What is carding and why is it relevant for merchants?
Carding is a type of cyber fraud in which criminals (carders) use stolen credit or debit card information to make unauthorized purchases, most often from online stores. This isn't just data theft, but the systematic exploitation of vulnerabilities in merchant payment systems (those who accept online payments). As of 2025, carding remains one of the leading threats to e-commerce, causing billions of dollars in losses through chargebacks, fines, and reputational damage. For example, in 2024, "card-not-present" (CNP) fraud accounted for approximately 73% of all card fraud cases, with losses exceeding $10 billion.

For educational purposes, it's important to understand that carders often use automated tools (bots) to test cards, a practice known as "card testing" or "card cracking." They try thousands of card combinations on vulnerable websites to verify which are still valid, then sell the working cards on the darknet or use them for large purchases. Merchants who ignore security unwittingly facilitate this by becoming "testing grounds." Below, I'll discuss common merchant mistakes, how carders exploit them (at a high level, without actionable details), and recommendations for prevention. This is based on an analysis of common practices and advice from cybersecurity experts.
Typical mistakes merchants make and their consequences
I'm structuring the information in a table for clarity, with a focus on the educational aspect: understanding the mechanism of a vulnerability helps in preventing it.

| Vulnerability | How carders exploit it | Consequences for merchants | Recommendations for prevention |
|---|---|---|---|
| Lack of or weak protection against bots (e.g. no CAPTCHA or bot management) | Carders use bots to test cards en masse: thousands of attempts per second, simulating real users. The bots rotate IP addresses through proxies, bypassing simple blocking. | Server overload, rising chargebacks, and fines from payment systems (up to 5-10% of transactions). Bot-driven card testing makes up the majority of carding attacks in 2025. | Implement CAPTCHA (e.g., Cloudflare Turnstile) or AI-based bot detection that analyzes behavior (click rate, IP reputation). Monitor traffic for anomalies, such as spikes in small transactions. |
| Lack of 3D Secure (or similar protocols such as EMV 3-D Secure 2.0) | Without additional authentication (password, biometrics), carders can easily use stolen data for purchases, as the card owner is never verified. | High risk of CNP fraud, where the merchant is held liable for losses (liability shift). In the EU, this is mandatory under PSD2, with fines for non-compliance reaching up to 2-4% of turnover. | Be sure to integrate 3D Secure through payment gateways (Stripe, PayPal). This reduces fraud by 70-80% thanks to two-factor verification. |
| Weak transaction and pattern monitoring (velocity checks) | Carders run a series of small test payments (for example, $1) to check cards without raising suspicion. Ignoring the speed and volume of transactions allows this. | Chargebacks accumulate, and the payment processor may block the account. Attacks intensify during peak periods (holidays). | Implement velocity checks: limit transactions per minute/hour (by IP, device). Use AI for analysis: flag orders with unusual delivery times or from risky regions. |
| Non-compliance with PCI DSS (storing card data in an unprotected form) | Carders exploit vulnerabilities such as SQL injection to steal databases containing card numbers and CVVs. | Massive data breaches, fines of up to $500,000+ from the PCI Council. Encryption requirements will be tightened in 2025. | Achieve PCI DSS compliance: don't store CVVs; use tokenization. Conduct regular penetration testing and update your software. |
| No additional checks (AVS, CVV, geolocation) | Carders use fake addresses and data because these pass without verification. For example, a mismatch between IP location and billing address is ignored. | Increase in fraud rate, loss of customer trust. | Activate AVS (address verification) and CVV in the gateway. Add geolocation: block transactions where the IP address does not match the card region. |
| No requirement for user registration or verification | Anonymous purchases let carders create fake accounts en masse, without email confirmation or MFA. | Easier card testing, increase in spam. | Require registration with email confirmation and MFA. Limit the number of accounts from a single IP address. |
| Weak website protection (lack of WAF, outdated software) | Carders use injections (SQL, XSS) to plant scripts that steal data on checkout pages. | Complete site compromise, leaks. WooCommerce is often vulnerable due to plugins. | Install a Web Application Firewall (WAF), keep your CMS (WordPress, Magento) updated, and use SSL/TLS for encryption. |
| Dependence on weak payment gateways | Gateways without built-in fraud scoring let suspicious transactions go through. | High losses from chargebacks. | Choose gateways like Stripe with AI-based fraud detection. Integrate authorization holds for verification. |
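The velocity and geolocation rows above describe the detection logic in words; here it is as a small, added example (my own illustration, not code from any gateway or vendor named on this page) that scores a constructed authorization log, flagging an IP that bursts many distinct cards with ~$1 attempts inside a one-minute window, plus per-transaction IP/card-country mismatches. The thresholds, the `tok_*` card tokens, the IP addresses and the assumption that the gateway supplies the issuer country via a BIN lookup are all mine.

```python
from collections import deque, namedtuple
from datetime import datetime, timedelta

# token: tokenized card reference, never the raw PAN; card_country: issuer
# country from a BIN lookup, assumed to be supplied by the gateway upstream.
Txn = namedtuple("Txn", "ts ip token amount ip_country card_country")

def parse(rows):
    """Build Txn records from (iso_ts, ip, token, amount, ip_cc, card_cc) tuples."""
    return [Txn(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]

# Constructed sample: one genuine shopper (203.0.113.5) and a card-testing
# burst from 198.51.100.7 probing several cards with ~$1 authorizations.
SAMPLE_TXNS = parse([
    ("2025-03-01T10:00:00", "203.0.113.5", "tok_a1", 89.90, "DE", "DE"),
    ("2025-03-01T10:00:03", "198.51.100.7", "tok_b1", 1.00, "NL", "US"),
    ("2025-03-01T10:00:05", "198.51.100.7", "tok_b2", 1.00, "NL", "US"),
    ("2025-03-01T10:00:08", "198.51.100.7", "tok_b3", 1.00, "NL", "BR"),
    ("2025-03-01T10:00:11", "198.51.100.7", "tok_b4", 0.99, "NL", "US"),
    ("2025-03-01T10:00:14", "198.51.100.7", "tok_b5", 1.00, "NL", "US"),
    ("2025-03-01T10:20:00", "203.0.113.5", "tok_a1", 24.50, "DE", "DE"),
])

WINDOW = timedelta(minutes=1)
MAX_ATTEMPTS = 4        # authorizations per IP per window
MAX_DISTINCT_CARDS = 3  # distinct cards per IP per window
SMALL_AMOUNT = 2.00     # typical card-testing ticket size in USD

def score_transactions(txns):
    """Score each authorization against its IP's recent history;
    returns [(txn, reasons)] in time order, empty reasons meaning allow."""
    history = {}  # ip -> deque of that IP's txns inside WINDOW
    results = []
    for txn in sorted(txns, key=lambda t: t.ts):
        recent = history.setdefault(txn.ip, deque())
        recent.append(txn)
        while txn.ts - recent[0].ts > WINDOW:  # evict entries older than WINDOW
            recent.popleft()
        reasons = []
        if len(recent) > MAX_ATTEMPTS:
            reasons.append("velocity")
        if len({t.token for t in recent}) > MAX_DISTINCT_CARDS:
            reasons.append("many_cards")
        if len(recent) >= 3 and all(t.amount <= SMALL_AMOUNT for t in recent):
            reasons.append("small_amounts")
        if txn.ip_country != txn.card_country:
            reasons.append("geo_mismatch")
        results.append((txn, reasons))
    return results
```

The genuine shopper's two purchases twenty minutes apart never trip a rule, while the bot IP accumulates reasons with each attempt; in production the decision would feed a step-up (3D Secure challenge) or a block rather than a plain list.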
Additional educational insights
- Staff training: One of the key mistakes is the lack of training for employees. Carders can use social engineering (phishing) to gain access to systems. Regular threat-recognition training is recommended.
- 2025 Trends: With the rise of AI, carders are using bots for BIN attacks (guessing card numbers based on the bank identification number). Regulations (EU AI Act, PSD3) require enhanced security, including mandatory fraud monitoring.
- Economic aspect: Chargebacks can cost merchants 2-3x the transaction amount (fees + goods). Prevention pays off: implementing multi-layered protection reduces fraud by 50-90%.
To prevent attacks, it's recommended to consult with experts (such as PCI SSC) and use tools like Solid Security or DataDome. This not only protects your business but also builds customer trust. If you're a merchant, start with a website vulnerability audit.