WooCommerce Card-Testing Attack: How to Know You’re Under Attack Right Now and Stop It

The first sign is usually an email from your payment gateway. Or a Slack notification. Or you open WooCommerce orders and see a column of red “Failed” statuses that wasn’t there an hour ago. Five failed payments. Then twenty. Then fifty — all within the same fifteen minutes, from addresses you don’t recognize, for small amounts, using cards you’ve never seen before.

That’s a WooCommerce card-testing attack. It’s not a hacker trying to buy something from your store. It’s a bot — or a coordinated group of bots — using your checkout as a validation service for stolen card numbers. Every decline tells the attacker whether a card number is live. Your gateway pays the processing cost. You eventually pay the fraud and chargeback costs when the validated cards get used elsewhere.

This guide is structured for two readers: someone actively watching this happen right now, and someone who wants to understand it before it happens so they’re ready. If you’re in the middle of an attack, skip to Panic Freeze and come back to the explanation later.

What a WooCommerce Card-Testing Attack Actually Is

Card-testing attacks — sometimes called carding or BIN attacks — are a specific type of payment fraud. A criminal buys or steals a batch of card numbers. Before they can use those cards for high-value fraud, they need to know which ones are still active and what their limits are. The easiest way to find out is to run small authorization attempts through a real merchant’s checkout.

Your WooCommerce store is the perfect tool for this. Automated bots submit payment attempts with minimal real purchase intent — often for the cheapest item in your catalog, or sometimes for $0.00 or $1.00 test amounts. Each attempt that gets declined tells the attacker: this card number is dead. Each attempt that succeeds tells them: this card is live, active, and worth using for a larger crime.

The attack costs you in several ways even before any fraud completes:

• Gateway processing fees on declines. Most payment gateways charge a fee per transaction attempt — not just successful ones. A hundred declined attempts during an attack adds up quickly.
• Chargeback ratio inflation. When validated cards get used for actual fraud and the cardholders dispute the charges, those chargebacks get attributed to merchants. Your ratio can climb without you ever knowingly processing a fraudulent order.
• Gateway account risk. Payment processors monitor decline ratios and chargeback rates. Sustained high rates can trigger monitoring programs (Visa VDMP, Mastercard ECP) or, in serious cases, account suspension. For more on how chargebacks can escalate into payment processing problems, see how WooCommerce chargebacks can trigger a payment gateway ban.
• Server load. Large-scale attacks generate real HTTP traffic. On shared hosting, this can affect frontend performance for legitimate customers.

How to Recognize You’re Under Attack Right Now

The signals are usually obvious once you know what to look for, but they can be easy to dismiss as “something broken” rather than “someone attacking” if you haven’t seen it before.

If two or more of those signals are present at the same time, you are almost certainly looking at a card-testing attack rather than a technical problem with your checkout.

Why It Matters Beyond the Declined Payments

The immediate damage from a card-testing attack is visible: gateway fees on declines, time spent investigating, and the stress of watching failed orders pile up. But the downstream damage is often worse.

When the attacker successfully validates a card through your checkout, that card gets used for fraud somewhere else. The cardholder disputes the charges. Depending on how the fraud is attributed, those chargebacks can reach merchants in the card’s transaction history. Your store may see dispute filings from orders it didn’t even know were connected to the attack.

More directly: Stripe and other gateways track your monthly decline ratio and chargeback rate. If either crosses the monitoring thresholds set by Visa (VDMP), Mastercard (ECP), or Amex, your gateway account enters a monitoring program. The consequences range from additional fees to being placed on a terminated merchant list — which makes processing payments very difficult to arrange with any new processor. A single concentrated attack can move the needle enough to matter.

The fraud-and-discount connection also runs deeper than most store owners realize. Promotions that attract heavy traffic — especially flash sales or steep welcome discounts — also attract attack bots looking for a high-volume cover. For more on how promotions and fraud risk interact, see how WooCommerce promotions create fraud exposure.

How TrustLens Card-Testing Defense Responds Automatically

TrustLens’s Card-Testing Defense module is part of the free version of the plugin. It ships enabled on new installs with sensible default thresholds — no configuration is required to get basic protection running.

The defense works at the checkout layer, before payment requests reach your gateway. When a device crosses the decline or submission thresholds, TrustLens blocks that device from completing checkout. The gateway never sees the request, so the decline fee is never incurred and the decline never hits your ratio.

The defense operates on device fingerprints, not customer accounts. A device fingerprint is a pseudonymous hash of signals the browser provides — canvas rendering, screen dimensions, timezone, language, platform, and WebGL. This matters because it means the block targets the attacking bot’s device, not an email address. New accounts using the same device remain blocked; legitimate customers on different devices are unaffected.

The three states the defense can be in are IDLE (no attack detected), TARGETED (one or more device fingerprints are locked out), and PANIC (global freeze — all checkout halted). You can see the current state on the TrustLens → Card-Testing Defense admin page, which also shows the 24-hour decline count and any active targeted fingerprints.

The 60-Second Velocity Window and 90-Second Lockout

The core detection logic watches each device fingerprint’s behavior in rolling time windows. The 60-second window is the primary detection surface: TrustLens counts how many payment declines and checkout submissions that fingerprint has generated in the last 60 seconds.

The default thresholds (which you can adjust in TrustLens → Card-Testing Defense → Settings) are:

• 3 declines in 60 seconds from the same device fingerprint triggers a targeted block
• 10 checkout submissions in 60 seconds from the same fingerprint also triggers a block, even if most submissions didn’t reach the decline stage

When either threshold is crossed, TrustLens immediately locks that fingerprint out of checkout for 90 seconds. During those 90 seconds, any checkout attempt from that device — regardless of what email address or card is used — is blocked before the payment request reaches the gateway.

Ninety seconds sounds short. In practice, it is long enough to break the attack loop. Automated bots probe in rapid bursts. Blocking the device for 90 seconds disrupts the sequencing, and the attack typically either stops, slows significantly, or tries to rotate — at which point the detection fires again on the new fingerprint.

The fingerprint also has a server-side fallback: a stable hash of IP address, User-Agent, and Accept-Language headers. This matters for bots that rotate their JavaScript-generated fingerprint on every request to avoid per-fingerprint velocity limits. TrustLens tracks decline history under both the client-generated hash and the server-fallback hash. An attacker who rotates their client fingerprint still accumulates declines under the server-fallback hash, which stays stable across the rotation. When the server hash crosses threshold, the block fires regardless of what client hash the bot is using at that moment.

VIP Bypass: Why Real Customers Stay Protected

One of the practical anxieties around any checkout-level defense is the collateral damage question: what happens to legitimate customers during an attack? A repeat buyer who has ordered from your store a dozen times should never find themselves unable to check out because a bot happened to share their IP range.

TrustLens handles this through the VIP bypass — a setting that is enabled by default and that most stores should leave on. The bypass works like this: before applying any velocity-based block, TrustLens checks whether the email address on the checkout request belongs to a customer who meets two conditions:

1. They have completed at least as many orders as your minimum-orders threshold (default: 3 orders)
2. They are not in the Risk or Critical segments

Customers who meet both conditions are never blocked by the velocity rules — even if a bot happens to share a device fingerprint with them, or if their checkout triggers a submission-rate check. The bypass protects your real customers from false positives during an active attack.

The segment check is important. A customer in the Risk or Critical segment — based on their order history, return rates, chargeback exposure, or other behavioral signals — does not benefit from the VIP bypass even if they have enough orders. TrustLens does not grant unlimited bypass to high-risk customers, because a fraud actor who completed a small number of orders to gain bypass status would otherwise sail through card-testing velocity checks indefinitely.

Panic Freeze: The One-Click Emergency Stop

The automated velocity detection handles most attacks before you even see them. But some attacks are large enough, fast enough, or use enough rotating fingerprints that the per-device blocks don’t contain the damage fast enough. That’s what Panic Freeze is for.

Panic Freeze is a single button on the TrustLens → Card-Testing Defense page. When you click it, TrustLens immediately halts all checkout completions for 15 minutes. No payment requests reach your gateway during that window. No declines accumulate. The attack’s ability to validate cards through your checkout stops immediately.

The page shows you the current defense state — IDLE, TARGETED, or PANIC — and a countdown if a freeze is active. You can deactivate it early if you determine the attack has stopped. The maximum duration for a single activation is 30 minutes (you can reactivate if you need more time).

After the Attack: What to Check

Once the immediate attack is contained, a few things are worth reviewing — not just to document what happened, but to close any gaps for next time.

Check your gateway’s failed payment log. The gateway usually provides more detail than WooCommerce’s order list: which cards were declined, the decline codes, the IP addresses of the attempts. This can help you understand the attack’s scale and whether any transactions succeeded.

Review the TrustLens customer profiles for any orders that completed during the attack. If an order completed while the defense state was TARGETED or PANIC, TrustLens logs a during_attack_window event on that customer’s profile. This is not proof of fraud — legitimate customers do complete orders during attacks — but it’s a signal worth reviewing for any unusually high-value orders in that window.

Adjust thresholds if necessary. If the attack generated significant declines before the automated blocking fired, consider lowering the default thresholds (3 declines per 60 seconds) for a period until you’re confident the threat has passed. Go to TrustLens → Card-Testing Defense → Settings. Be aware that tighter thresholds can increase the chance of a false positive on a legitimate customer who has a genuine payment method failure.

Contact your gateway if fees or ratios were affected. If the attack was large enough to move your decline ratio or incur meaningful fees, some gateways will waive or credit fees associated with documented fraud attacks — especially if you can show you took active steps to stop it. It’s worth asking.

Pro: Auto-Escalation for Recurring Attacks

The free Card-Testing Defense covers most attacks: per-device velocity windows fire quickly, device fingerprints get locked out for 90 seconds, and Panic Freeze is available as a manual override. For stores that see recurring attacks — or attacks coordinated across many devices simultaneously — TrustLens Pro adds automatic escalation.

Pro’s auto-escalation triggers a global Panic Freeze automatically when the attack spreads across multiple device fingerprints within a short window. The default threshold is 3 distinct device fingerprints triggering velocity blocks within 10 minutes. Before escalating, TrustLens also checks whether the decline burst is geographically distributed across many countries with no single country dominating — this is the geographic-diversity safeguard, which prevents a flash sale or viral moment from being mistaken for a coordinated attack.

Pro also adds an Attack History tab with a 24-hour decline count, decline-code breakdown, the top attacking fingerprints, an hourly timeline chart, and CSV export — useful for documenting attacks for gateway disputes or insurance. Slack and email alerts fire when an attack is detected, when auto-escalation triggers, or when Panic Freeze is activated.

For stores where manual monitoring isn’t practical — overnight, weekends, or high-volume periods — Pro’s auto-escalation means a coordinated attack gets contained within seconds rather than waiting for someone to notice and log in. The detailed attack intelligence in TrustLens Pro is also the foundation for the auto-escalation feature covered in the companion post on WooCommerce card-testing auto-escalation.

Frequently Asked Questions