Addressing Suspected Credit Card Testing on Donation Forms

This article outlines the steps you should take to address and prevent credit card testing.

What is credit card testing fraud?

Credit card testing, or carding, is a type of credit card fraud where a person attempts transactions using stolen credit card numbers on an online form. This is often done using a script or bot. This fraudulent activity can often be identified by the quick velocity of transaction attempts, a large number of declines, or transactions using repeated information (same amount, cardholder name, email address, IP region, etc).

What options to do we have to prevent or stop this type of fraudulent activity?

  • Enable email notifications within the CardPointe Portal

The CardConnect Risk Mitigation team will notify you as soon as credit card authorization velocity peaks outside of a normal range and your merchant account will be disabled. Click to HERE review how to set this up.

  • Enable CVV and AVS Protection
    • The Card Verification Value (CVV or CVV2) ensures the submitter possesses the physical credit card. 
    • Address Verification Service (AVS) check matches the cardholder’s credit card billing address with the address on file at the credit card company.
    • Click HERE to review steps for configuring these settings.
  • Increase Minimum Donation Amount

Setting a minimum donation amount on a donation form can help prevent fraudsters from testing credit card numbers for validity by making small, inconspicuous charges. Click HERE to review steps for setting this up.


For any transactions that were processed, we recommend refunding them to avoid any potential fees from the processor. However, before issuing any refunds for fraudulent sales, please check the Chargebacks tab in CardPointe to ensure the cardholder has not already been refunded through the Chargeback process. Click HERE for steps on how to refund a donation.

What does iDonate already have in place?


By using advanced risk analysis techniques, reCAPTCHA blocks malicious bots while allowing legitimate users to access your site without unnecessary friction. Click HERE to learn more about reCAPTCHA and the different versions.


Risk Tolerance Score - Transactions with the greatest risk get the highest score and those that exceed the risk threshold are automatically rejected. iDonate rejects transactions based on certain risk factors, such as when:

  • Account Velocity - The credit card number, card type, and expirationdate occur frequently within a short duration.
  • Bank Identification Number Country Match:Cardholders rarely have a billing address in a country different than their credit cards' issuing banks, so a match of the BIN and the billing country is verified.
  • Proxy Detection: Anonymous or open proxies associated with the IP address would increase the risk score. Fraudsters may use anonymous proxies to hide their true locations and bypass geolocation filters or they may use open proxies to simulate transactions from the highjacked computers to bypass IP geolocation tools.
  • Free email domains: Statistically, free email addresses double the likelihood of fraud so if the domain used for the email address is from a free email provider such as or it will increase the risk score.
  • Carder email: Since fraudsters often use the same email address multiple times, the email address is checked for previous fraudulent transactions or chargebacks.
  • Distance: The distance between the IP address and billing address is evaluated as a greater distance between them indicates a greater risk of fraud.
  • High-risk countries: Due to a statistically high rate of fraudulent transactions originating from IP addresses located in specific geographic locations, transactions with a billing or IP address in these locations result in higher risk scores.

For even more information, please take a peek at our blog:

Protecting Your Nonprofit: How to Prevent Donation Page Credit Card Testing Fraud