OWASP Automated Threats

Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.

What is Carding?

Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.

When partial cardholder data is available, and the expiry date and/or security code are not known, the process is instead known as OAT-010 Card Cracking. The use of stolen cards to obtain cash or goods is OAT-012 Cashing Out.

Carding is also known by terms such as card stuffing, credit card stuffing and card verification.


The symptoms of Carding

  1. Elevated basket abandonment
  2. Reduced average basket price
  3. Higher proportion of failed payment authorizations
  4. Disproportionate use of the payment step
  5. Increased chargebacks
  6. Multiple failed payment authorizations from the same user and/or IP address and/or user agent and/or session and/or device ID/fingerprint
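
The failed-authorization symptoms above (the higher proportion of failures, and repeated failures from one source) can be checked against payment logs. The following is an added example, not InfiSecure or OWASP code; the event field names, the 600-second window and the three-card threshold are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events (not real data). Field names are assumptions:
# ts = epoch seconds, card = tokenized card reference, ok = authorization approved.
EVENTS = [
    {"ts": 1000, "ip": "198.51.100.7", "session": "s1", "device": "d1", "card": "tok_a", "ok": False},
    {"ts": 1020, "ip": "198.51.100.7", "session": "s2", "device": "d1", "card": "tok_b", "ok": False},
    {"ts": 1045, "ip": "198.51.100.7", "session": "s3", "device": "d1", "card": "tok_c", "ok": False},
    {"ts": 1060, "ip": "198.51.100.7", "session": "s4", "device": "d1", "card": "tok_d", "ok": True},
    # A shopper retrying one mistyped card: same card each time, so not flagged.
    {"ts": 1100, "ip": "203.0.113.20", "session": "s9", "device": "d9", "card": "tok_z", "ok": False},
    {"ts": 1130, "ip": "203.0.113.20", "session": "s9", "device": "d9", "card": "tok_z", "ok": False},
    {"ts": 1160, "ip": "203.0.113.20", "session": "s9", "device": "d9", "card": "tok_z", "ok": False},
    {"ts": 1190, "ip": "203.0.113.20", "session": "s9", "device": "d9", "card": "tok_z", "ok": True},
]

def failure_ratio(events):
    """Proportion of failed payment authorizations across all events."""
    return sum(not e["ok"] for e in events) / len(events) if events else 0.0

def flag_sources(events, keys=("ip", "session", "device"), window=600, min_cards=3):
    """Find sources with failed authorizations on >= min_cards distinct cards
    inside any `window`-second span. Returns {(key, value): max distinct cards}."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            for k in keys:
                failures[(k, e[k])].append((e["ts"], e["card"]))
    flagged = {}
    for source, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the span is at most `window` seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            cards = {card for _, card in fails[start:end + 1]}
            if len(cards) >= min_cards:
                flagged[source] = max(flagged.get(source, 0), len(cards))
    return flagged

if __name__ == "__main__":
    print(f"failure ratio: {failure_ratio(EVENTS):.2f}")
    for (key, value), cards in sorted(flag_sources(EVENTS).items()):
        print(f"{key}={value}: failed authorizations on {cards} distinct cards")
```

In the sample, each failed attempt from the first source arrives under a new session, so the per-session key alone never reaches the threshold; the IP and device keys do, which is why the symptom is stated across several identifiers.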


Sectors targeted by Carding

  • Entertainment
  • Retail


Can InfiSecure prevent Carding?

InfiSecure’s advanced bot protection technology can block all carding fraud activities by identifying and restricting automated usage, fingerprinting the user agent for its unique characteristics. Apart from basic techniques like rate limiting the number of card authorization attempts per session/user/IP address/device/fingerprint, InfiSecure can identify and block the most advanced persistent bots engaged in carding fraud.