Card Testing
Fraudsters run small test transactions on stolen card numbers to verify which are still active before using them for larger purchases.
Also known as: account testing, card verification fraud, carding check
Last reviewed: 10 June 2026
Card testing (also called carding verification or account testing) is a preparatory step in payment card fraud. After obtaining a batch of stolen card numbers—usually through data breaches, dark-web purchases, or phishing—criminals make tiny transactions, often just a few cents, on merchant sites to identify which cards have not yet been blocked or reported stolen.
Merchants with low-friction checkout processes, particularly charities accepting micro-donations or digital-goods sellers with instant delivery, are frequently targeted because small amounts raise fewer fraud flags. Once valid cards are confirmed, criminals use them for larger purchases, sell the verified numbers at a premium, or deploy them in carding operations.
Merchants can defend against card testing by implementing CAPTCHA, velocity checks (flagging many small transactions from the same IP or device), requiring CVV and AVS matching, and deploying machine-learning fraud scoring. Unusual spikes in small-value transactions are a reliable signal of an active card-testing attack.
Examples
- A nonprofit noticed hundreds of 1-cent donations in rapid succession from varying IP addresses—a card-testing sweep using their donation form.
- A digital-music platform found its checkout flooded with 10-cent single-track purchases that resolved into a confirmed list of active stolen cards.