E-commerce Merchant Account Fraud

October 30, 2020

With Covid on the rise so is e-commerce merchant account fraud. Merchants need to be aware of BIN and Credit Card testing that could take place on their e-commerce  website and should protect their website from this costly fraud.

Credit card testing and BIN attacks are greatly on the rise and can leave merchants having to pay the transactions fees incurred if their e-commerce website is hit with credit card testing. Card testing is common, but both of them are not always an easy form of fraud to spot because it usually takes place in the middle of the night with automated bots when most e-commerce website owners are sleeping and may not be actively monitoring their website activities.

Credit card testing is when fraudsters obtain, steal, or purchase stolen credit card data. Of course, the credit card data is not any good if the fraudsters do not know which cards are still active. To see what which credit card numbers are still active and have available credit they will test them on unsuspecting merchant’s e-commerce websites via their payment gateway and checkout pages.

Credit card testing is done by placing multiple small orders all at once and sometimes this can run in the hundreds of thousands of transactions within a very short timeframe. Usually the fraudsters deploy some type of a bot to automate the process and the transactions usually come from just a few similar IP addresses.


A BIN attack involves using a known BIN (Bank Identification Number) number, and systematically generating and testing the remaining numbers of a credit card number usually deploying the use of a BOT as well. These numbers are usually tested by making small transactions of less than $1. Small credit card amounts are hard to be detected by fraud detection systems, and most consumers do not even notice them. The valid numbers are then later used to make much larger transactions, with merchants and issuers bearing these losses.

T1 Payments strongly encourages merchants to use iSpyFraud to fight credit card testing which is a value-added service that can be enabled via their NMI payment gateway.