RankShield
RANKSHIELD NETWORK Get started

How to stop card testing attacks on your Shopify store

Card testing bots hammer your checkout with stolen card numbers, and every declined attempt still costs you fees and pushes you toward Visa’s penalty thresholds. Here is how to spot an attack, what it really costs, and how to shut it down.

July 3, 2026 · 11 min read · how to stop card testing on shopify

If your Shopify store suddenly fills with tiny declined transactions, dozens or hundreds an hour, you are almost certainly being used for card testing. Fraudsters run stolen card numbers through your checkout in bulk to find the ones that still work, and your store is just the machine they borrow to do it. The damage is not the sale, because most of these charges fail; it is the pile of gateway fees on every declined attempt, the chargebacks on the few that succeed, and the very real risk of tripping Visa’s new monitoring thresholds, which as of October 2025 can push your acquirer to act against you. This guide explains exactly what a card testing attack is, how to recognize one in progress, what it actually costs you (there is a calculator below), and the concrete steps, and the RankShield Shopify app, that reduce your exposure. One honest note up front: no tool eliminates card testing entirely, and anyone who promises that is overselling. The realistic and achievable goal is to detect it fast, block the bulk of it automatically, and keep a verifiable record of what happened.

What is a card testing attack, and why is your Shopify store a target?

A card testing attack, also called carding or enumeration, is when a fraudster runs a large batch of stolen or guessed card numbers through a real checkout to discover which ones are still valid. They are not trying to buy your product; they are using your payment form as a free validation service. A successful tiny charge or even a successful authorization tells them a card works, after which the real fraud happens elsewhere, often on a bigger purchase at another merchant. Your store is simply a convenient, automated place to test, which is why the attacks are run by bots at high speed and high volume.

Your Shopify store is a target for reasons that have nothing to do with you personally. Fraudsters look for checkouts that accept card payments, process authorizations quickly, and lack aggressive rate-limiting, and a standard ecommerce checkout fits that description by design, because it is built to make paying easy. Smaller and mid-sized stores are hit constantly precisely because they are less likely to have dedicated fraud tooling watching the checkout. The uncomfortable truth is that being a normal, functioning store is the qualification; the bots find you through automated scanning, not because you did anything wrong.

How do you know your Shopify store is being hit by card testing?

The signature of card testing is a sudden burst of many small transactions that mostly fail, and it looks different from normal traffic once you know what to watch for. The tell is volume and pattern: a spike in authorization attempts far above your usual order rate, a decline rate that jumps from normal to overwhelming, lots of attempts on low-value or identical amounts, and many different card numbers from a small number of sources in a short window. If your Shopify or payment-gateway dashboard shows dozens or hundreds of declines in an hour when you normally get a handful of orders a day, that is the attack.

A few other signals confirm it. You may see a flood of failed-payment notifications, orders that error out at the payment step, or a cluster of transactions with mismatched billing details and rapid-fire timing that no human shopper would produce. Because the goal is speed, the attempts often come in tight bursts. The important thing is to recognize it early, because the cost compounds with every attempt, and because a prolonged storm is what moves your fraud and dispute ratios toward the thresholds card networks monitor.

DOWNLOADABLE INFOGRAPHIC

Anatomy of a card testing attack

RANKSHIELD // CARD TESTING ON SHOPIFY Your checkout, used as a card-validation machine 1 · The bot Runs thousands of stolen card numbers at checkout 2 · Mostly declines Each declined attempt still carries a gateway fee 3 · The live ones A few succeed → chargebacks + rising fraud ratio WHY IT HURTS $4.61 total cost per $1 of fraud US ecommerce (LexisNexis 2025) 450,000+ test attempts in one week single documented campaign Visa VAMP (enforced Oct 2025): excessive enumeration + a combined fraud/dispute threshold dropping to 1.5% (US/EU) in April 2026 can put your merchant account at risk. rankshield.co · Sources: Visa VAMP Fact Sheet 2025 · LexisNexis True Cost of Fraud 2025
Sources: Visa VAMP Fact Sheet 2025, LexisNexis True Cost of Fraud 2025. Free to share with attribution.

Why does card testing cost you money even when every charge is declined?

The counterintuitive part of card testing is that a wall of declined transactions is still expensive, because you are billed for the attempt, not just the sale. Payment processors and card networks charge fees on authorization requests, and many of those apply whether the charge succeeds or fails, so ten thousand declined test attempts is ten thousand fees. During a sustained attack those fees add up fast, and they land on you, the merchant, not the fraudster. The calculator below makes the scale concrete, and it usually surprises store owners who assumed a failed charge was free.

The bigger cost is what the declines do to your standing with the card networks. Visa’s Acquirer Monitoring Program (VAMP), whose enforcement began on October 1, 2025, specifically targets enumeration, the bulk-testing pattern card testing produces, and flags merchants and acquirers whose activity crosses defined thresholds. On top of that, VAMP’s combined fraud-and-dispute “excessive” threshold is scheduled to drop to 1.5% in the US, Canada, and Europe on April 1, 2026, a tighter bar than before. A card-testing storm inflates exactly the ratios these programs watch, which means an attack you did not invite can push you toward penalties, higher fees, or acquirer action. And on the wider scale, US ecommerce merchants lose $4.61 for every $1 of fraud once fees, chargebacks, and labor are counted (LexisNexis True Cost of Fraud 2025), while global ecommerce fraud is forecast to climb from $56 billion in 2025 to $131 billion by 2030 (Juniper Research). Card testing is a meaningful slice of that, and it is one of the most preventable.

What does a card testing storm actually cost you?

Plug in the shape of an attack to see the illustrative monthly cost of the declined attempts alone, before chargebacks and network penalties. The point is not a precise quote; it is to show how quickly per-attempt fees compound when a bot is running your checkout at machine speed.

CARD-TESTING COST ESTIMATOR

What could a card-testing storm cost you?

  • Fraudulent card-test attempts per day
  • Cost per declined attempt (¢)
  • Illustrative monthly cost of declined attempts

How do you actually stop card testing at your Shopify checkout?

You stop card testing by making your checkout expensive and slow for bots while keeping it fast for real shoppers, and no single control does it alone, so the effective approach is layered. The goal, realistically, is to block the overwhelming majority of automated attempts, catch the rest fast, and keep your fraud and dispute ratios well under the thresholds card networks watch. Here is what actually works, in rough order of impact.

  • Velocity limits and rate-limiting: cap how many payment attempts can come from one source in a short window, so a bot firing thousands of tests is throttled long before it does damage.
  • Bot detection at checkout: distinguish automated traffic from humans and challenge or block the automated bursts, since card testing is a bot problem first and a payment problem second.
  • Fraud filtering on patterns: flag the signatures of enumeration, many cards from few sources, rapid-fire identical amounts, mismatched details, and stop them in real time rather than after the fees land.
  • Keep a verifiable record: seal what was blocked and why, so you can show your processor and acquirer you acted, which matters when your ratios are being reviewed.
  • Customer-safe by default: tune the controls so a real shopper is never turned away, because a false block on a paying customer costs more than the fraud you prevented.

How does the RankShield Shopify app reduce your card-testing exposure?

The RankShield Shopify fraud protection app is built to do exactly the layered job above, automatically, so you are not manually watching your decline rate at 2 a.m. It detects card-testing and enumeration patterns in real time, throttles the velocity of payment attempts from a source, and distinguishes automated bursts from genuine shoppers, so the bulk of an attack is blocked as it happens rather than reconciled from a fee report later. Crucially, it is designed to be customer-safe: the aim is to stop the bots without turning away the real buyer, because for most stores a lost customer costs more than a caught fraudster.

What sets the RankShield approach apart is the verifiable record. Every block and fraud decision is sealed as a tamper-evident, independently checkable receipt, which matters for a specific and practical reason: when a card-testing storm pushes your fraud or dispute ratio into the zone Visa’s VAMP program monitors, being able to show your acquirer exactly what you detected and stopped is far stronger than asserting you handled it. The honest framing is important here and it is one we hold to across the platform: the app reduces your exposure and contains attacks, it does not eliminate card testing entirely, and it does not guarantee you will never see a fraudulent charge. What it does is turn an invisible, compounding problem into one that is caught fast, mostly blocked, and provably handled. See the full product on the Shopify fraud protection app page.

Is your Shopify checkout exposed to card testing?

Run this quick check to see how exposed your checkout is right now. It scores the controls that determine whether a card-testing bot gets throttled at attempt fifty or runs unchecked into the thousands. The gaps it surfaces are the ones that turn into fee storms and rising fraud ratios.

EXPOSURE CHECK

How exposed is your checkout to card testing?

  1. Do you limit how many payment attempts can come from one source in a short window?
  2. Can you tell automated (bot) checkout traffic from real shoppers?
  3. Would you notice a card-testing spike within minutes, not on a fee report?
  4. Do you track your fraud and dispute ratios against card-network thresholds?
  5. Could you show your acquirer a verifiable record of what you blocked?

What should you do the moment a card-testing attack starts?

When you spot an active attack, speed matters more than perfection, because every minute of an unblocked storm adds fees and inflates the ratios you will later have to explain. The immediate priorities are to throttle the flood, preserve evidence, and loop in your processor. Concretely: enable or tighten rate-limiting and any bot or fraud controls you have so the volume drops right away; do not simply switch payments off if you can avoid it, because that also turns away real customers, which is its own loss. Capture what is happening, timestamps, sources, decline counts, so you have a record, and contact your payment provider or acquirer to flag the attack, since they can advise on protecting your account standing.

After the immediate storm is contained, the job is to make sure the next one is stopped automatically rather than manually. That means putting durable velocity limits, bot detection, and pattern-based fraud filtering in front of your checkout, and keeping a verifiable record of what gets blocked so your fraud and dispute ratios, and your acquirer relationship, are protected proactively. This is precisely the shift the RankShield Shopify app is designed to make: from reacting to a card-testing storm after the fees post, to catching and containing it as it happens, with proof you can show. The realistic promise, again stated honestly, is dramatically reduced exposure and fast, provable containment, not a guarantee that card testing never touches your store again.

FREQUENTLY ASKED

Questions, answered.

RankShieldAssistant · online

What is a card testing attack on Shopify?

Card testing (also called carding or enumeration) is when fraudsters use bots to run large batches of stolen or guessed card numbers through your Shopify checkout to find which cards still work. They are not buying your product; they are using your payment form as a free card-validation service, then committing the real fraud elsewhere. Because it is automated, it arrives as a sudden burst of many small transactions that mostly decline. Your store is targeted simply for being a functioning checkout that processes card payments, not because of anything you did wrong.

Does card testing cost me money if the charges are declined?

Yes, which is what surprises most merchants. Payment processors and card networks charge fees on authorization attempts, and many apply whether the charge succeeds or fails, so a wall of declined test transactions is still a wall of fees that lands on you. Worse, the flood of declines and the few successful charges inflate your fraud and dispute ratios, which can push you toward Visa’s VAMP monitoring thresholds (enforcement began October 1, 2025). And across US ecommerce, merchants lose $4.61 for every $1 of fraud once fees, chargebacks, and labor are counted (LexisNexis, 2025). Declined does not mean free.

How do I know if my store is being card-tested right now?

Look for a sudden spike in authorization attempts far above your normal order rate, a decline rate that jumps from normal to overwhelming, many attempts on low-value or identical amounts, lots of different card numbers from a few sources, and rapid-fire timing no human would produce. In practice, if your Shopify or gateway dashboard shows dozens or hundreds of declines in an hour when you normally get a handful of orders a day, that is card testing. Recognizing it early matters because the fees and the ratio damage compound with every attempt.

Can I fully stop card testing on my Shopify store?

No tool eliminates card testing entirely, and any vendor that promises that is overselling. Card testing is driven by automated bots scanning the whole web for functioning checkouts, so new attempts will keep arriving. What you can realistically and achievably do is detect an attack fast, block the overwhelming majority of automated attempts with velocity limits and bot detection, catch the rest quickly, keep your fraud and dispute ratios well under card-network thresholds, and keep a verifiable record of what you stopped. The honest goal is dramatically reduced exposure and fast, provable containment, not zero attempts.

How does the RankShield Shopify app help with card testing?

The RankShield Shopify fraud protection app detects card-testing and enumeration patterns in real time, throttles the velocity of payment attempts from a source, and separates automated bursts from real shoppers, so most of an attack is blocked as it happens rather than reconciled from a fee report later. It is designed to be customer-safe, so a genuine buyer is not turned away, and it seals each fraud decision as a tamper-evident, verifiable record you can show your acquirer if your ratios are ever reviewed. It reduces exposure and contains attacks; it does not claim to eliminate card testing or guarantee you never see a fraudulent charge.

What is Visa VAMP and why does card testing put my merchant account at risk?

VAMP (the Visa Acquirer Monitoring Program) is Visa’s framework for flagging merchants and acquirers whose fraud and dispute activity crosses defined thresholds, with enforcement that began October 1, 2025. It specifically monitors enumeration, the bulk card-testing pattern, and its combined fraud-and-dispute “excessive” threshold is scheduled to tighten to 1.5% in the US, Canada, and Europe on April 1, 2026. A card-testing storm inflates exactly the ratios VAMP watches, so an attack you did not invite can push you toward higher fees, penalties, or action from your acquirer. That is why fast detection and containment, plus a record you can show, protect not just your fees but your ability to keep processing payments.

Try one of the suggested questions above.

References

  1. Visa — Visa Acquirer Monitoring Program (VAMP) Fact Sheet 2025
  2. LexisNexis Risk Solutions — True Cost of Fraud Study: Ecommerce & Retail 2025 ($4.61 per $1)
  3. Juniper Research — eCommerce Fraud Prevention Market 2025–2030 ($56B → $131B)
  4. OOPSpam — analysis of a 450,000+ card-testing campaign in one week
  5. RankShield — Shopify fraud protection app

Make every AI action provable.

RankShield is the verifiable, quantum-safe AI security platform — protection you can check, not just trust.