All online businesses have to manage fraud. From fraudsters using stolen cards and card numbers to customers abusing refund policies and disputes. Understanding and navigating illegitimate payments is an important aspect of accepting payments online.

Fraudsters use card testing to determine the validity of card numbers. First, they purchase or steal card details on the dark web, or via phishing or spyware software. Then, with the numbers in hand, they attempt small purchases on an unsuspecting merchant’s site to see if the card was approved .

Since cards are often stolen weeks or month prior, this process reveals which cards have been canceled by cardholders and banks—and which ones are available for use. Once the canceled or declined card numbers are weeded out, fraudsters can move on to make larger purchases, or resell the validated information.

If your business has been used for card testing you'll notice a large number of small transactions being processed through your account all at once, usually with random emails and names. If your payment gateway has done a good job of recognising the fraudulent activity, the majority of these will either be declined or on hold for review. You might see hundreds or even thousands of transactions that you'll recognise as being strange activity on your account.

There are a number of techniques and tools that payment gateways use to recognise and stop card testing in its tracks. These are dependant on the gateway that you're using, so we recommend that you reach out to your gateway directly to see what they can put in place for you. For example, Stripe have a tool called Stripe Radar, which is powered by adaptive machine learning, with algorithms evaluating every transaction and assigning a risk score, then blocking or allowing transactions based on the risk of fraud.