Card Testing

This article explains what card testing is, what you may notice on your account, and how our teams respond to protect your giving form.

 

What is Card Testing?

Card testing is a type of attempted payment fraud that affects online payment forms across the internet.

In a card testing event, a bad actor uses stolen credit or debit card numbers and attempts small-dollar transactions on an online payment form to see which cards are still valid. If a transaction is approved, they know the card number works and may attempt to use it elsewhere or resell it.  

These attempts are typically automated using software that submits multiple transactions in a short period. They are not targeted at your organization specifically and do not indicate that your account or donor data has been breached.  

Important: Your online giving account and donor information remain secure during card testing activity.

 

What might you notice?

During card testing activity, you may see:

  • A spike in small-dollar transactions (often $1–$5)
  • Multiple declined transactions in a short time
  • Fictitious donor records created from failed or test attempts
  • In some cases, short-term limits are placed on card payments
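
If you export your transaction history, the signs listed above can be checked in a short script. The following is an added example, not code from this platform: it scans a constructed transaction list for bursts of small-dollar attempts with many declines, and lists any approved transactions inside a burst, which are the ones to refund and report. The field names, the 10-minute window, and the count thresholds are assumptions.

```python
from datetime import datetime, timedelta

SMALL_MIN, SMALL_MAX = 1.00, 5.00  # the "often $1-$5" range noted above

def find_card_testing_bursts(txns, window=timedelta(minutes=10),
                             min_attempts=5, min_declines=3):
    """Return bursts of small-dollar attempts that include many declines.

    txns: dicts with 'id', 'time' (datetime), 'amount', 'status'.
    Field names and thresholds are assumptions for this example.
    """
    small = sorted((t for t in txns if SMALL_MIN <= t["amount"] <= SMALL_MAX),
                   key=lambda t: t["time"])
    bursts, start = [], 0
    while start < len(small):
        end = start
        # Extend the burst while attempts stay within `window` of the first one.
        while (end + 1 < len(small)
               and small[end + 1]["time"] - small[start]["time"] <= window):
            end += 1
        group = small[start:end + 1]
        declined = [t for t in group if t["status"] == "declined"]
        if len(group) >= min_attempts and len(declined) >= min_declines:
            bursts.append({
                "start": group[0]["time"], "end": group[-1]["time"],
                "attempts": len(group), "declined": len(declined),
                # Approved transactions in a burst: refund and report these.
                "approved_ids": [t["id"] for t in group
                                 if t["status"] == "approved"],
            })
            start = end + 1   # continue after this burst
        else:
            start += 1        # slide forward by one attempt
    return bursts

def txn(i, hour, minute, amount, status):
    return {"id": i, "time": datetime(2024, 1, 15, hour, minute),
            "amount": amount, "status": status}

# Constructed sample data: two ordinary gifts around a five-minute burst.
SAMPLE = [
    txn("t1", 9, 12, 50.00, "approved"),
    txn("t2", 14, 0, 1.00, "declined"), txn("t3", 14, 1, 1.00, "declined"),
    txn("t4", 14, 1, 2.00, "declined"), txn("t5", 14, 2, 1.00, "approved"),
    txn("t6", 14, 3, 5.00, "declined"), txn("t7", 14, 4, 1.00, "declined"),
    txn("t8", 18, 30, 5.00, "approved"),
]
```

On the sample data this reports one burst between 14:00 and 14:04 and identifies t5 as the approved transaction to refund; the isolated $5 gift at 18:30 is not flagged.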

 

How we mitigate card testing

Stopping card testing without shutting down giving requires a layered security approach. Our teams actively monitor for this activity and may apply one or more of the following protections:

  • Enhanced CAPTCHA on your giving form
    • Donors may be asked to verify images or numbers before submitting a gift
  • IP address controls
    • Blocking or limiting transactions from high-risk locations
  • Geolocation filtering
    • Restricting transactions from high-risk, non-U.S. regions
  • Address Verification Service (AVS)
    • After repeated failed attempts, billing addresses must match those on file with the card issuer.
    • Transactions that approve but fail address verification may be automatically voided.
  • Temporary card restrictions
    • If testing persists, card payment types may be temporarily disabled
    • Other methods like ACH, PayPal, Venmo, Google Pay, and Apple Pay may remain available

Once the suspicious activity subsides, full card functionality is restored.

 

When to contact us

If suspicious transactions are approved:

  • Refund the transaction(s).
  • Contact our Support team so we can apply additional protections.

If transactions are declined:

  • You may contact Support to enable additional security measures.

After reporting:

  • We continue to monitor your account.
  • You do not need to notify us again unless there is a spike in suspicious activity or card testing transactions are approved.

 

Steps you can take

We are working to protect you, but you can also take some account-level steps to help during card testing events. Note that in some cases, we temporarily take some of these steps for you.

Update the giving form URL

  • Go to Forms. Find your giving form, and click the tri-dot, then copy the form.
  • Use the new form URL on your website, and unpublish the old form
    • If you use the personalized URL, you may also go to the cog gear, then the Giving Portal to update the URL there.

Turn on enhanced CAPTCHA for your giving form.

  • Navigate to your form, click Form Properties, then click Submission. Turn on the CAPTCHA option.

Temporarily remove cards as an option.

  • Recurring donations will still run, and eWallet and ACH options can remain on the form.
  • Navigate to your form, and click on Form Properties, then Payment. Remove cards as an option.
  • In a few days to a week, you may turn cards back on.

Enable OTC Verification

  • OTC Verification sends a code via text or email to the donor and requires the code to be entered before completing the transaction.
  • To enable, go to the cog gear, then Settings.
  • PRO TIP: As you talk to your donors, encourage them to create an account and sign in!

 

How we support you

Our Payments Risk & Compliance and Giving Development teams actively monitor for card testing activity across our platform. When detected, we apply appropriate safeguards to protect your organization, donors, and giving experience.  

We can also assist with reviewing suspicious transactions and removing fictitious donor profiles created during the event.

 

Frequently asked questions

Is my account compromised?

No. Card testing is an attempt to validate stolen card numbers—not a breach of your account or donor data.

Why am I seeing new donors or very small transactions?

Automated testing attempts can create donor and transaction records using small amounts.

Will donors still be able to give?

Yes. In some situations, card payments may be temporarily limited, but other payment methods can remain available.

When will everything return to normal?

Once the suspicious activity stops, your giving form is restored to full functionality. 
