
Carding

What is carding fraud?

Carding is a type of card fraud that involves obtaining, verifying, and using stolen credit or debit card data to make unauthorized purchases or resell that information on the dark web. Criminals, known as carders, exploit the card‑not‑present (CNP) channel because they do not need the physical card to operate.

Unlike other fraud types, carding works in stages. First, the data is tested with low‑value purchases (card testing), and if the card responds, higher‑value transactions are executed. Periods of high commercial activity (sales season, Black Friday, Christmas) are especially critical because the volume of legitimate transactions hides fraudulent charges.

Carding fraud with stolen payment cards

How carding works

The process follows a well‑defined chain that combines social engineering, automated tools, and underground markets:

  • Data acquisition. Carders obtain card information through phishing, skimming on physical terminals, malware that captures keystrokes, or by purchasing batches directly on dark‑web forums.
  • Automated verification (card testing). Specialized bots launch micro‑transactions (often €0.01–€1.00) against payment gateways with weak controls. Each successful attempt confirms that the card is active and that the CVV is correct.
  • Exploitation. Once validated, the data is used to make high‑value purchases, buy gift cards or prepaid cards that are hard to trace, or fund cryptocurrency wallets.
  • Monetization. The acquired goods are resold at a discount, and remaining card data is redistributed through encrypted channels.

According to the Federal Trade Commission (FTC), in 2024 more than 449,000 identity‑theft cases linked to credit cards were reported in the United States, a 7% increase compared to the previous year.

Regulatory impact and applicable security in carding

The European regulatory framework provides several layers of defense against carding that every merchant must understand:

PCI DSS v4.0 requires any entity that stores, processes, or transmits card data to comply with 12 core requirements. The most relevant against carding are Requirement 3 (protect stored account data with strong cryptography), Requirement 6 (maintain systems protected against malware), and Requirement 9.5.1 (protect POI devices against tampering and skimming).

PSD2 and Strong Customer Authentication (SCA) require at least two authentication factors for most electronic payments within the European Economic Area. The 3D Secure 2 protocol is the technical standard that implements this requirement and shifts fraud liability to the issuer when authentication is successfully completed. In Spain, this obligation is transposed through Royal Decree‑Law 19/2018 on payment services.

Additionally, card schemes impose fraud and chargeback monitoring programs. Visa and Mastercard penalize merchants that exceed a 0.9–1% chargeback rate, and may include them in restrictive lists (such as MATCH) that block card acceptance indefinitely.

Operational advantages and disadvantages

| Aspect | Advantage for the merchant | Risk if not managed |
|---|---|---|
| SCA/3D Secure | Shifts liability to the issuer for authenticated transactions | Checkout friction may reduce conversion if exemptions are not applied correctly |
| Tokenization | Replaces the real PAN with a token that has no value outside the system, reducing PCI DSS scope | If not implemented end‑to‑end, sensitive data remains exposed at some point |
| Velocity checks and blocklists | Stop card testing before it escalates by limiting attempts by IP, BIN, or device | Overly aggressive rules block legitimate customers and create false positives |
| Real‑time monitoring | Detects anomalous patterns (multiple cards from one device, spikes in micro‑transactions) | Without human review, automated models may miss sophisticated fraud |

The operational key is balancing security and user experience. An e-commerce business that applies 3D Secure intelligently—only when risk justifies it and using low‑risk exemptions under PSD2—protects its chargeback ratio without sacrificing conversion.
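
The velocity checks and real‑time monitoring rows of the table, as an added example that is not part of the original page: a sliding‑window check over authorization attempts that flags many distinct cards from one IP or device and spikes of low‑value attempts on one BIN. The thresholds, field names, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 300    # sliding window in seconds (assumed threshold)
MAX_CARDS = 3     # distinct cards allowed per IP/device per window (assumed)
MAX_MICRO = 5     # low-value attempts allowed per BIN per window (assumed)
MICRO_EUR = 1.00  # the page cites EUR 0.01-1.00 as typical card-testing amounts

def flag_card_testing(events):
    """Return (index, reason) pairs for attempts that breach a velocity rule.

    events: dicts with ts (epoch seconds), ip, device, card_token, bin, amount,
    sorted by ts. card_token is a token, never the real PAN.
    """
    cards_seen = defaultdict(deque)  # ("ip"|"device", value) -> (ts, token)
    micro_seen = defaultdict(deque)  # bin -> timestamps of low-value attempts
    alerts = []
    for i, e in enumerate(events):
        for dim in ("ip", "device"):
            q = cards_seen[(dim, e[dim])]
            q.append((e["ts"], e["card_token"]))
            while q[0][0] <= e["ts"] - WINDOW_S:  # evict entries outside window
                q.popleft()
            if len({tok for _, tok in q}) > MAX_CARDS:
                alerts.append((i, f"many cards from one {dim}"))
        if e["amount"] <= MICRO_EUR:
            q = micro_seen[e["bin"]]
            q.append(e["ts"])
            while q[0] <= e["ts"] - WINDOW_S:
                q.popleft()
            if len(q) > MAX_MICRO:
                alerts.append((i, "micro-transaction spike on BIN"))
    return alerts

def _ev(ts, ip, device, token, bin_, amount):
    return dict(ts=ts, ip=ip, device=device, card_token=token, bin=bin_, amount=amount)

# Constructed sample: one customer retrying the same card, then a burst of
# six different cards at EUR 0.50 from a single device within one minute.
SAMPLE = (
    [_ev(0, "198.51.100.7", "dev-A", "tok-legit", "411111", 59.90),
     _ev(40, "198.51.100.7", "dev-A", "tok-legit", "411111", 59.90)]
    + [_ev(100 + 10 * n, "203.0.113.9", "dev-B", f"tok-{n}", "522222", 0.50)
       for n in range(6)]
)

if __name__ == "__main__":
    for idx, reason in flag_card_testing(SAMPLE):
        print(idx, SAMPLE[idx]["ip"], SAMPLE[idx]["device"], reason)
```

The customer who retries the same card is never flagged because the rule counts distinct tokens, not attempts, which is one way to limit the false positives the table warns about.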
