RD Virtual Card
RD Virtual Card

What Is Card Testing? Definition, Payment Flow, and Examples

Quick answer

Card Testing is fraudulent probing of batches of card credentials with small or automated transactions and should not be confused with legitimate verification. This guide focuses on Card Testing's real role, boundaries, and common points of confusion.

Last updated: 2026-07-14 · RDVCC Payments Research

Key points

  • Definition: Card Testing is fraudulent probing of batches of card credentials with small or automated transactions and should not be confused with legitimate verification.
  • Flow position: Card testing uses low-value attempts to learn whether an account works; PAN enumeration systematically guesses account details; account takeover gains control of a legitimate user's account.
  • Do not confuse: Card Testing / PAN Enumeration

How it fits into the payment flow

For Card Testing, the relevant process is as follows: Card testing uses low-value attempts to learn whether an account works; PAN enumeration systematically guesses account details; account takeover gains control of a legitimate user's account. Payment fraud is broader, while a risk score is only a probability or decision input built from signals.

A practical review of Card Testing should account for this: effective defenses combine rate limits, device and network signals, behavioral anomalies, stronger verification, and investigation. Decline responses should not reveal which guessed field was correct.

Practical example

An attacker submits a series of low-value card tests at checkout, and the platform detects the abnormal failure pattern and rate-limits it. Generic errors avoid revealing which credential field was valid.

How it differs from related terms

TermDefinition
Card Testingis fraudulent probing of batches of card credentials with small or automated transactions and should not be confused with legitimate verification
PAN Enumerationsystematically guesses PANs and related fields and uses response differences to identify valid combinations
Account Verificationchecks whether a card account or credential is usable without completing a normal purchase charge

Card Testing focuses on the fact that it is fraudulent probing of batches of card credentials with small or automated transactions and should not be confused with legitimate verification. PAN Enumeration, by contrast, systematically guesses PANs and related fields and uses response differences to identify valid combinations. They can appear in one transaction while answering different questions.

Use cases and limits

A key limit of Card Testing is the following: one small transaction or a high score is not proof of a crime. Response should block attacks, limit false positives, preserve evidence, and provide safe recovery for legitimate users.

Frequently asked questions

These answers address two common search questions about Card Testing.

Is it the same as PAN Enumeration?

No. Card Testing is fraudulent probing of batches of card credentials with small or automated transactions and should not be confused with legitimate verification. PAN Enumeration systematically guesses PANs and related fields and uses response differences to identify valid combinations. Compare the object, processing stage, and responsible party.

Does a high risk score prove that a user committed fraud?

For Card Testing, no. It is a model and signal-based input that needs rules, context, and investigation. Thresholds also vary by business and loss tolerance.

Primary sources

These primary sources support the definition and process for Card Testing. Current product, network, and local rules still control a real transaction.