Building a Stronger Strategy Against Card-Testing Bots

It’s a scenario every high-risk merchant dreads. You wake up one morning, check your dashboard and see a massive spike in transaction volume. For a fleeting moment, you’re excited at the premise that something went viral — but then reality sets in. You find thousands of transactions, all for $0.50 and all declined.

Instead of crushing it with high sales, you’ve experienced a card-testing attack. While you were sleeping, a botnet was running thousands of stolen credit card numbers through your checkout page to identify ones that work. While you didn’t get scammed out of actual goods, your standing with your processor just took a hit and you are likely facing thousands of dollars in authorization fees.

Below is a guide explaining how these attacks work, the impact of AI, how processors respond and strategies for protecting your business.

Hijacking Your Checkout Page
Card testing, or “carding,” happens when fraudsters purchase raw credit card data on the dark web. They don’t know which cards are active or which have been cancelled by the issuing banks. To filter the “live” cards from the “dead” ones, they target online businesses — especially those in high-risk sectors like the adult industry. Why? Because fraudsters know that high-risk merchants often optimize their gateways for maximum approval to reduce friction. Unfortunately, this tactic sometimes has the unwanted side effect of leaving the front door slightly ajar.

The bot attempts a microtransaction on your site. If the transaction is approved, the fraudster knows the card is valid and uses it elsewhere for big-ticket items. If the transaction is declined, they move on to the next card. For them, your checkout page is just a handy validation tool. For you, this is a disaster waiting to happen.

AI: The Threat Evolves
In the past, these bots were clumsy. They slammed a server with requests from a single IP address, making them relatively easy to identify and block. You could simply blacklist the offending IP and the problem was solved.

Enter artificial intelligence.

Modern AI-driven bots don’t just spam requests; they mimic human behavior. They rotate through thousands of residential IP addresses to bypass standard firewalls. They can simulate mouse movements, keystroke pauses and even solve basic CAPTCHAs. They don’t look like robots anymore; instead, they look like customers.

This increased sophistication means that traditional “set it and forget it” security filters are no longer sufficient. The enemy has upgraded their arsenal and if you are relying on security protocols from five years ago, you are bringing a knife to a gunfight.

‘Silent’ Costs: It’s Not Just About Chargebacks
When most merchants think of fraud, they think of chargebacks — the headache of losing product and then getting hit with a dispute fee. Card testing is different. It harms your business in ways that may not show up on a profit-and-loss statement until it is too late. The damage is threefold:

  1. The authorization fee drain. Every time a card is run through your gateway, often even if the transaction is declined, you pay an authorization fee. This can range from $0.10 to $0.30 per attempt. If a bot runs 20,000 cards in a single hour, you could owe thousands of dollars in fees before you’ve even had your morning coffee — and you are paying for the privilege of being attacked.
  2. The decline ratio red flag. Card networks like Visa and Mastercard monitor your decline rates closely. To a bank, a high decline rate is a primary indicator of illegal activity or poor risk management. If your decline rate spikes above acceptable thresholds, often around 10%, you are immediately flagged. For high-risk merchants already under the microscope, this often leads to an immediate freeze of your processing funds — or worse, termination of your account.
  3. The ‘death penalty’: TMF. If a processor shuts you down due to excessive fraud attempts, they may place your business and your personal name on the dreaded MATCH (Member Alert to Control High-Risk Merchants) list, formerly known as the TMF. Once you are on this blacklist, obtaining a new merchant account becomes nearly impossible.

For high-risk merchants, any one of these issues can be fatal. This is why card testing is a silent killer. It doesn’t just steal money; it attacks the very infrastructure that allows you to accept payments.

Unfortunately, you cannot rely solely on your payment processor to catch every single carding attempt. By the time a request hits the gateway, you may already be liable for the authorization fee. You need to stop bots before they strike. Below are some methods for protecting your checkout against AI bots without killing your conversion rates.

Velocity Checks: The First Line of Defense
Velocity checks limit the number of transactions allowed within a specific time frame. Think of this as a digital bouncer at the door. You should implement this on two levels:

  • IP-based velocity. Limit the number of attempts from a single IP address. For instance, a maximum of three attempts per hour.
  • Device fingerprinting. Since AI bots rotate IPs to evade bans, they often reuse the same virtual device. Use a fingerprinting tool to identify the device ID and block it after failed attempts, regardless of which IP address it switches to.
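
The two velocity levels above, as an added example (not code from the article or from any gateway vendor). The three-per-hour IP limit is the article's figure; the device decline threshold, the in-memory store and a `device_id` supplied by a fingerprinting tool are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # one hour, matching the article's example
MAX_ATTEMPTS_PER_IP = 3        # the article's example limit
MAX_DECLINES_PER_DEVICE = 3    # assumed threshold; tune to your own traffic


class VelocityGate:
    """Sliding-window gate consulted before a request is sent to the gateway."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._ip_attempts = defaultdict(deque)      # ip -> attempt times
        self._device_declines = defaultdict(deque)  # device_id -> decline times

    @staticmethod
    def _prune(times, now):
        # Drop timestamps that have aged out of the window.
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()

    def allow(self, ip, device_id):
        """Return (allowed, reason); an allowed attempt counts against the IP."""
        now = self._clock()
        declines = self._device_declines[device_id]
        self._prune(declines, now)
        if len(declines) >= MAX_DECLINES_PER_DEVICE:
            return False, "device_blocked"   # holds across IP rotation
        attempts = self._ip_attempts[ip]
        self._prune(attempts, now)
        if len(attempts) >= MAX_ATTEMPTS_PER_IP:
            return False, "ip_velocity"
        attempts.append(now)
        return True, "ok"

    def record_decline(self, device_id):
        self._device_declines[device_id].append(self._clock())


def replay(events, gate):
    """Replay constructed (ip, device_id, declined) events; return the reasons."""
    reasons = []
    for ip, device_id, declined in events:
        allowed, reason = gate.allow(ip, device_id)
        if allowed and declined:
            gate.record_decline(device_id)
        reasons.append(reason)
    return reasons
```

The state here lives in one process; a checkout served by several machines needs the counters in a shared store so every server sees the same counts.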


The ‘Invisible’ CAPTCHA
Merchants hate CAPTCHAs because they add friction and lower conversion rates. However, modern solutions like reCAPTCHA v3 or hCaptcha operate entirely in the background. They analyze user behavior such as mouse movements, navigation history and time on page to assign a “risk score” to every visitor, and only trigger a visible puzzle — like “click on all fire hydrants” — if the risk score is high. Legitimate customers flow through seamlessly; bots hit a wall.

Honeypot Fields
This classic developer trick is surprisingly effective. Add a hidden form field to your checkout page that is invisible to human users, but visible to bots scanning the code. If a bot fills out this “honeypot” field, you know immediately it is not a human. Your site can then block the submission instantly, ensuring the request never reaches the banking network.
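
A server-side honeypot check, as an added example (not code from the article). The field name `company_website` and the urlencoded form body are assumptions, and the example goes slightly beyond the article by also rejecting posts where the field is missing altogether, since a browser that rendered the form always submits it empty.

```python
from urllib.parse import parse_qs

# Hypothetical field name; choose one that reads like a normal form field.
HONEYPOT_FIELD = "company_website"

# Rendered inside the checkout <form>. Positioned off-screen and kept out of
# the tab order, screen readers and autofill so real users do not fill it.
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-9999px" aria-hidden="true">'
    f'<label>Company website <input type="text" name="{HONEYPOT_FIELD}" '
    'tabindex="-1" autocomplete="off"></label></div>'
)


def screen_submission(raw_body):
    """Classify a urlencoded checkout POST before any gateway call.

    Returns (forward_to_gateway, reason).
    """
    # keep_blank_values=True matters: a real browser sends the field as an
    # empty string, and parse_qs drops empty values by default.
    form = parse_qs(raw_body, keep_blank_values=True)
    values = form.get(HONEYPOT_FIELD)
    if values is None:
        # Field absent: the POST was not built from the rendered form.
        return False, "honeypot_missing"
    if any(v.strip() for v in values):
        # Field filled in: something populated an input no human can see.
        return False, "honeypot_filled"
    return True, "ok"


# Constructed sample bodies (no real customer or card data).
SAMPLES = {
    "browser": "name=Ann+Lee&zip=90210&company_website=",
    "form_filler": "name=x&zip=00000&company_website=http%3A%2F%2Fexample.test",
    "direct_post": "name=x&zip=00000",
}


def classify_samples():
    return {label: screen_submission(body) for label, body in SAMPLES.items()}
```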

Enforce AVS and CVV Matching
Ensure that your gateway settings are configured to require a match for the address verification system (AVS) and the card verification value (CVV). Many card testers buy data that lacks the correct billing zip code. If you reject transactions where the AVS doesn’t match, you stop the fraudster from validating the card, making your site a useless target for them.

In the high-risk world, your merchant account is your lifeline. Don’t let a silent bot attack sever it. Implementing smart client-side security fixes can help inoculate your business against these revenue killers — so you never have your precious morning coffee time ruined again.

Jonathan Corona has two decades of experience in the electronic payments processing industry. As chief operating officer of MobiusPay, he is responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards mandated by the card associations.


Copyright © 2026 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
