Attack Prevention

How to Defend Your Organization Against Card Testing Attacks

March 1, 2025

eCommerce has grown significantly over the past few years. Unfortunately, so have financial fraud and payment card testing attacks.

According to a recent US Census Bureau report, eCommerce grew 22% and made up a record 17.9% of all commerce in the United States in Q4 2024.

This growth in eCommerce has fueled a similar expansion of financial fraud. Malicious actors are increasingly targeting eCommerce apps and websites to steal gift or stored value cards, pilfer account details, process fake returns, and commit a host of other fraudulent activities.

hCaptcha Fraud Protection is specifically designed to target this kind of transaction-level abuse, whether automated or human. It extends the base hCaptcha Enterprise service with fraud-specific models and features, making it effective even against low-and-slow distributed attacks.

Card Testing

One of the lesser-known but growing attacks is card testing.

Card testing happens when a fraudster uses a merchant's website to "test" stolen credit card information to determine whether the card is still valid. This is typically done by automated bots running stolen card numbers through a merchant's checkout page. If the merchant approves a transaction, the fraudster knows the card is valid and can be used for fraudulent high-value purchases elsewhere.

When this happens, the merchant is left with a high number of disputes, chargeback fees, and interchange or authorization fees.

Card testing has become such a problem that all companies with eCommerce capabilities need to guard against it, especially SMBs.

Inside a Card Testing Attack

Card testing attacks are similar to Primary Account Number (PAN) enumeration attacks, although there are significant differences that make card testing dramatically more damaging than PAN attacks.

A PAN attack begins when a malicious actor identifies an eCommerce website with unsophisticated rate limiting measures in place. Having found such a site, the attacker attempts low-dollar purchases to avoid triggering alerts. The attacker systematically submits enumerated payment card values (PAN, card verification value (CVV2), and expiration date), hoping to arrive at a valid combination. Unless the attacker is detected and blocked, this process repeats until a working set of values is found and a purchase succeeds. Using this procedure, an attacker can potentially obtain valid credit card credentials from nothing more than guesswork.

In card testing attacks, malicious actors steal, or more often purchase, stolen credit card credentials from other cybercriminals or via dark web markets. Armed with supposedly working credentials, attackers don't need to systematically guess valid payment card numbers. They just need to see whether the card is still operational, and card testing does exactly that.

Once an attacker confirms that the credentials are valid, they can use the card to purchase high-end merchandise, or sell the credentials to other cybercriminals at a high price.

Sadly, a merchant that experiences a payment card testing attack is often left with an infuriating amount of payment disputes to resolve and chargeback fees to pay.

SMBs and Large Enterprises at Risk of Attack

Malicious actors frequently target small and medium-sized businesses (SMBs) as their primary card testing victims. Such organizations often lack rate limiting and other defenses against automated attacks (bots). This may be the result of limited resources, a lack of awareness, or the belief that they are not large enough to be targeted.

However, SMBs aren’t the only card testing targets. Any organization that fails to implement adequate protection is at risk, including the largest of enterprises.

Principles of Defending Against a Card Testing Attack

There are a number of telltale signs that card testing is under way. Key indicators include:

  • Invalid or unlikely data in transaction fields
  • An unusually high card authorization volume for low dollar amounts in rapid succession
  • A high volume of identical authorization requests
  • A sharp increase in declines and specific decline codes
  • A big increase in issuing bank/payment brand authorization mismatches

To spot these warning signs, organizations must apply protection technology and gateway solutions that can detect anomalies in these and other areas, and raise appropriate alerts.

Because a high percentage of fraudsters use bots to carry out these attacks, deploying advanced bot detection is also extremely important.
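The indicators above map directly onto checks a detection engineer can run over gateway or application authorization logs. What follows is an added example written for this article, not hCaptcha's product logic and not code from the original post: a sliding-window detector that evaluates all five indicators over a small constructed log. The field names, thresholds, the decline-code set, the US five-digit postal code check and the brand inference from public IIN ranges are all assumptions made for the demo.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    bin6: str          # first six PAN digits (the IIN); never log the full PAN
    brand: str         # payment brand the client claimed, e.g. "visa"
    amount: float
    name: str          # cardholder name as submitted
    postal: str        # billing postal code as submitted
    approved: bool
    decline_code: str  # "" when approved


# Thresholds are assumptions for this demo; tune them to real traffic.
WINDOW = timedelta(minutes=5)
LOW_VALUE = 5.00           # ceiling for a "low-dollar" authorization
MAX_LOW_VALUE_AUTHS = 8    # per source IP inside WINDOW
MAX_IDENTICAL = 5          # same (amount, name, postal) inside WINDOW
MIN_ATTEMPTS = 10          # attempts needed before a decline rate is judged
MAX_DECLINE_RATE = 0.5
# ISO 8583-style response codes typical of testing runs (assumed set):
# 05 do not honor, 14 invalid card number, 51 insufficient funds, 54 expired card.
TESTING_DECLINE_CODES = {"05", "14", "51", "54"}


def brand_from_bin(bin6: str) -> str:
    """Infer the brand from public IIN ranges (bin6 must be six digits)."""
    if bin6.startswith("4"):
        return "visa"
    if bin6[:2] in {"34", "37"}:
        return "amex"
    if 51 <= int(bin6[:2]) <= 55 or 2221 <= int(bin6[:4]) <= 2720:
        return "mastercard"
    if bin6.startswith(("6011", "65")):
        return "discover"
    return "unknown"


def implausible_fields(e: AuthEvent) -> bool:
    """Indicator 1: junk billing data (name lacks two alphabetic words, or the
    postal code is not five digits; US-only assumption)."""
    words = [w for w in e.name.split() if w.isalpha()]
    return len(words) < 2 or not (e.postal.isdigit() and len(e.postal) == 5)


def detect(events: list[AuthEvent]) -> dict[str, list[str]]:
    """Evaluate the five indicators over the last WINDOW of events and return
    indicator name -> offending keys (an empty dict means nothing tripped)."""
    events = sorted(events, key=lambda e: e.ts)
    recent = [e for e in events if e.ts >= events[-1].ts - WINDOW]
    findings: dict[str, list[str]] = {}
    # 1. Invalid or unlikely data in transaction fields.
    bad = [f"{e.src_ip}:{e.name!r}/{e.postal}" for e in recent if implausible_fields(e)]
    if bad:
        findings["invalid_fields"] = bad
    # 2. Many low-dollar authorizations in rapid succession from one source.
    low = Counter(e.src_ip for e in recent if e.amount <= LOW_VALUE)
    burst = [ip for ip, n in low.items() if n > MAX_LOW_VALUE_AUTHS]
    if burst:
        findings["low_value_burst"] = burst
    # 3. Identical authorization requests: same amount and billing data, card varies.
    same = Counter((e.amount, e.name, e.postal) for e in recent)
    dup = [str(k) for k, n in same.items() if n > MAX_IDENTICAL]
    if dup:
        findings["identical_requests"] = dup
    # 4. Decline-rate spike, with the testing-typical decline codes broken out.
    if len(recent) >= MIN_ATTEMPTS:
        declined = [e for e in recent if not e.approved]
        rate = len(declined) / len(recent)
        if rate > MAX_DECLINE_RATE:
            codes = Counter(e.decline_code for e in declined)
            findings["decline_spike"] = [f"rate={rate:.2f}"] + [
                f"{c}x{n}" for c, n in sorted(codes.items()) if c in TESTING_DECLINE_CODES]
    # 5. Claimed payment brand disagrees with the card's IIN range.
    mismatch = [f"{e.src_ip}:{e.bin6}->{e.brand}" for e in recent
                if brand_from_bin(e.bin6) not in ("unknown", e.brand)]
    if mismatch:
        findings["brand_mismatch"] = mismatch
    return findings


def sample_log() -> list[AuthEvent]:
    """Constructed log: twelve $1.00 tests from one IP in 90 seconds (two hit live
    cards) mixed with two ordinary purchases from other customers."""
    t0 = datetime(2025, 3, 1, 12, 0, 0)
    tests = [AuthEvent(t0 + timedelta(seconds=8 * i), "203.0.113.7", f"4{i:05d}",
                       "mastercard" if i == 5 else "visa", 1.00, "test", "12345",
                       i in (3, 9), "" if i in (3, 9) else ("14" if i % 2 else "05"))
             for i in range(12)]
    shoppers = [AuthEvent(t0 + timedelta(seconds=30), "198.51.100.4", "510000",
                          "mastercard", 84.99, "Ana Lopez", "94107", True, ""),
                AuthEvent(t0 + timedelta(seconds=70), "198.51.100.9", "371234",
                          "amex", 129.00, "Sam Okafor", "30301", True, "")]
    return tests + shoppers
```

Calling `detect(sample_log())` trips every indicator for the testing burst from 203.0.113.7, while the two genuine purchases on their own trip none. In production the same logic belongs at the gateway or WAF layer and should be keyed on more than source IP (session, device fingerprint, BIN), because a distributed low-and-slow run can keep each individual IP under the per-source thresholds while the aggregate decline rate and identical-request counts still give it away.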

How hCaptcha Protects You From Card Testing Attacks

hCaptcha offers advanced machine learning fraud detection solutions that protect online properties from sophisticated, automated attacks, including card testing.

Unlike other solutions, hCaptcha maintains broad privacy and security compliance for its customers and their users while leveraging a rapidly deployable, modern and scalable architecture to deliver security with minimal friction.

Click here to learn more about hCaptcha Enterprise Fraud Protection.
