Card Testing Fraud: How Canadian Merchants Get Hit and How to Stop It

What Card Testing Actually Is

Fraudsters acquire batches of stolen card numbers — often from data breaches sold on dark web forums. The problem is they don't know which cards still work. Card testing solves that: bots run hundreds of micro-transactions ($0 auth or $1 charges) through a merchant's checkout to validate which card numbers are live.

The merchant becomes an unwitting validation service. Every declined attempt costs processing fees. Every successful validation gets used for a larger fraudulent purchase somewhere else — often immediately. The cardholder eventually notices, files a dispute, and the chargebacks arrive.

This is distinct from friendly fraud (where a real customer disputes a legitimate charge) and from BEC fraud (which involves social engineering of staff). Card testing is pure bot automation, and it can start and end within an afternoon.

Why Canadian Merchants Are Targeted

Canada has one of the highest Shopify merchant densities in the world — thousands of small e-commerce stores, many running light fraud controls. Digital product sellers are especially vulnerable: downloads, gift cards, and subscriptions have no shipping delay, so a validated card can be immediately used to purchase something of real value.

Gift card stores and subscription box services are perennial targets. The instant digital fulfilment means fraudsters can validate a card and extract value from the same merchant in one attack. Canadian businesses selling US-market digital products are particularly exposed because card testing bots are typically calibrated against USD checkouts.

Warning Signs

Card testing attacks have a recognizable signature. Watch for:

• Sudden spike in declined transactions — dozens or hundreds within a short window, often all failing at the same step (CVV mismatch or AVS fail)
• Many identical or sequential billing addresses — bots often use randomized but patterned address data
• International billing for locally-targeted products — US or European billing addresses on a Canadian-market store
• $0 authorization holds accumulating — if your gateway supports $0 auths, these show up as a flood of zero-dollar pending holds
• Multiple cards from the same IP — velocity on IP address is a tell, though sophisticated attackers rotate through proxies

Your processor's decline reports will show these patterns clearly. Check your Stripe Dashboard or Moneris Merchant Direct reports if transaction volume suddenly spikes — even if your sales dashboard looks flat.

Stripe Radar: Step-by-Step Response

Stripe has the most accessible fraud tooling for Canadian merchants. Radar is built into every Stripe account, and the default rules are a starting point — not a complete defence. Here's what to configure.

Step 1: Log into Stripe Dashboard → Radar → Rules.

Step 2: Add a rule to block if CVV check fails. Default Radar may only review failed CVV — change this to block for any card-not-present transaction where CVV is not provided or fails.

Step 3: Add an AVS rule: block if AVS fails AND the billing country is not CA. This catches most international bot traffic while preserving the ability to accept legitimate Canadian cards where AVS data is incomplete.

Step 4: Add a velocity rule — maximum 3 card attempts per email address per hour. Bots typically rotate email addresses too, so also add: maximum 5 card attempts per IP address per hour.

Step 5: Enable Radar's machine learning score block threshold. Start at 75 and adjust based on false positive rate over the next week.

Stripe charges approximately $0.05 per transaction for Radar evaluation on top of the standard processing fee. On a $500/month revenue store, Radar costs maybe $5–$10/month. That's cheap compared to a single afternoon of bot traffic.

Shopify Payments and Shopify Fraud Analysis

Shopify assigns a fraud risk score to every order. Medium and high-risk orders show a yellow or red badge in the Orders view. By default, Shopify doesn't hold these orders — you need to turn on fulfilment holds manually.

Go to: Settings → Payments → Risk rules. Enable automatic holds for orders flagged as medium or high risk. This won't stop the authorization from going through, but it gives you time to review before you ship or fulfil a digital product.

For stronger protection, Shopify's built-in AVS and CVV enforcement settings are under Payments → Settings → Risk rules. Enabling CVV requirement and AVS street address matching blocks most card testing attempts at the checkout level before they even hit your processing fees.

Third-party fraud apps add another layer:

• NoFraud — approximately $50/month for small merchants, provides real-time human review escalation for flagged orders, integrates natively with Shopify
• Signifyd — enterprise-tier, includes chargeback guarantee, priced based on volume; best for merchants doing $500K+/year

WooCommerce: The Highest-Risk Platform

WooCommerce has no built-in Radar equivalent. If you're running a WooCommerce store without additional fraud tooling, you're the most exposed merchant on this list. Default WooCommerce checkout has essentially no bot protection.

Install these in order of priority:

1. Google reCAPTCHA v3 on checkout — free, invisible to real users, blocks the majority of automated bot traffic. Add it via the free Google Listings & Ads plugin or a dedicated reCAPTCHA plugin. Set it on the checkout page and the "Place Order" button specifically.

2. WooCommerce Anti-Fraud plugin — the official WooCommerce extension (~$79/year) adds risk scoring, IP geolocation, and automatic order holds. Configure it to block orders with a score above 70 by default.

3. CVV enforcement through your gateway — in your Stripe WooCommerce extension settings, go to the Advanced tab. Enable AVS and CVV mismatch handling. Set CVV failures to block, not just flag. This is buried in the settings but it's critical.

4. Velocity controls — the Stripe WooCommerce extension passes order data to Stripe Radar, so your Radar rules apply. If you're on a different gateway (Square, Moneris), check their gateway-specific WooCommerce plugins for similar controls.

After an Attack

If you've already been hit, here's the immediate response sequence:

First hour: Add a CAPTCHA to checkout if you don't have one, or temporarily disable the checkout page entirely while you assess. Export all declined transaction records from your processor dashboard — you'll need transaction IDs, timestamps, IP addresses, and email addresses.

Within 24 hours: Contact Stripe or Square support directly with the batch of transaction IDs from the attack window. Both processors have fraud teams that review these cases. In genuine card testing incidents where the merchant took no suspicious action, Stripe has been known to reverse or credit processing fees — this is not guaranteed, but it's worth asking specifically.

Within 48 hours: File a report with the Canadian Anti-Fraud Centre (CAFC). This creates a paper trail for insurance purposes and contributes to national fraud pattern tracking. File a police report with your local force as well — most won't investigate individual card testing incidents, but the report number is useful for insurance claims and for any future escalation.

Block all IP addresses from the attack export at your hosting or CDN level. If you're on Shopify, use a Shopify Fraud Filter app. On WooCommerce, block IPs at the .htaccess or Cloudflare level.

The VAMP Connection

Card testing has a downstream regulatory consequence many merchants don't realize. Visa's VAMP (Visa Acquirer Monitoring Programme) framework, effective April 2026, flags merchants whose decline rates exceed 1.5% of total transactions. A single card testing attack can push a small-volume merchant well above that threshold.

If your monthly transaction volume is 500 orders and a bot runs 300 declined attempts in one afternoon, your decline rate for that billing period spikes dramatically. Exceeding VAMP thresholds triggers acquirer monitoring and potential fines passed through to the merchant.

Check your VAMP exposure after any card testing incident, especially if you're a lower-volume merchant where even a modest bot attack represents a large percentage of your transaction count.

Quick Reference: Defence by Platform