6 ways to protect your ecommerce site from credit card validation testing

Thursday, April 13, 2023

There’s a reason why thieves and thrillseeking teens pull car handles — an unlocked car is much easier to steal. Would-be fraudsters looking to do credit card validation testing use the same method. They look for ecommerce websites with lax security to complete small card transactions to confirm that stolen card data is useable and fill in the blanks on any missing cardholder information. The thief steals the car, and the fraudster gets sensitive credit card information to use or sell.

Whether you complete some or all of your sales online, this is an issue small businesses should be concerned about. We’re going to walk you through the process to protect your ecommerce website so you’re not losing money and customers to fraud. In this article, you’ll learn:

What is credit card validation testing?

Credit card validation testing, also called card testing or card cracking, is the most commonly used fraud tactic worldwide. Thieves use bots, scripts and computer programs that enable their users to quickly test large batches of stolen card data. Stolen data could include debit card and credit card numbers, account numbers, card expiration dates or the card verification value 2 (CVV2).

Fraudsters then take the stolen data to run credit card numbers through a business’ online payment page or shopping cart. Since card testing is trial and error for the scammer, they’re going to try for as many small transactions as they can without raising any red flags to you, the merchant, or your fraud monitoring tools. If a payment goes through, they’ll know the card number and cardholder data are valid and can be used or sold elsewhere on the dark web.

Getting declined doesn’t deter them, and depending on your settings with your payment platform, you may even help them out. For example, if you provide customers with specific info about why their payment was declined — an incorrect card verification code, address, etc. — while super helpful for legitimate customers, it can also be the last piece of the puzzle for a scammer to steal cardholder information.

How does credit card validation testing affect small businesses?

You may be thinking, with all of the tech involved, card testing only affects enterprise businesses, right? Think again. No matter your business size, card testing is a problem.

And it costs small businesses big. According to LexisNexis’ True Cost of Fraud™ Study, $1 of fraud now costs US retail and ecommerce merchants $3.75, up almost 20% from 2019 at $3.13. And when you consider the current median fraud charge is $62, you can see how getting defrauded adds up quickly.

Plus, cardholder victims of successful card testing schemes may contact their card issuers and ask for a chargeback. Since card testing is usually done in large batches, you may have to defend against multiple chargebacks at once. Those chargebacks can cause your chargeback ratio to go up and put you at risk of being placed in chargeback monitoring programs from Visa, MasterCard and American Express, along with other consequences from card brands, up to losing the ability to accept credit cards entirely.

Those are just the ramifications of “successful” card testing fraud. The rash of declines will get you, too. Processing too many declines can cause your payment processor to reclassify you as a high-risk merchant, which usually comes with higher fees and other unpleasant changes. Plus, the automated bots can overwhelm your page’s network traffic which can mean that legitimate customers can’t complete their transactions — causing you to lose out on sales.

And if that’s not enough, to add insult to injury, your business’ reputation will likely take a hit with customers. Whether or not the cardholder was actually a customer of your business, it won’t keep them from leaving a negative review or publishing their story on social media.

How to protect your business from credit card validation testing

Protecting your business from credit card validation testing comes down to having secure payment systems, period. Let’s take a deep breath and look at the tech and processes that can help you keep would-be scammers away from your payment page.

1. Use address verification service (AVS) matching

AVS is one of the most widely used fraud prevention tools in your toolbox for card-not-present transactions. While originally developed for mail-order transactions, AVS is now mostly used for ecommerce. The service works by verifying the address entered by the customer is associated with the cardholder’s credit card account.

During checkout, the customer enters their address and it’s then compared against the address on file with the card-issuing bank. Once the comparison is complete, the card issuer returns an AVS code. You can use the code to decide how you’d like to proceed with the transaction — accept or deny.

2. Use card verification value (CVV) matching

The card verification value (CVV), also called card verification value 2 (CVV2) or card security code (CSC), is the three- or four-digit number usually on the back of the card (it’s on the front of Amex cards). It’s a security number that authenticates the card as legitimate and in the possession of the cardholder. The “2” in CVV2 just means that it is a second-generation CVV number that was designed to give additional protection against fraud.

Like AVS, the card validation code the customer enters should match the one on file with the cardholder’s issuing bank. If the CVV code matches, the transaction can be approved. If it’s not a valid CVV, it’s either a customer error or potential fraud.

3. Require usernames and passwords to purchase

Requiring customers to use a login and password to make payments on your site offers an extra layer of security to your page. Requiring strong passwords, ones that include a mix of numbers, symbols and capital letters, can help keep card-testing bots away. Keeping an eye on failed logins to your page can also help you prevent fraud.

4. Monitor IP addresses

Geolocation allows you to track the exact location of a computer or networking device via an IP address. Like AVS, geolocation compares the billing address (likely where your products will be sent) to the IP address of the customer. If the customer is in a completely different place than the billing address, it can clue you into a potentially fraudulent transaction. For example, if the cardholder has an address in Texas, and the order is coming from an IP address in Nigeria, it might be fraud, particularly if any other fraud factors are present.

5. Require email address verification

Verifying email addresses is one way to outsmart and weed out card-testing bots. Email verification is the simple process of having the customer verify their email address. That way, you have confirmation that your customer received and interacted with your email. Card-testing bots usually provide disposable emails that have odd formatting, characters and domains.

6. Blacklist suspected bad actors

If there is a “customer” you suspect is card testing, you can block them from making purchases. Studies show that scammers will almost always retarget businesses they’ve hit successfully.
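
One way to find candidates for blocking from your payment attempt log, shown as an added example that is not Heartland’s code: it flags an IP address that tries several different cards in small amounts with mostly declines, the card-testing pattern described earlier in this article. The thresholds, record layout and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # assumed look-back window per IP
DISTINCT_CARD_THRESHOLD = 4   # assumed: different cards tried from one IP
MIN_DECLINE_RATIO = 0.7       # assumed: share of those attempts declined
SMALL_AMOUNT = 5.00           # assumed ceiling for a "small" test charge

# Constructed sample: (epoch_seconds, ip, card_token, amount, approved)
SAMPLE_ATTEMPTS = [
    (1000, "198.51.100.7", "tok_a1", 42.50, True),   # ordinary purchase
    (1030, "203.0.113.9", "tok_b1", 1.00, False),
    (1042, "203.0.113.9", "tok_b2", 1.00, False),
    (1055, "203.0.113.9", "tok_b3", 1.00, False),
    (1061, "203.0.113.9", "tok_b4", 1.00, True),     # one stolen card "works"
    (1070, "203.0.113.9", "tok_b5", 1.00, False),
    (2500, "192.0.2.44", "tok_c1", 3.00, False),     # customer typo...
    (2530, "192.0.2.44", "tok_c1", 3.00, True),      # ...same card, retried
]

def find_card_testing_ips(attempts):
    """Return {ip: time_first_flagged} for sources matching the pattern."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = {}
    for ts, ip, card, amount, approved in sorted(attempts):
        window = recent[ip]
        window.append((ts, card, amount, approved))
        # Drop attempts that have aged out of the look-back window.
        while window and window[0][0] < ts - WINDOW_SECONDS:
            window.popleft()
        small = [a for a in window if a[2] <= SMALL_AMOUNT]
        cards = {a[1] for a in small}
        declines = sum(1 for a in small if not a[3])
        # Many different cards + mostly declines = likely card testing.
        # A single customer retrying one card never reaches the card count.
        if (ip not in flagged
                and len(cards) >= DISTINCT_CARD_THRESHOLD
                and declines / len(small) >= MIN_DECLINE_RATIO):
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, ts in find_card_testing_ips(SAMPLE_ATTEMPTS).items():
        print(f"review and consider blocking {ip} (flagged at t={ts})")
```

Counting distinct cards rather than raw declines keeps a legitimate customer who mistypes a code a few times out of the block list.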

Kick scammers to the curb

If you’re feeling overwhelmed, you’re not alone. Savvy business owners who know these risks often work with a payment processor to get the security they need to help keep fraud at bay.

When it comes to the hardware and software you need to mitigate all types of fraud, Heartland Secure™ delivers EMV, encryption and tokenization, and comes standard for payment acceptance devices. Our POS and payment processing solutions make it easy to comply with PCI and practically eliminate the risk for fraudulent in-person transactions.

Heartland’s secure payment processing helps keep you, your business and your customers safe from online fraudsters and thieves. And our robust reporting capabilities make it easy to monitor transaction activity and spot suspicious entries.

Ready to protect your business? Contact us today.


Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us