitor ID rate limiting: Even if a bot varies its IP and browser user-agent, Browsify's Visitor ID fingerprinting identifies when the same device fingerprint is making repeated checkout attempts. Velocity limits block the attack before damage accumulates.
  • Checkout friction for high-risk sessions: Sessions identified as high risk (automation signals, suspicious Visitor ID patterns, known fraud fingerprints) can be required to complete an additional verification step before checkout proceeds, without affecting the experience for legitimate customers.
  • Real-time alerts: Configure Browsify to notify you when unusual checkout velocity is detected so you can respond immediately, even if the attack begins overnight.
  • Block list persistence: Once a card testing bot's fingerprint is identified, it is added to your block list permanently. Future sessions from the same device infrastructure are blocked immediately.
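To show why velocity limits keyed on a device identifier hold up when a bot rotates IP addresses, here is an added example of a sliding-window limiter with a persistent block list. It is not Browsify's code: the class, field names and limits are assumptions, the visitor ID is treated as an opaque string, and the events are constructed.

```python
from collections import defaultdict, deque

class CheckoutVelocityLimiter:
    """Allow at most max_attempts checkout attempts per key in a sliding window."""

    def __init__(self, max_attempts=5, window_s=600):
        self.max_attempts, self.window_s = max_attempts, window_s
        self.attempts = defaultdict(deque)  # key -> timestamps of recent attempts
        self.blocked = set()                # keys that exceeded the limit stay blocked

    def allow(self, key, now):
        if key in self.blocked:
            return False
        q = self.attempts[key]
        while q and now - q[0] >= self.window_s:  # drop attempts older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.blocked.add(key)                 # block list persistence
            return False
        q.append(now)
        return True

def replay(events, key_field, **limits):
    """Return how many attempts reach the payment processor when limiting on key_field."""
    limiter = CheckoutVelocityLimiter(**limits)
    return sum(limiter.allow(e[key_field], e["t"]) for e in events)

# Constructed events: one automated device using a new IP for each of 40 attempts,
# plus one ordinary customer who retries once after a typo.
EVENTS = sorted(
    [{"t": 5 * i, "ip": f"203.0.113.{i}", "visitor_id": "fp-a1"} for i in range(40)]
    + [{"t": 50, "ip": "198.51.100.7", "visitor_id": "fp-c9"},
       {"t": 400, "ip": "198.51.100.7", "visitor_id": "fp-c9"}],
    key=lambda e: e["t"])

if __name__ == "__main__":
    print("limit per IP        :", replay(EVENTS, "ip"), "attempts reach the processor")
    print("limit per visitor ID:", replay(EVENTS, "visitor_id"), "attempts reach the processor")
```

Keyed on IP, every attempt passes because no address repeats often enough; keyed on the visitor ID, only the first five automated attempts and the customer's two get through.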

Stop Card Testing Attacks Before They Drain Your Account

Browsify detects card testing bots in real-time and blocks them before they reach your payment processor — protecting your fees, your chargeback ratio, and your merchant account.
