Skip to content
Pricing
Log InStart Free TrialBook a Demo
Fraud Types

Carding

Carding is the practice of testing and using stolen credit card numbers to confirm which are valid and then extracting value from them. It usually begins with automated low-value transactions that verify a card before it is used for larger fraud.

How it works

How Carding works

Carding starts with a supply of stolen card data, typically bought in bulk from breach dumps or phishing operations. Much of this data is stale or already cancelled, so the fraudster's first problem is figuring out which numbers still work. This validation step is what distinguishes carding from other payment fraud: rather than gambling on a big purchase, the attacker probes each card cheaply first.

To test at scale, carders use automation against checkout or authorization endpoints, submitting small charges or zero-value authorizations and watching for an approval response. Merchants with weak checkout protections, charities, and donation forms are favored targets because they accept small arbitrary amounts. The bots rotate through cards rapidly and distribute requests across many IP addresses, often residential proxies, so the flood of attempts does not obviously originate from one place.

Cards that come back approved are sorted as live and either used directly or resold at a premium. The fraudster then monetizes them through card-not-present purchases of resellable goods, gift cards, or other easily liquidated value, frequently shipping to reshipping addresses or buying digital items that deliver instantly. Because the whole pipeline is automated, a carding operation can churn through thousands of numbers in a short window.

Why it matters

Why Carding matters for fraud prevention

Carding is damaging even before any large fraudulent purchase occurs. The testing phase alone generates a storm of authorization attempts that inflates processing costs, triggers issuer alarms, distorts analytics, and can degrade site performance. The small test charges lead to disputes and chargebacks, and a high volume of declines can harm the merchant's risk standing with acquirers. For platforms that accept flexible payment amounts, being used as a free card-checking service is a reputational and financial liability.

With TRACIO

How TRACIO handles it

TRACIO detects carding by focusing on the automation and velocity that define it. Bot Detection identifies the headless browsers and automation frameworks driving high-speed card tests, and the Identification product links attempts back to a single device even as the card numbers and IP addresses change, exposing the tell-tale pattern of one environment cycling through many cards. IP Intelligence highlights the data-center and residential proxy pools used to spread requests. With velocity checks over the device graph, a burst of distinct-card attempts from one device or device cluster can be flagged and throttled in real time, cutting off the testing phase before valid cards are found.

FAQ

Frequently asked questions

Identify every device with confidence

Start with a free plan of 2,500 API calls per month. No credit card required.