Understanding and Combating Credit Card Testing Attacks

Neon One Staff
Last updated March 17, 2026

Have you ever seen a huge influx of unusual-looking transactions on one of your forms? You may have been the target of a card testing attack.

But what does that actually mean? And what steps is Neon One taking to protect you from similar attacks?

What’s a Credit Card Testing Attack?

A card testing attack occurs when someone acquires a list of stolen credit cards and attempts to validate whether or not they’ll work. Most stolen cards are inactive, which means the thief needs to use some kind of testing process to identify the valid ones.

Attackers need to use a legitimate payment terminal or merchant account to conduct these tests. Setting up a payment processing account of their own would require identity verification and getting past a ton of other requirements. Instead, these people will often test stolen cards using online forms with existing merchant accounts like those used by nonprofits. 

During an attack, someone will submit lots of small transactions on a form. They’ll pay attention to which cards can process those transactions—those are the active cards. Once they’ve identified which of the stolen cards are still valid, they can use them for other fraudulent purchases.

Nonprofit organizations are increasingly targeted by credit card testing attacks due to the nature of online donation forms. Unlike typical e-commerce sites, donation forms often require less information (e.g., no shipping address), making them easier for attackers to repeatedly exploit.

Credit card testing is not a new phenomenon, and these attacks have evolved in sophistication. While Neon One has long provided services to the nonprofit sector, the methods employed by attackers have become more advanced over time. That means our preventative measures have needed to evolve, too.

What’s the Difference Between Card Testing and a Data Breach?

It is important to understand that a card testing attack is a type of fraud and a cybersecurity incident, but it is not a data breach or a “hack.” 

The attackers’ goal is only to validate stolen credit cards. They are not attempting to damage or steal information from your organization. 

A card testing incident does not mean that your system’s security has been compromised or that you’re more susceptible to a data breach. Both are entirely distinct categories of cybersecurity events.

Impact of Card Testing Attacks

Card testing attacks can significantly impact nonprofit organizations in a few different ways:

  • Financial Impact: When someone tests cards on one of your forms, each transaction they process incurs processing fees. On top of that, successful fraudulent charges often lead to chargebacks (disputes), which typically carry an additional fee (e.g., $20 per chargeback). These fees can add up rapidly.
  • Data Cleanup: Attacks frequently generate large amounts of “junk data” within CRM systems or web applications. Cleaning up that data can take up significant staff time.
  • Lost Time & Resources: Staff members often have to dedicate valuable time to managing and resolving issues stemming from these card attacks. That means diverting resources from mission-critical activities.

These drawbacks are just a few of the reasons why protecting yourself from credit card testing attacks is important and why companies like Neon One are always working to prevent them.

Identifying a Card Testing Attack

You can usually identify a card testing attack by looking for several key characteristics in your CRM or in your merchant processor’s data. Look for:

  • High Volume of Charges: If you’ve experienced a card testing attack, you’ll notice a large number of charges that are all submitted within a short period. They’ll probably be for smaller amounts, too—attackers generally submit transactions that are less than $5.
  • High Decline Rate: The majority of these transactions will fail or be declined.
  • Consistent Amounts: Most or all charges will be for the same dollar amount (though some attackers do choose to randomize this).
  • Repeated Information (Sometimes): In some cases, attackers may use the exact same name or other contact information for multiple charges.

Once you’ve identified that you’ve been targeted in a credit card testing attack, you can determine which next steps to take. 
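The indicators listed above can be checked mechanically against an export of charges from a CRM or merchant processor. The Python below is an added example, not Neon One's code or detection logic; the record fields (`time`, `amount`, `approved`, `name`), the thresholds, and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune them to your own baseline.
WINDOW = timedelta(minutes=10)
MIN_CHARGES = 20      # "high volume" inside one window
SMALL_AMOUNT = 5.00   # the article notes testers generally stay under $5
MIN_SHARE = 0.60      # share of a burst that must match an indicator

def burst_signals(burst):
    """Name the card-testing indicators present in one high-volume burst."""
    n = len(burst)
    top = lambda key: Counter(key(t) for t in burst).most_common(1)[0][1]
    checks = {
        "high_decline_rate": sum(not t["approved"] for t in burst),
        "small_amounts": sum(t["amount"] < SMALL_AMOUNT for t in burst),
        "consistent_amount": top(lambda t: t["amount"]),
        "repeated_name": top(lambda t: t["name"].strip().lower()),
    }
    return ["high_volume"] + [s for s, hits in checks.items() if hits / n >= MIN_SHARE]

def detect_card_testing(txns):
    """Scan charges in time order; report bursts showing volume plus 2+ other indicators."""
    txns = sorted(txns, key=lambda t: t["time"])
    alerts, i = [], 0
    while i < len(txns):
        j = i
        while j < len(txns) and txns[j]["time"] - txns[i]["time"] <= WINDOW:
            j += 1
        burst = txns[i:j]
        signals = burst_signals(burst) if len(burst) >= MIN_CHARGES else []
        if len(signals) >= 3:
            alerts.append({"start": burst[0]["time"], "count": len(burst), "signals": signals})
            i = j  # continue after the reported burst
        else:
            i += 1
    return alerts

# Constructed sample data: four ordinary donations plus a 30-charge burst of $1 attempts.
T0 = datetime(2026, 1, 5, 9, 0)
SAMPLE = [{"time": T0 + timedelta(hours=h), "amount": a, "approved": True, "name": n}
          for h, a, n in [(0, 50.0, "A. Rivera"), (2, 25.0, "B. Chen"),
                          (5, 100.0, "C. Okafor"), (7, 10.0, "D. Patel")]]
SAMPLE += [{"time": T0 + timedelta(hours=3, seconds=10 * k), "amount": 1.0,
            "approved": k % 6 == 0, "name": "John Smith"} for k in range(30)]

if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE):
        print(alert)
```

Because a burst needs only two indicators beyond volume, one with randomized amounts is still reported, just without `consistent_amount`.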

What to Do If You Suspect Card Testing

If you believe you have identified evidence of credit card testing, the first thing you need to do is to contact the support team at your fundraising platform or merchant account (if you’re using Neon CRM, Neon Fundraise, or Neon Pay, that’s us!).

Getting help quickly is important, especially if the testing appears to be ongoing. Even if you think your service provider is already aware of the situation and is taking action, the information you have can be invaluable as they address the issue.

What happens after you contact your platform about the card testing attack will vary from provider to provider. At Neon One, we’ll keep you safe by implementing additional security measures to stop the activity. Once the attackers stop the card testing, we can help you with:

  • Data Cleanup: We’ll help you remove any fraudulent data generated by the attack.
  • Reconciliation: We’ll give you guidance on refunding and reconciling payment information affected by the attack.

Recovering from a credit card testing attack can be time-consuming. But you don’t have to do it alone—we’re here to help!

[Image: a reCAPTCHA checkbox at the end of a donation form. Caption: Neon One’s platform includes a number of different security measures designed to keep you safe from credit card testing attacks.]

How Neon One Keeps You Safe with Multi-Layered Security

Fraudulent actors constantly evolve the methods they use to launch carding attacks. Because there is no single solution that entirely prevents credit card testing, our strategy is to make attacking our customers so difficult and time-consuming that attackers abandon their efforts.

We layer these protections to keep Neon One a streamlined, secure place for nonprofits to fundraise, while also keeping safety at the forefront.

We won’t get detailed about specific defense mechanisms (we don’t want to let attackers know what we’re doing!), but we can share some general ideas.

Our approach to keeping you safe includes:

  • Active Monitoring and Adaptive Defenses: We use automated systems to monitor payment processing for suspicious activity. When our systems detect the patterns of a carding attack, we immediately trigger stricter security defenses. Our system dynamically changes how it processes transactions behind the scenes, which breaks the methods attackers rely on to test stolen cards quickly while still allowing legitimate donors to give. Whenever protections kick in, we’ll always let you know with an email notification.
  • Web Application Firewall (WAF): Our infrastructure uses evolving sets of rules to filter malicious traffic before it reaches our customers. Every organization using Neon One benefits directly from these built-in protections.
  • Verification and Rate Limiting: We use tools like reCAPTCHA to prevent automated scripts from filling out forms. We also use rate limiting to prevent a single user from submitting a donation form too many times within a short period.

Neon One customers can read more about our carding protection here.

Balancing Security and Donor Experience

As we protect you from card testing attacks, we balance the need to prevent fraud with the need to create a seamless experience for legitimate donors. When we notice an active attack, we prioritize your security while mitigating any impacts on real donors.

Sometimes, these temporary protections briefly change the typical donation experience. For example, your donors might encounter a reCAPTCHA challenge to verify their humanness or see a slightly different payment processing screen. While this adds a small step, these proactive tweaks have a big impact on keeping your organization safe.

Maintaining this balance is critical. If you notice that legitimate donors are experiencing issues or being blocked during an attack, please contact us. We want to work with you to keep you safe and to help you give your community the best possible experience!

Our security protocols for preventing, stopping, and recovering from credit card testing attacks are only part of how we keep you safe. Our PCI compliance program is another (very different but still important) way we keep both you and your supporters secure. Here’s where you can learn more.
