Carding Explained: How to Stop a Silent Threat to Your Business
Carding is a fast-growing type of credit card fraud that can quickly and quietly wreak havoc on your business. At its core, carding involves stolen credit card details used by criminals to test and exploit payment systems, often by purchasing prepaid gift cards or attempting small online transactions to confirm a card is still active. While this might sound like petty cybercrime, the consequences are anything but small.
Between 2022 and 2023, carding attacks rose 134%[1]
For merchants, carding attacks pose serious risks: higher operational costs, financial losses, operational disruptions, and damage to customer trust. And, in the age of fast payments and e-commerce, those threats are only accelerating.
In this post, we’ll explain carding, how it impacts your customers and your business, what to do if you’re targeted, and, most importantly, what you can do right now to reduce your risk and protect your customers.
What is carding?
Carding fraud isn’t just about stealing money; it’s about systematically exploiting gaps in digital commerce.
Carding is a form of cybercrime involving the misuse of stolen credit card data. Fraudsters acquire this information through phishing, data breaches, or purchases from the dark web. Once they have the data, their goal is simple: convert it into cash or untraceable goods.
Carding: An Early Definition
While carding may sound like a new, AI-driven threat, it has been around for over a decade. One of the earliest formal definitions came from the U.S. Department of Justice in 2012:
“’Carding’ refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals – including the account information associated with credit cards, bank cards, debit cards, or other access devices – and using that information to obtain money, goods, or services without the victims’ authorization or consent.”
Despite evolving tools and tactics, carding’s core purpose has remained the same: stealing financial data to commit fraud.
Small test transactions are typically run to see which cards are still active. From there, validated cards can be exploited to buy prepaid gift cards, digital products, or high-value items that can be easily flipped for profit. In certain instances, the information is sold to other criminals. The concept of “carding” comes from this process of manipulating or “working with” credit card data.
How Carding Works
This process often escalates into a carding attack, where fraudsters deploy bots or automated scripts to test large batches of stolen credit card numbers. When done at scale, this tactic—known as credit card stuffing—helps criminals quickly pinpoint which cards are valid and ready to be exploited.
Carding attacks are typically directed at e-commerce platforms, online donation forms, and digital marketplaces that lack strong fraud prevention tools. Their automated nature makes them efficient, hard to detect, and devastating if left unaddressed.
How to identify a carding attack
To identify a carding attack, merchants should watch for:
- A spike in failed or low-value transactions within a short time frame
- Multiple transactions originating from the same IP address
- A sudden increase in chargebacks or declined payments
- Unusually high transaction volume during off-peak hours
How does carding fraud impact customers?
Carding may start with a small, unauthorized charge, but for your customers, the consequences can quickly escalate.
Customers often don’t realize they’re cybercrime victims until they see unauthorized credit card charges on their statements. When they do, the impact goes beyond fighting the fraudulent charge. Even when banks issue refunds, the disruption, stress, and risk of identity theft can erode trust in your business. Gen Z customers are particularly skeptical about card use—63% have moved away from credit cards in favor of alternatives—and experiences with fraud can increase the risk that they will purchase from other businesses instead of yours in the future.[2]
More seriously, carding activity can expose customers to identity theft. Criminals who gain access to card information may use it to open unauthorized accounts, take out loans, or damage the customer’s credit score—all of which can take months or even years to resolve. Fraudsters who gain access to card information often use it as a gateway to steal more sensitive data, putting customers at risk of long-term financial harm.
How does carding impact merchants?
For merchants, carding is more than just a payment issue. It represents a significant business risk with far-reaching implications. Whenever a criminal utilizes stolen card information on your site, you not only need to reimburse the fraud victim but also risk fees and penalties. Carding can result in financial losses from chargebacks and refunds caused by fraudulent transactions.
Increased fraudulent activity can also raise your payment processing fees or put your merchant account at risk. Some businesses may even find themselves locked out of their accounts or blocked from completing transactions if fraud rates climb too high. Carding also places significant operational strain on your team, as they may have to spend valuable time investigating transactions, updating security, and managing customer concerns.
Possibly more damaging, however, is the reputational risk. When customers notice suspicious activity linked to your business, they’ll likely be hesitant to return and may deter others from purchasing from you. In extreme cases, carding-related issues can make their way into the media, causing broad PR damage and impacting your brand.
Don’t Let Breaches Cause Breakups
89% of customers say they would be at least somewhat likely to switch to another retailer if they lost trust in a merchant.[3]
What can merchants do in the event of a carding attack?
If you suspect your business is the target of a carding attack, time is of the essence. Respond quickly with these steps to both prevent cybercriminals from attempting another attack and also to proactively assist any impacted customers, ultimately protecting those relationships.
- Notify your payment processor and internal security team. They can help freeze suspicious transactions, investigate the pattern of activity, and provide guidance on next steps.
- Block suspicious traffic. Use your site’s firewall or fraud detection tools to block suspicious IP addresses or traffic spikes that match the behavior of a bot-driven attack.
- Communicate transparently with affected customers. If any actual customers were impacted, notify them promptly, explain what happened, and offer assistance where needed.
- Review your logs. Dig into your transaction data to determine where the attack originated, what pages were targeted, and what vulnerabilities may have been exploited. Then, take action to close those gaps.
- Report the incident. If necessary, contact law enforcement or cybercrime agencies, especially if you suspect the stolen data is being resold or used across multiple platforms.
Merchant Fraud Prevention is Ramping Up
More merchants are adopting fraud detection measures, with an average of 5 fraud detection tools used per business in 2023.[4]
How can merchants prevent carding?
When it comes to cybersecurity, an ounce of prevention is worth a pound of cure. Preventing carding begins with making checkout processes more challenging for fraudsters to exploit and easier for legitimate customers to trust. Multiple strategies can help, but no method eliminates all vulnerabilities. That’s why leaders advise merchants to follow best practices alongside targeted cybersecurity and fraud prevention measures.
- Follow general payment security best practices. Make sure your site uses HTTPS encryption, enforces strong password policies, and limits access to payment data within your organization.
- Implement multi-factor authentication (MFA). MFA adds an extra layer of security when logging into admin panels or payment systems, making it harder for criminals to access your backend.
- Use Address Verification Systems (AVS) and CVV matching. These simple checks are effective first lines of defense. AVS compares the billing address entered at checkout with the one on file with the card issuer, while CVV validation ensures the cardholder has the physical card.
- Invest in e-commerce fraud detection As e-commerce fraud continues to rise, new tools have emerged to flag suspicious patterns, such as multiple small-dollar transactions or high-velocity attempts from the same IP address using real-time analytics.
- Choose a gateway with built-in fraud merchant fraud prevention like 3D Secure (3DS). 3D Secure adds an authentication step to online transactions and can dramatically reduce card-not-present fraud.
- Regularly audit and update your payment gateway settings. Fraudsters quickly adapt to emerging technologies to exploit vulnerabilities in payment systems. Stay ahead by reviewing your fraud rules and thresholds and adjusting as your business evolves.
- Partner with your payment processor. Don’t go it alone. Collaborate with your gateway provider to ensure your setup reflects current best practices and contact them whenever you notice suspicious activity.
Prioritize Payment Protection
At Payway, payment security isn’t an afterthought—it’s a priority. Whether you’re rethinking your current setup or ready to strengthen your defenses with a more secure payment gateway, our team is here to help. Reach out to our team to start a conversation about safer, smarter payments.
The Bigger Picture: Current Card Fraud Trends to Watch
Unfortunately, carding is part of a much larger fraud ecosystem that evolves fast to outpace cybersecurity measures, making it a costly adversary for merchants. To stay ahead, businesses must understand how fraud is changing, who it targets, and where their most serious vulnerabilities lie.
Payway monitors and alerts customers to suspicious payment activity, enabling informed decisions about their operations.
Card-Not-Present Fraud Is on the Rise
One of the most pressing trends for business leaders is the rise of card-not-present (CNP) fraud, especially in e-commerce. Unlike in-person purchases, CNP transactions—where the cardholder isn’t physically present—lack many of the verification protections typically found in traditional retail, making them a prime target for fraud. In fact, experts predict that card fraud could rise to $43 billion by 2026—a 26.5% increase from 2022, primarily driven by card-not-present (CNP) transactions.[5]
Sophisticated Fraud Rings Are Scaling Up
Cybercriminals aren’t operating alone. Organized fraud rings like BidenCash are coordinating large-scale attacks, often dumping thousands of stolen credit card records at a time for free to promote their platforms and recruit more criminal participants. In one incident alone, over 556,000 compromised payment card records were released in a single batch.[6]
These groups use automated tools to test card numbers, overwhelm systems, and cash out before detection. Their operations are global, fast-moving, and hard to trace, putting merchants under growing pressure to strengthen their fraud defenses.
Fraud Isn’t Just Growing—It’s Getting More Expensive
The Federal Reserve recently reported that debit cards were the most targeted payment method for fraud in 2024, followed by checks and non-bank payment apps.[7] But it’s not just volume—it’s cost. According to a January 2025 Nilson Report, global card fraud losses are projected to reach over $403 billion in the next decade.[8] Even with improved fraud-fighting technologies, the rapid growth in digital transactions means the overall dollar amount lost is still climbing.
According to the January 2025 Nilson Report, global card fraud losses are projected to reach over $403 billion in the next decade, driven by the evolution of credit card fraud types, including card-not-present fraud, credit card skimming, and synthetic identity fraud.
Changing Attitudes Reflect the Risk
Consumers are becoming more aware of digital fraud and increasingly expect businesses to take action against it. As digital payments become the norm, the surface area for fraud is expanding. In response, nearly 75% of U.S. businesses plan to increase their investment in fraud detection and identity verification tools.[9]
At the same time, customer expectations are shifting. While over 80% of consumers say banks and card networks should resolve fraud-related issues, over 60% also hold merchants responsible for preventing and resolving credit card fraud.[10] With three-quarters of consumers saying trust is pivotal in their choice for online merchants, this further highlights the burden of cybersecurity placed on merchants. Trust plays a major role in consumers’ choices to spend their money, especially online. In fact, three-quarters of consumers say trust is a key factor in choosing a digital merchant.[11]
The message is clear: Businesses can’t afford to treat fraud prevention as someone else’s problem. Customers expect action and are willing to walk away if that trust is broken.
Carding is a growing threat. Don’t wait to act.
Carding may fly under the radar, but it’s one of the most persistent and costly threats facing merchants today. As fraud tactics evolve and digital payments continue to grow, businesses must stay aware of emerging trends like card-not-present fraud, large-scale criminal networks, and changing consumer expectations that are turning payment security into a brand differentiator.
Now is the time to take a proactive stance. Investing in prevention, updating your fraud tools, and staying informed about threats like carding isn’t just about avoiding losses—it’s about protecting your customers and strengthening your business for the long haul.
At Payway, we believe security is a shared responsibility—and a competitive advantage. With our expertise in card-not-present payments, we provide one of the most secure payment gateways available. Reach out to our team for answers to your payment security questions and to learn more about our trusted solutions and standout features.
Sources:
[1] Human (2023). 2023 Enterprise Bot Fraud Benchmark Report.
[2] Afterpay (2025). Why Credit Cards Give Gen Z the Ick.
[3] Riskified (2022). Satisfaction in the Age of eCommerce: How Trust Helps Online Merchants Build Customer Loyalty
[4] MerchantSavvy (2024). Payment Fraud Statistics, Trends & Forecasts 2024.
[5] Clearly Payments (2023). Credit Card Fraud in 2023.
[6] PaymentsDive (2024). How Visa handled ‘BidenCash’ card fraud incident.
[7] The Federal Reserve – Financial Services (2024). Key Findings from the Annual Federal Reserve Financial Services (FRFS) Financial Institution Risk Officer Survey (2024).
[8] Nilson Report (2025). Payment Card Fraud Losses Approach $34 Billion.
[9] Experian (2024). Global Identity & Fraud Report 2024.
[10] PYMNTS (2024). Credit Card Fraud Fears Can Drive Customers to Switch Banks.
[11] PYMNTS (2024). The Online Features Driving Customers to Shop with Brands, Retailers or Marketplaces.