2026-06-13 · 7 min read
Protecting Checkout Flows from Carding Attacks
How carding attacks work against e-commerce checkout and the layered defenses that make bulk card testing economically unviable.
What a carding attack looks like from the server side
Carding attacks test stolen payment card numbers against a checkout flow to identify which cards are valid and have available balance. Attackers typically test small amounts — often $1 or less — and discard cards that fail.
From your server, a carding attack appears as a surge of checkout attempts with different card numbers, often with minimal other order variation. The damage is chargeback fees, payment processor penalties, and potential suspension of your merchant account.
Payment processors are not your only line of defense
Payment processor fraud tools evaluate the card transaction, not the request that initiated it. By the time a processor flags a transaction, your application has already processed the request, consumed server resources, and potentially triggered downstream logic.
Stopping carding attempts before checkout logic executes — at the middleware layer — is more efficient and prevents the request from ever reaching your payment integration.
Raising the cost of each probe attempt
Carding is an economics problem. Attackers test cards in bulk because each test is cheap. Defenses that increase the cost — in time, compute, or human intervention — per test attempt make bulk testing uneconomical.
Challenge flows on checkout, silent rate limiting per session rather than per IP, and requiring demonstrated browser capability before payment forms load all raise per-probe cost without adding meaningful friction to genuine purchases.