
A non-technical founder's guide to the payment fraud that can sink your business in a weekend

You wake up Monday morning to find your Stripe account frozen. There are 427 transactions you don't recognize. Your bank account shows pending chargebacks totaling $18,000. And somehow, you now owe Stripe $6,405 in dispute fees.

Welcome to card testing fraud—the payment scam that's destroying small businesses and platforms every single day. (According to one survey, nearly 90% of businesses now lose up to 9% of revenue to payment fraud—and for marketplace founders who only keep 10–20% commission, one weekend of card testing can erase months of legitimate earnings.)

If you're a founder running a marketplace, SaaS platform, service booking site, or any business that processes payments online, this is the hidden risk nobody tells you about.

Let me walk you through what card testing actually is, why it can bankrupt you even when you're doing everything "right," and—most importantly—how to protect yourself starting today.

What Is Card Testing Fraud? (In Plain English)

Here's the simple version:

Criminals have massive databases of stolen credit card numbers—millions of them, purchased on the dark web or stolen in previous breaches. But they don't know which cards are still active and which have been canceled or frozen. They can sell the active ones for more money.

So they use your payment system as a free testing service.

Here's how it works:

  1. Bots make hundreds or thousands of small test purchases on your platform (usually $1–$10 transactions)
  2. If the charge goes through, the card is active and valuable → they can sell it at a premium or use it for bigger fraud
  3. If the charge fails, the card is dead → they move to the next one
  4. Your platform processes thousands of these tiny transactions in minutes while you sleep

This isn't a person sitting there manually typing in card numbers. It's automated, industrial-scale fraud using professional tooling.

And here's the kicker: It's your problem, not Stripe's (or any other payment platform's).

Why This Can Destroy Your Business (Especially Marketplaces)

Let me show you the math that kills founders.

Scenario: You Run a Marketplace Platform

  • You take a 10% commission on every transaction
  • A service costs $100 → you keep $10, pay out $90 to your vendor/service provider

What happens when card testing hits:

  1. Fraudsters test 100 stolen cards at $10 each = $1,000 in fake transactions
  2. You earn $100 in commission (10% of $1,000)
  3. You pay out $900 to your vendors (they already have it; it's gone)
  4. Stripe charges you processing fees (often around 2.9% + $0.30 per charge, and not refundable in cases of fraud) = -$30

So far you've "made" $70.

Then, 2–4 weeks later, the chargebacks hit:

  1. Real cardholders see unauthorized $10 charges on their statements and dispute them
  2. You must refund 100% of each transaction = -$1,000
  3. You pay a dispute fee of $15 per chargeback in the US (plus a possible additional $15 if you formally challenge/counter it, depending on your account/region and outcome) = -$1,500 for 100 disputes

Your total loss: -$2,430 once the $70 you "made" is counted, plus counter fees if you countered disputes and lost. (Proactively refunding/voiding suspicious payments quickly can sometimes reduce downstream dispute volume, but you may still eat processing fees.)

You processed $1,000 in fake transactions, earned $70, and lost $2,430.

And that's before Stripe freezes all your payouts—including legitimate customer payments—while they investigate.

Why Marketplaces Get Hit Harder

If you run a traditional e-commerce store, you at least keep 100% of the transaction revenue before refunds hit.

But if you're running a marketplace, platform, or service booking site, you only keep 10–20% and you've already paid out the rest to vendors. When chargebacks arrive, you're refunding money you never actually had.

Business models at highest risk:

  • Freelance marketplaces (Upwork, Fiverr model)
  • Service booking platforms (TaskRabbit, Calendly with payments)
  • Membership/creator platforms (Patreon, Substack model)
  • Event ticketing platforms
  • Rental/lodging platforms

If your chargeback rate exceeds 10% of your commission rate, you lose.

Real Stories: What Card Testing Looks Like in the Wild

The Reddit Founder: "Stripe Is About to Sink Our Startup"

A startup founder posted to Reddit in July 2025 after their platform was hit by card testing bots. Here's what they wrote:

"Stripe is holding us responsible for all chargebacks and dispute fees, freezing all our payouts... We have not spent the money, but we only take 10% commission, meaning if more than 10% of the people being scammed dispute we will go underwater financially. On top of that every charge that Stripe put on us is $15 per dispute, which is doubling the original disputed amount already."

Their business was about to close. Not because they had bad security. Not because they made a mistake. Because automated bots used their payment system as a testing ground.

The WooCommerce Store: 450,000 Attacks in One Week

In September 2025, security researchers documented over 450,000 card testing attempts targeting WooCommerce stores in just seven days.

The attacks exploited newer checkout flows that bypassed traditional security plugins. Store owners woke up to thousands of failed orders, payment processor warnings, and—for those where tests succeeded—chargebacks arriving 30 days later.

One Reddit store owner described the panic:

"reCAPTCHA doesn't stop them. I tried v2 and v3. The bots use the instant payment buttons that bypass everything. If I turn off instant payments, my conversion rate tanks and I lose legitimate customers."

Welcome to the impossible choice: security or sales.

The Healthcare Worker: $825,000 in Card Testing Over 6 Years

In a 2024 case, a California woman working at a healthcare facility stole patient PII from over 125 files. She opened thousands of fraudulent credit cards, then used card testing to validate which ones were active before making hundreds of thousands of dollars in purchases.

She was sentenced to 5 years in federal prison—but the businesses whose payment systems she used as testing grounds? They absorbed the chargebacks, dispute fees, and operational chaos.

Why You Didn't Know About This (And Why Fraudsters Count On That)

Card testing thrives in the gap between what founders think they know about payments and how payment fraud actually works.

Here's what most founders believe:

  • "Stripe/Square/PayPal handles fraud detection for me"
  • "If a transaction is fraudulent, the payment processor will catch it"
  • "I'm too small to be a target"
  • "I have reCAPTCHA, so I'm protected"

Here's the reality:

  • By default, you’re typically liable for card-not-present fraud/chargebacks—unless you use mechanisms like 3D Secure that can shift liability in some cases
  • Card testing transactions look legitimate (real cards, small amounts, no obvious red flags)
  • Small businesses are preferred targets because you have fewer monitoring tools and smaller teams
  • reCAPTCHA can be bypassed via instant payment buttons, API calls, and express checkout flows

Fraudsters aren't targeting you specifically—they're targeting every payment form they can find with automated bots that run 24/7.

And they hide in your busiest times. The 2025 Holiday Fraud Report showed that card testing attacks spike during peak shopping seasons because high transaction volume makes the attacks harder to spot.

How to Protect Your Business (Starting Today)

Okay, deep breath. Now let's talk about what you can actually do about this.

1. Turn On Stripe Radar (It Takes 10 Minutes)

Turn on Stripe’s built-in Radar protections. Set up basic rules:

  • Block prepaid cards (if your business model allows it—fraudsters love prepaid cards)
  • Set velocity limits: Max 3 transactions per card per hour, max 10 attempts per IP per hour
  • Geographic restrictions: If you only serve the US, block international cards
  • Decline on CVC/ZIP failures: Require exact matches for card security codes and billing ZIP

These settings catch 60–70% of automated card testing. Consider Radar for Fraud Teams if you need custom rules/advanced controls.

2. Set Up Real-Time Alerts (So You Catch Attacks in Hours, Not Weeks)

Create alerts for:

  • Transaction volume spike: Email/SMS if hourly transactions exceed 2× your normal rate
  • High decline rate: Alert if >10 failed transactions from same IP in 30 minutes
  • Chargeback rate: Notify immediately if disputes exceed 1% of transactions

You can do this through Stripe webhooks or tools like Zapier. Do not rely on weekly dashboard reviews—card testing happens in minutes.
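The three alert thresholds above, written as a check over payment events. This is an added example, not code from Stripe or Zapier; the event fields, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the alert list above.
SPIKE_FACTOR = 2                     # hourly volume above 2x the normal rate
MAX_FAILS_PER_IP = 10                # more than 10 failures from one IP ...
FAIL_WINDOW = timedelta(minutes=30)  # ... within 30 minutes
MAX_DISPUTE_RATE = 0.01              # disputes above 1% of transactions

def scan(events, normal_hourly_rate, disputes=0):
    """Return sorted alerts for time-ordered events: dicts with 'ts' (datetime),
    'ip' and 'status' ('succeeded' or 'failed'). The event shape is assumed for
    this example; it is not a payment processor's webhook schema."""
    alerts = set()
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    hourly = defaultdict(int)    # calendar hour -> number of attempts
    for ev in events:
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        hourly[hour] += 1
        if hourly[hour] > SPIKE_FACTOR * normal_hourly_rate:
            alerts.add(f"volume spike in hour {hour:%Y-%m-%d %H}:00")
        if ev["status"] == "failed":
            window = fails[ev["ip"]]
            window.append(ev["ts"])
            # Drop failures that have left the 30-minute sliding window.
            while ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) > MAX_FAILS_PER_IP:
                alerts.add(f"high decline rate from {ev['ip']}")
    if events and disputes / len(events) > MAX_DISPUTE_RATE:
        alerts.add("dispute rate above 1%")
    return sorted(alerts)

def constructed_sample():
    """Constructed data: 8 daytime payments, then a 2am burst from one IP."""
    day = datetime(2025, 1, 7, 10, 0)
    normal = [{"ts": day + timedelta(minutes=7 * i), "ip": f"198.51.100.{i}",
               "status": "succeeded"} for i in range(8)]
    night = datetime(2025, 1, 8, 2, 0)
    burst = [{"ts": night + timedelta(seconds=20 * i), "ip": "203.0.113.9",
              "status": "succeeded" if i % 6 == 0 else "failed"}
             for i in range(30)]
    return normal + burst

if __name__ == "__main__":
    for alert in scan(constructed_sample(), normal_hourly_rate=10, disputes=1):
        print(alert)
```

In practice each alert string would be handed to whatever sends your email or SMS, and `normal_hourly_rate` would come from your own recent history.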

3. The 2-Step Money Rule for Marketplaces

If you run a platform/marketplace where you pay out funds to vendors:

Rule: Don't pay out vendor earnings for 45–60 days after the original transaction.

Yes, this creates cash flow friction. Yes, vendors will complain. But here's the alternative:

  • You pay out vendor earnings immediately
  • Chargebacks hit 30 days later
  • You must refund customers from your account
  • You've already given the money to vendors (and can't get it back)
  • You absorb 100% of the loss

Better option: Hold funds in reserve for the chargeback window, then pay out. Explain to vendors: "This protects both of us from payment fraud."

4. Budget for Fraud as a Cost of Doing Business

This is the mindset shift nobody teaches you:

Payment fraud is like shoplifting for retail stores or refunds for e-commerce. It's not an "if," it's a "when."

Budget accordingly:

  • Assume 0.5–2% of transaction volume will be fraud/chargebacks
  • Maintain 30–60 days of transaction volume as cash reserves
  • Factor $15 per chargeback into your unit economics
  • Don't spend commission revenue for 45 days – hold a reserve long enough to absorb common dispute delays and your historical dispute window (many disputes arrive within 30–60 days, but rules can allow longer).

If you can't absorb a $5,000 fraud hit without closing, you don't have enough runway.

5. Red Flags to Watch For

If you see these patterns, pause and investigate immediately:

  • Sudden spike in low-value transactions ($1–$10) overnight or on weekends
  • Multiple transactions from different cards but same IP address or email
  • High volume of "card declined" errors (bots testing invalid cards)
  • Orders showing up as "Origin: Unknown" in analytics
  • Transactions at unusual times (2am on Tuesday when your traffic is normally 10am–6pm)

Don't wait for Stripe to tell you. By the time they freeze your account, you've already processed thousands of fraudulent transactions.

6. Know What to Say to Stripe (Before You Need To)

If you get hit by card testing:

  1. Contact support immediately—don't wait for them to reach out
  2. Document your prevention efforts: "We have Radar enabled, velocity limits set, and geographic blocks in place"
  3. Request fee waivers: "This was an obvious automated bot attack we couldn't have fully prevented. Can you waive dispute fees?"
  4. Ask for payout release timeline and get it in writing

Reality check: Stripe's default position is "you're responsible for all fraud." They may waive fees if you can prove it was a clear bot attack, but don't count on it. Your backup plan is your bank and cash reserves, not Stripe's mercy.

The Bottom Line: This Isn't Optional

Here's what I want you to take away from this:

Card testing fraud is not a "cybersecurity problem" you can patch with better passwords or firewalls. If you outsource IT, their scans aren’t going to catch it. It's a business risk that comes with processing payments online.

Think of it like:

  • Shoplifting for retail stores (budget for 1–3% shrinkage)
  • Refunds for e-commerce (assume 2–5% return rate)
  • Bad debt for B2B services (some customers won't pay)

For payment platforms, card testing is your version of that cost.

The businesses that survive are the ones who:

  1. Expected it (not shocked when it happens)
  2. Had alerts set up (caught it in hours, not weeks)
  3. Had cash reserves (didn't go under from one bad week)
  4. Understood their liability (knew Stripe wouldn't save them)

Your Card Testing Protection Checklist

  • Turn on Stripe Radar fraud filters
  • Block prepaid cards (if your model allows)
  • Set velocity limits: max 3 transactions/card/hour, max 10/IP/hour
  • Enable real-time alerts for transaction spikes
  • Budget 1–2% of transaction volume for chargebacks + dispute fees
  • Maintain 30–60 day transaction reserve fund
  • If you're a marketplace: Hold vendor payouts for 45–60 days
  • Monitor high-risk patterns weekly (low dollar + high volume + unusual times)
  • Have Stripe support contact process documented before you need it
  • Review your checkout for express payment bypasses (PayPal buttons, Apple Pay)

Sources & Further Reading

Reddit: "Stripe is About to Sink Our Startup Over Credit Card Fraud We Didn't Commit"

Chargebacks911: "Real-World Card Testing Examples for 2025"

OOPSpam: "Defending WooCommerce: How we blocked 450,000 card testing attacks"

Stripe: "Chargeback fraud 101: What businesses need to know"
