Card testing fraud: What it is, how it works, and more

Criminals may steal or buy credit card and debit card information to commit card fraud. They often conduct small payment tests to see if the cards are valid before trying to make larger fraudulent purchases or withdrawals.

Learn about card testing fraud and possible things to do if credit card information is stolen.

What is card testing?

Card testing fraud — sometimes called card checking, carding, or account testing — refers to the process that criminals may use to determine whether debit and credit cards work, typically by attempting small transactions with the card details.

Generally, criminals are testing card account information that they stole or bought online to determine whether the card has already been canceled or locked. They may also be guessing card details and using the test to check their guesses.

If a cardholder notices that their credit or debit card was stolen and locks the card or reports the theft, a card test will likely fail. Similarly, deactivated accounts and guessed card details that don't correspond with a real card will typically fail card testing.

If the card passes a test and the card is still active, criminals could go on to commit substantial card fraud — using the card to make larger fraudulent purchases, unauthorized withdrawals, or selling the stolen card's details to other criminals.

How does card testing work?

There are two common methods for testing stolen credit card details:

  • Small payments. Fraudsters may try to make a purchase to see if the card is valid. Generally, fraudsters make small purchases because cardholders are less likely to notice if their balance changes by a few dollars.
  • Authorizations. Rather than initiating transactions, fraudsters may try to use a pre-authorization that verifies that the card is active and the cardholder has sufficient funds. It's similar to how hotels often put a temporary charge on a credit card when someone checks in. Fraudsters may use this method because people could be less likely to question small pending transactions than completed purchases.

Criminals may steal or buy thousands of card details and test them all to see which cards are still valid. Manually going card by card would likely take too long. It’s possible for criminals to use large networks of compromised computers to quickly test thousands of stolen cards at a time.

What is the impact of card testing?

For cardholders, an unexpected payment or authorization could be an indication that their card's details have been stolen. If they don't notice, they may wind up paying the credit card bill or allowing the fraudsters to get away with using their debit card.

Some card issuers may not hold consumers liable for unauthorized transactions that are reported immediately. This means people could have to request a new card and update payment details, but there won't necessarily be financial repercussions if the card issuer offers fraud protection.

It all starts in the app

Save cash back offers from top brands. Plus send money, track packages, and more.

Scan the code or enter your number to get the app.

By clicking 'Send Link' you agree to receive a text message with a link to the PayPal app. Message and data rates may apply.

Common ways credit card numbers may be stolen

Some of the common ways credit card numbers are stolen include:

  • Data breaches. Hackers may break into a large company's system and find the details for thousands of cards. They then test the cards to see which ones still work. Or they sell the data from the breach, and the buyers test the cards.
  • Phishing. Criminals may send phishing emails or texts (sometimes called smishing) that look like they come from legitimate companies. The recipient may click on a link in the message and enter their card details to “verify” an account or transaction — but they're actually sending the details directly to the criminal. Alternatively, the link may install malware on the device that can steal the victim's personal and financial information.
  • Guessing. Fraud groups may use software to guess various combinations of card details and then test the cards to see if any of their guesses work. Cards from the same issuer share a bank identification number (BIN) — which are the initial digits on the card — so criminals may use that as a known starting point.
  • Skimming. Card skimming devices can copy information when a card gets inserted or swiped. Fraudsters may place these devices on top or inside ATMs and card readers. There may also be cameras or touchpad overlays that are used to record consumers' PINs. The criminals can then come back and collect all the stolen card information to sell or create counterfeit cards.

Consumers can help protect themselves from some of these methods by learning how to identify fake messages and using safe payment options. For example, tapping a card or using a digital wallet can help keep a card's details hidden from skimming devices.

However, even the best protections may not protect cardholders from every type of attack. That's why monitoring accounts for fraudulent activity is important. Some companies, such as PayPal, also provide fraud monitoring for card testing by detecting and alerting customers to unusual activity so they can take quick action to secure any compromised accounts.

What to do if credit card information is stolen

When someone suspects that their card is lost, stolen, or compromised, it's important to report the loss or theft as soon as they’re able and freeze their card account. Card issuers can then work to keep criminals from fraudulently using stolen card numbers, while cardholders can take steps to get a replacement card.

The process to report fraudulent activity or stolen card numbers will depend on the card issuer. Some methods to do so may be:

  • Call the phone number on the back of the card. Most cards will have a phone number listed on the back of the card. Cardholders may be able to call and speak with a representative to report potential fraud or a stolen card. If a card has been physically stolen or lost, cardholders may be able to find contact information online via search or the card issuer’s official website.
  • Use the card issuer’s website or mobile app. Many card issuers offer online account services. If a card has been compromised, a cardholder may be able to report fraud using the website or app. Cardholder’s may also have the option to freeze their account immediately to prevent further fraudulent transactions.

Make security a priority with PayPal.

Was this content helpful?

Related content

We use cookies to improve your experience on our site. May we use marketing cookies to show you personalized ads? Manage all cookies