Guide · 2026-03-28 · 8 min read

How to Stop Card Testing on Shopify (Complete 2026 Guide)

Card testers hit your Shopify checkout with stolen card numbers in tight loops. Learn how to detect and stop card testing in 5 minutes.

Card testing is a specific type of automated fraud: a bot hits your checkout with stolen card numbers in tight loops to identify which cards are still valid. The bot does not care about your products — it cares about getting a green "Payment successful" response, which it uses to validate cards for bigger transactions elsewhere.

If you see clusters of small ($0.50-$5) orders, mostly cancelled or failed, you are being card-tested. This guide explains what is happening and how to stop it.

Why card testing is dangerous

Beyond the small orders themselves:

  • Processors charge a fee per attempted transaction (~$0.30 each), whether the attempt succeeds or fails.
  • Stripe / Shopify Payments flags your account as high-risk if too many fail.
  • Account freezes if testing volume is high — Stripe will pause funds.
  • Reputation damage — repeated testing patterns make your domain a known fraud target.

A typical card-testing attack: 500-2,000 attempts per hour, $0.30 fee per attempt, $150-$600/hour bleed. Multiply by days.

How card testers operate

The attack pattern:

  1. The fraudster acquires a list of stolen card numbers (cheap on the dark web).
  2. They write a script that submits each card to a low-friction checkout.
  3. Card details are usually wrong — they only need one valid combination of number + CVV + expiry.
  4. Successful card details are sold or used elsewhere for bigger transactions.

Your store is just the testing ground because:

  • It is cheaper to test cards in $1 transactions than to risk a $500 charge upfront.
  • Some merchants do not require AVS, CVV, or 3DS — easier targets.
  • High order volume hides the fraud in noise.

Step 1 — Block low-value orders

Most card testing uses $0.50-$5 transactions. Block these:

  1. Install Shieldy.
  2. Open Block checkout → Subtotal rule.
  3. Condition: < $5.
  4. Custom error: "This order amount is below our minimum."
  5. Save.

This single rule eliminates ~80% of card testing because the bot is designed for low-value attempts.

Available in the Enterprise plan.

Step 2 — Block Tor and VPN traffic

Card testers run over Tor (which cycles IPs every minute) or a commercial VPN:

  1. Open Bot Killer.
  2. Toggle Auto block Tor → ON.
  3. Toggle Auto-block VPN/Proxy → ON.
  4. Save.

Combined with subtotal blocking, this catches 95%+ of testing.

Step 3 — Block datacenter IPs at checkout

Card-testing scripts run on cloud infrastructure. Block them at checkout:

  1. Open Block checkout → Datacenter IPs at checkout → ON.
  2. Save.

Almost no legitimate buyer comes from AWS / GCP / OVH directly.

Step 4 — Rate limit checkout submissions

In Shieldy:

  1. Open Settings → Rate limiting.
  2. Set: Max 3 checkout submissions per minute per IP.
  3. Action: Block for 24 hours.
  4. Save.

Real buyers retry checkout once or twice. Bots retry every second.

Step 5 — Require AVS and CVV

In Shopify Payments → Settings → Fraud protection:

  • Reject if AVS mismatches
  • Reject if CVV mismatches
  • Set fraud risk threshold to Medium

This is the strongest pre-payment signal. Card-testing scripts rarely have correct AVS data because they only have card numbers.

Step 6 — Enable 3D Secure (3DS)

3DS adds a verification step that requires the cardholder's bank to authenticate. Card-testing bots almost never have this credential.

Configure in Shopify Payments → Fraud protection → 3D Secure:

  • Always require for orders <$5 (kills card testing)
  • Always require for first-time buyers
  • Always require for high-risk countries

3DS routes are automatic in Shopify Payments.

Step 7 — Auto-cancel failed-payment patterns

Card testing creates a specific pattern: many failed payments from the same IP or email within a short time window.

In Shieldy:

  1. Open Fraud Order Filter → Pattern detection.
  2. Enable: Auto-block IPs with 3+ failed payments in 10 minutes.
  3. Save.

This catches the campaign at the second/third attempt.

Step 8 — Disable autocomplete in checkout

Card testers use form-fill scripts. Disable autocomplete:

In your theme's checkout extension (if you have one):

Small effect (testers can override), but worth doing.

Step 9 — Monitor for testing patterns

Open Shieldy's Visitor Analytics weekly:

  • Filter by Failed payment count > 2
  • Sort by Time descending
  • Look for IP clusters in short windows

Common patterns:

  • 50+ attempts in 1 hour from same /24 → coordinated test
  • Mixed user agents from same IP → rotating bot
  • All attempts at $0.50-$5 → classic card test

Add new patterns to your block rules.
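
The Step 7 rule and the Step 9 patterns can also be checked against your own payment-attempt export. The sketch below is an added example, not Shieldy's or Shopify's code; the record fields (`time`, `ip`, `user_agent`, `amount`, `ok`), the IPv4-only /24 grouping, and the sample rows (documentation IP ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

LOW, HIGH = 0.50, 5.00  # the guide's $0.50-$5 card-testing range

def burst(times, limit, window):
    """True if any `limit` timestamps fall within one `window`."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= window
               for i in range(len(times) - limit + 1))

def find_card_testing(attempts):
    """attempts: dicts with time, ip, user_agent, amount, ok (IPv4 assumed).
    Returns {ip or /24: sorted list of matched patterns}."""
    by_ip, by_net = defaultdict(list), defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
        by_net[str(ip_network(a["ip"] + "/24", strict=False))].append(a)
    found = defaultdict(set)
    for ip, rows in by_ip.items():
        failed = [r["time"] for r in rows if not r["ok"]]
        if burst(failed, 3, timedelta(minutes=10)):
            found[ip].add("3+ failed payments in 10 minutes")
        if len(failed) > 2:  # Step 9 filter: failed payment count > 2
            if len({r["user_agent"] for r in rows}) > 1:
                found[ip].add("mixed user agents from same IP")
            if all(LOW <= r["amount"] <= HIGH for r in rows):
                found[ip].add("all attempts at $0.50-$5")
    for net, rows in by_net.items():
        if burst([r["time"] for r in rows], 50, timedelta(hours=1)):
            found[net].add("50+ attempts in 1 hour from same /24")
    return {src: sorted(reasons) for src, reasons in found.items()}

def sample_attempts():
    """Constructed data: a /24 sweep, one rotating bot, one real buyer."""
    t0 = datetime(2026, 3, 28, 12, 0)
    def row(sec, ip, ua, amount, ok=False):
        return {"time": t0 + timedelta(seconds=sec), "ip": ip,
                "user_agent": ua, "amount": amount, "ok": ok}
    rows = [row(30 * i, f"203.0.113.{i + 1}", "ua-a", 1.00) for i in range(60)]
    rows += [row(40 * i, "198.51.100.7", f"ua-{i}", 0.99) for i in range(4)]
    rows += [row(0, "192.0.2.10", "ua-b", 42.00),
             row(90, "192.0.2.10", "ua-b", 42.00, ok=True)]
    return rows

if __name__ == "__main__":
    for source, reasons in find_card_testing(sample_attempts()).items():
        print(source, "->", "; ".join(reasons))
```

The /24 sweep is flagged only at subnet level because each address in it makes a single attempt, which is why per-IP rules alone miss it; the buyer who fails once and then pays is not flagged.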

Step 10 — Coordinate with Shopify Payments

If a card-testing attack is in progress:

  1. Email Shopify Payments support immediately.
  2. They can put a temporary hold on new transactions.
  3. They have additional anti-fraud tools at the platform level.

Faster response = less bleed.

Real-world example

A merchant we work with hit a card-testing wave:

  • 3,400 attempts in 4 hours
  • $1,020 in processor fees alone (before refunds)
  • 6 cards passed (used elsewhere by attacker)
  • Shopify Payments paused account for 48 hours

After implementing the 10 steps:

  • Next attack attempt blocked at step 2 (Tor block) in <60 seconds
  • Total losses on subsequent attempts: $0
  • Account never paused again

What does Shopify Payments do natively?

Shopify Payments has built-in card-testing protection — it learns patterns across the platform. But:

  • Activation thresholds are conservative (you bleed before it kicks in)
  • No checkout-level blocking visible to you
  • No transparency on what triggered

Layer your own controls on top.

Frequently asked questions

Will blocking $5 orders affect legitimate small orders?

Some — but real $1-$5 orders are rare. Set the threshold based on your AOV. For most stores, blocking below $5 has <0.5% impact on legitimate orders.

Can card testers bypass 3DS?

Almost never. 3DS requires the cardholder's authenticated session with their bank. Testers do not have this.

What about gift cards?

Gift-card purchases at $5+ flow through normal checkout. Card-testing patterns rarely hit gift cards.

How fast does the block take effect?

Shieldy rules are live in <1 minute. Combine with Shopify Payments AVS/CVV setting for layered protection.

My store is getting card-tested right now — what is the fastest action?

  1. Set checkout to Manual capture in Shopify Payments (prevents charge, but logs attempts).
  2. Block subtotal <$5 in Shieldy.
  3. Enable Tor + VPN block.
  4. Email Shopify Payments to flag the incident.

Wrapping up

Card-testing attacks are predictable, automated, and stoppable with the right rules. Most successful prevention is one-time configuration that protects you long-term. The cost of inaction (account freeze, processor scrutiny, lost time) is far higher than the $4.99-$8.99/mo to enable Shieldy's full protection.
