Enumeration fraud is the act of establishing valid card details, by testing them on an ecommerce website. It is also known as carding or card testing.

It can have devastating consequences for both businesses and consumers. If an online firm fails to take steps to identify and prevent its site from being used in this manner, the result can be lower authorisation rates; increased transaction fees because of repeated declined transactions; and additional fees from Visa or Mastercard for excessive retry attempts.

But even more alarmingly, if someone tests and confirms stolen card details are valid using your site and then commits further fraud with those valid card details, you could be liable for that fraud. It could result in fines and fees and business-ending reputational damage.


Meanwhile your customers face emotional distress, loss of trust in your company and payments in general, financial hardship or identity theft.

Brian Kinsella, Senior Regional Fraud Manager at Elavon, said: “We often see that the types of businesses that fall victim to carding attacks are small companies that may not have invested heavily in website security. 

“By taking a few simple, low-cost steps, you can prevent your business from falling foul of carding and any card fees for excessive declines.”


What is enumeration fraud, and how can you stop it?

Cyber-criminals acquire a collection of card details, either through theft, hacking, phishing, buying a list from the dark web or other nefarious means.

But they don’t know if they will work. Has the owner already cancelled the card? Did the card issuer already spot that the details have been cloned? Or perhaps the details are old and expired.

They need to confirm the details are still live without alerting the cardholder that they are a victim of fraud. So they find an ecommerce site with a low bar for security.

Once the criminals have identified a site, computer scripts can then test potentially thousands of card details over and over again until one is found that works.

If your site is being used for this kind of carding, you might see a steep rise in declines or cards registered to an address in one country being used from an IP address in another. 

What are BIN attacks?

Your ecommerce site may also be targeted in a similar type of fraud called a BIN attack. The BIN, or Bank Identification Number, is the first six to eight digits on a debit or credit card. This is the part of the card details that identifies the issuing bank, card scheme and the type of card being used.

Cyber-criminals acquire genuine BINs, through theft, buying lists on the dark web or using publicly available data. They then randomly generate the extra digits needed to make a complete card number, combining expiry dates and CVV numbers. 

Computer scripts can generate thousands of these card numbers and then test them against ecommerce sites to find one that works. It’s known as a brute force attack as it’s fairly low tech, but it can be effective. 

Again, cyber-criminals will often target websites that take low value transactions or services that don’t require an actual transaction. 

As reported above, once a valid card has been identified, it can be used to make fraudulent transactions and purchases until the fraud has been spotted by the cardholder or the issuing bank.

But don’t panic. There are some relatively simple and cost effective methods to protect yourself. 

Securing ecommerce payments

There are two main ways to take payments on your own website: either build your own connection to a payment gateway or use a hosted payment solution.

Using a hosted payment solution means your customers’ sensitive card information is handled by the payment gateway and never touches your servers. 

Because it’s hosted by the gateway provider, security is improved and it is much simpler for you to meet PCI-DSS compliance requirements.  

Improvements in technology now mean the hosted components can look and feel like your website and brand, meaning the customer is much less likely to abandon their purchase at the point of checkout.

The alternative is to fully integrate the gateway into your website, which requires a team of skilled engineers, developers and constant maintenance.

It might give you more flexibility but you will be handling sensitive card data, increasing the risk of a breach and meaning your PCI-DSS compliance requirements will be much higher.

Steps to take to stop carding on your website

You should speak to your developer about introducing security measures across your entire site, not just at the point of payment.

  • Removing the copy and paste function will make it harder for a fraudster to run an automated script that generates these test transactions
  • Introduce machine learning tools or other security methods that track customers' behaviour and spot suspicious activity early in the process
  • Bot detection: Having a complex ‘CAPTCHA’ test on your website could frustrate a fraudster's carding attempts. A ‘CAPTCHA’ is a computer program or system used to tell a human from a bot.

For authorisation-based carding attacks:

  • 3-D Secure: This is the umbrella name for card issuer authentication services like Visa Secure and Mastercard SecureCode, which have been implemented by the card brands to add an additional level of security for online shopping. By implementing 3-D Secure for your ecommerce site, you can fully authenticate the cardholder. This may mean a shift in the liability for chargebacks arising on transactions under certain circumstances, even where the cardholder is not enrolled for 3-D Secure. While 3-D Secure cannot and does not eliminate chargebacks entirely, it does vastly reduce the incidence of fraud
  • Seek out other fraud-management products that your payments gateway provider may have available, which will help identify and block such attacks from happening
  • Address verification service (AVS): Compare the billing address for the transaction with the one registered to the card
  • CVV or CVC: The card verification value or card verification code is the three- or four-digit code on a card. Making customers enter it helps check that the buyer is in possession of the card

For 3DS authentication-based carding attacks:

  • Ask your gateway provider to ensure there are session limits on the 3DS authentication server 
  • Velocity checks: Implementing a BIN level velocity check can restrict the number of transactions or attempts from one IP address
  • Enable an IP blocklist and proactively manage the list with your gateway provider. This can stop cybercriminals accessing your site from an IP address associated with fraud
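The two signals the article describes, a steep rise in declines and a burst of attempts from one IP against one BIN, can be combined into a single sliding-window velocity check. The block below is an added illustration, not Elavon or gateway code; the attempt records, IP addresses and BIN values are constructed placeholders, and the thresholds are assumptions a gateway would tune to its own traffic.

```python
"""Sliding-window velocity check for card-testing and BIN attacks.

Constructed example, not Elavon code. Each attempt carries the source IP,
the BIN (first six digits, the only part of the card number kept here),
a timestamp and the authorisation outcome. A burst of mostly declined
attempts on one BIN from one IP is the signature the article describes.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float      # seconds since epoch (constructed values below)
    ip: str
    bin6: str      # first six digits only; never store the full PAN
    approved: bool


class BinVelocityMonitor:
    """Count attempts per (ip, bin) in a sliding window and flag bursts.
    max_attempts: attempts tolerated per window before the key is flagged.
    min_decline_ratio: most attempts in the window must also be declines,
    so a shopper who retries once or twice after a typo is not flagged.
    """
    def __init__(self, window_s=60.0, max_attempts=5, min_decline_ratio=0.6):
        self.window_s, self.max_attempts = window_s, max_attempts
        self.min_decline_ratio = min_decline_ratio
        self._hist = defaultdict(deque)  # (ip, bin) -> deque of (ts, approved)

    def record(self, a):
        """Add one attempt; return True if this (ip, bin) now looks like testing."""
        q = self._hist[(a.ip, a.bin6)]
        q.append((a.ts, a.approved))
        while q and a.ts - q[0][0] > self.window_s:  # evict attempts outside window
            q.popleft()
        declines = sum(1 for _, ok in q if not ok)
        return len(q) > self.max_attempts and declines / len(q) >= self.min_decline_ratio


def scan(attempts):
    """Replay attempts in time order; return the set of flagged (ip, bin) keys."""
    mon = BinVelocityMonitor()
    return {(a.ip, a.bin6) for a in sorted(attempts, key=lambda x: x.ts) if mon.record(a)}


# Constructed sample: one IP hammering one BIN, plus a genuine shopper who is
# declined once and then approved. IPs are documentation ranges; BIN is a placeholder.
SAMPLE = [Attempt(1000 + i * 2, "203.0.113.7", "412345", i == 9) for i in range(10)] + [
    Attempt(1005, "198.51.100.4", "520000", False),
    Attempt(1020, "198.51.100.4", "520000", True),
]
```

A flagged key is the point at which the gateway would rate-limit the IP, add it to the blocklist for review, or step the session up to 3-D Secure; the decline-ratio guard keeps a legitimate burst of approved purchases from the same office IP from being flagged.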

Speak to your gateway provider about what fraud prevention and detection products they have or partners they recommend. If you are ever in doubt over your payment security, speak to your gateway provider for more information and help.
