Are you seeing more declined transactions than expected or receiving small donations that don’t look legitimate?

You may be the latest victim of card testing spam.

Online payment processor Stripe gives an excellent definition on their website:

Card testing is a type of fraudulent activity where someone tries to determine if stolen card information can be used to make purchases. Other common terms for card testing are “carding”, “account testing”, and “card checking”.

It’s an unfortunate reality that credit card information is sold on the dark web every day. Verified card numbers are worth more to buyers, so generally get verified before being used sold.

Smaller web stores and donation forms are a low-risk way for criminals to test these cards in bulk, as they often lack the sophisticated fraud and abuse detection systems larger merchants employ.

Countermeasures you can take

There are strategies you can use to limit your risk of being a victim of this type of attack:

  • Enable/increase the fraud detection settings at your credit card processor
    • Enable AVS if not enabled, and ask for a Zip/Postal Code on your payment form
    • Stripe offers Radar – which uses Machine Learning to block attacks
  • Add a captcha
    • Google offers recaptcha for free, and many plugins offer support for it
  • Add an anti-spam plugin
    • Akismet integrates with many plugins and offers crowd sourced spam detection
  • Add rate limiting
    • Most attacks are bulk verification attacks: plugins like WordFence, reverse proxies like Cloudflare and Web Application Firewalls (WAF) can detect abusive behavior and block attacks by IP
  • Require a login
    • Disable guest checkout or guest donations

A combination of approaches is often best — just make sure you don’t block legitimate users or add hurdles that hurt conversions.

Need help?

Our experts can help you determine the best countermeasures to put into place for your business, and can configure them for you. Let’s talk!


Photo by Dylan Gillis on Unsplash

Nick Ciske

Nick Ciske – CTO / CISO

Nick has a degree in Multimedia Design and over 20 years of experience working in web development and digital media. In his career he’s built or rebuilt just about every kind of website, including many content management systems (before WordPress), several custom e-commerce systems, and hundreds of websites.