How Shopify’s machine learning blocks nearly 90% of card testing attacks and protects merchant sales (2026)



Few metrics impact merchant revenue as directly as payment authorization rates. Approval rate is the percentage of transaction attempts that are approved by a customer’s bank, and even a small dip can mean significant lost sales. One of the biggest invisible threats to these rates is card testing, a tactic in which fraudsters use merchant checkouts to verify stolen credit card numbers.

Card tests don’t always result in chargebacks, but they do result in failed transactions and reduce the merchant’s trust with banks. This often leads to long-term declines in acceptance rates, which means legitimate customer payments are unfairly denied long after the attack has stopped.

To solve this, Shopify has implemented a unique platform-level machine learning model that detects and blocks these attacks before they reach banks.

By blocking roughly 90% of card testing attacks on guest credit card checkouts (the primary attack vector for card testing), this model suggests that 13% more of merchants’ legitimate sales will be approved by their banks. Learn how Shopify’s unique approach to fraud intelligence protects approval rates without burdening actual buyers.

Important points

  • The damage from card testing is indirect, but costly. The real cost is not the failed transactions, but months of declining trust with banks and a slow decline in the number of legitimate customers.
  • Platform-wide signals matter. Attacks that appear distributed across individual processors become evident when patterns can be seen across millions of merchants.
  • Smart interventions preserve conversions. By targeting high-risk attempts before they reach the payment network, Shopify blocks 90% of card testing attacks and increases authorization rates by 13%. This protects the seller’s bottom line without burdening the actual buyer.

Why traditional defenses aren’t enough

Even as payment networks deploy increasingly robust card testing models, attackers are evolving. They have abandoned easily detectable brute-force tactics, such as hundreds of attempts per minute from a single IP address, in favor of sophisticated decentralized campaigns.

Today’s attackers distribute small-volume attacks across thousands of individual sellers and route traffic through residential proxies. These networks of real home internet connections, often everyday consumer devices, make automated fraudulent traffic appear to originate from legitimate shoppers rather than from data centers or known fraudulent IPs. The result: each attempt looks like a plausible customer, meticulously mimicking real purchase patterns.

Payment networks are at a structural disadvantage against these tactics. They only become involved at the moment of authorization, the last step in the buyer’s long journey. This means they don’t know how shoppers arrive at the checkout, what they do in the store, or how their behavior compares to that of regular buyers. With only transactional payloads to process, networks must rely on aggregated and delayed signals that take time to materialize (e.g., spikes in decline rates, BIN-level patterns, chargeback feedback loops). By the time these signals trigger a response, the damage to the seller’s approval profile has already been done.

Shopify Advantage: Platform-Level Discovery

Shopify takes a unique, holistic view of commerce. We know everything about the traffic that flows through your store, from the moment a visitor lands on your site to the moment they click “pay.”

To combat decentralized card testing, we designed a unique machine learning model that scores every payment attempt before it touches a processor. It is available only to merchants using Shopify Payments. This preemptive system uses supervised machine learning models trained on historical network-level fraud patterns to analyze signals across three deep and unique dimensions:

  1. Behavior patterns. How does this attempt compare to the behavior of legitimate buyers? The speed, timing, and interaction patterns that distinguish well-intentioned orders from malicious attacks.
  2. Network-level signals. Patterns that only appear at Shopify’s scale: infrastructure indicators that reveal cross-seller and cross-processor activity, device fingerprinting, and coordinated attacks.
  3. Transaction context. A combination of payment method, seller category, and buyer history that helps distinguish a first-time customer from a fraudster testing cards.

If the model flags a high-risk attempt, it intervenes before the transaction reaches the payment network, stopping malicious activity while providing legitimate customers with a path to complete their purchase.
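The gap between a per-IP velocity rule, a single merchant's view, and a cross-merchant view can be shown on a small constructed dataset. This is an added illustration, not Shopify's model or code: the event fields, the device-fingerprint grouping key, and all thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

def make_events():
    """Constructed sample data: (minute, merchant, ip, device_fp, declined)."""
    events = []
    # Distributed campaign: one device fingerprint, one attempt at each of
    # 40 merchants, each through a different residential-proxy IP.
    for i in range(40):
        events.append((i % 10, f"shop-{i}", f"198.51.100.{i}", "fp-A", i % 8 != 0))
    # Legitimate buyers: a distinct device each, with an occasional decline.
    for i in range(60):
        events.append((i % 10, f"shop-{i % 40}", f"203.0.113.{i}", f"fp-L{i}", i % 15 == 0))
    # One returning shopper buying at three stores from the same device.
    for i in range(3):
        events.append((i, f"shop-{i}", "203.0.113.200", "fp-R", False))
    return events

def per_ip_velocity(events, max_per_minute=100):
    """Brute-force rule: too many attempts per minute from a single IP."""
    counts = defaultdict(int)
    for minute, _merchant, ip, _fp, _declined in events:
        counts[(ip, minute)] += 1
    return {ip for (ip, _minute), n in counts.items() if n > max_per_minute}

def per_merchant_decline_spike(events, min_attempts=5, min_decline_rate=0.6):
    """Single-merchant view: decline-rate spike within one store's own traffic."""
    attempts, declines = defaultdict(int), defaultdict(int)
    for _minute, merchant, _ip, _fp, declined in events:
        attempts[merchant] += 1
        declines[merchant] += declined
    return {m for m, n in attempts.items()
            if n >= min_attempts and declines[m] / n >= min_decline_rate}

def cross_merchant_clusters(events, min_merchants=10, min_decline_rate=0.6):
    """Platform view: one fingerprint spread thinly across many merchants."""
    merchants, attempts, declines = defaultdict(set), defaultdict(int), defaultdict(int)
    for _minute, merchant, _ip, fp, declined in events:
        merchants[fp].add(merchant)
        attempts[fp] += 1
        declines[fp] += declined
    return {fp for fp, n in attempts.items()
            if len(merchants[fp]) >= min_merchants
            and declines[fp] / n >= min_decline_rate}

if __name__ == "__main__":
    ev = make_events()
    print("per-IP velocity flags:      ", per_ip_velocity(ev))
    print("per-merchant decline flags: ", per_merchant_decline_spike(ev))
    print("cross-merchant flags:       ", cross_merchant_clusters(ev))
```

The decline-rate condition is what keeps the returning shopper (`fp-R`) out of the result: breadth across merchants alone would also match ordinary multi-store buyers.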

Results: Increased authorization rates and protected GMV

Stopping these attacks early ensures that only the safest and highest quality traffic is sent to processors and customer banks.

  • Blocks 90% of attacks. Our model catches 90% of card testing attacks. This means far less fraud reaches a level that can damage a seller’s risk profile.
  • Approval rates increased by 13%. The success rate of legitimate payments increased by 13% by maintaining high merchant trust with banks.

For legitimate buyers, the impact is invisible. Malicious traffic is effectively mitigated without negatively impacting legitimate business or primary revenue.


