Card Testing Attacks: What They Are and How We Keep Your Site Protected
In the last 24 hours, four different OLK9 websites were targeted by card testing bots — a noticeable spike compared to the usual 1–2 incidents we see in a month. If you’ve recently received emails about failed orders or strange payment activity, this post will help explain what’s going on — and what we’re doing about it.
What’s Card Testing?
Card testing is when scammers use stolen credit card numbers to check which ones still work. They do this by attempting small purchases — usually under $5 — on websites with online checkouts like yours. If the card goes through, they know it’s active and can use it elsewhere. If it fails, they move on to the next.
Why Your Site?
Our OLK9 websites often fly under the radar of large e-commerce fraud tools — which makes them more appealing to scammers. Your WooCommerce store allows online payments, and that’s all the bots need to attempt a series of test transactions.
Fortunately, these attempts rarely succeed.
Since most of your services are higher-ticket items, these low-dollar “test” transactions aren’t usually even an option. Card testers aren’t looking to spend $1,200 on training; they’re just trying to verify a stolen card works. Occasionally we’ll see $100 transactions for Consultations, and even more rarely they’ll try to test something more expensive.
How We Protect Your Site
We’ve implemented several security layers to keep your site safe. One of the most effective is a custom plugin that limits each IP address to 4–5 payment attempts per hour. After that, the store temporarily blocks all transactions until the top of the next hour. Most bots give up when they hit that wall.
Beyond that, we also:
- Monitor activity in real time
- Take action within minutes of an attack
- Regularly update blocklists and filters
- Layer in additional fraud tools depending on your processor
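The per-IP hourly limit described above, as an added sketch in Python; it is not the plugin's own code. It assumes a limit of 5 (the top of the stated 4–5 range), that the block applies to the offending address, and that IPv6 clients are counted per /64; all names and the sample attempt log are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

LIMIT = 5  # assumed: upper end of the 4-5 attempts per hour stated above

def client_key(ip: str) -> str:
    """Rate-limit key: IPv4 address as-is, IPv6 collapsed to its /64 (assumption)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)

class HourlyAttemptLimiter:
    """Fixed-window counter keyed by (client, clock hour)."""
    def __init__(self, limit: int = LIMIT):
        self.limit = limit
        self.counts = {}  # (client key, hour start) -> attempts seen

    def check(self, ip: str, now: datetime):
        """Record one payment attempt. Returns (allowed, blocked_until)."""
        hour = now.replace(minute=0, second=0, microsecond=0)
        # Drop counters from earlier hours so the table cannot grow unbounded.
        self.counts = {k: v for k, v in self.counts.items() if k[1] >= hour}
        slot = (client_key(ip), hour)
        self.counts[slot] = self.counts.get(slot, 0) + 1
        if self.counts[slot] > self.limit:
            return False, hour + timedelta(hours=1)  # blocked until top of next hour
        return True, None

def replay(attempts, limit: int = LIMIT):
    """Replay (timestamp, ip) attempts; return rejected-attempt count per client key."""
    limiter = HourlyAttemptLimiter(limit)
    rejected = {}
    for ts, ip in sorted(attempts):
        allowed, _ = limiter.check(ip, ts)
        if not allowed:
            key = client_key(ip)
            rejected[key] = rejected.get(key, 0) + 1
    return rejected

# Constructed sample: one bot submitting every 30 s from a documentation-range IP,
# plus a normal customer who mistypes a card once and retries.
T0 = datetime(2024, 1, 1, 14, 50, tzinfo=timezone.utc)
SAMPLE = [(T0 + timedelta(seconds=30 * i), "203.0.113.7") for i in range(30)]
SAMPLE += [(T0 + timedelta(minutes=2), "198.51.100.20"),
           (T0 + timedelta(minutes=3), "198.51.100.20")]
```

On the sample, `replay(SAMPLE)` returns `{'203.0.113.7': 20}`: 15 rejections before 15:00 and 5 after the counter resets for the new hour, while the retrying customer is never blocked.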
The Bottom Line
Card testing attacks happen across the internet every day. It’s not a reflection on your business, and it doesn’t mean your site has been compromised. Think of it like bots knocking at your digital front door — and us standing right behind it with locks, alarms, and a plan.
If you see failed payment alerts, rest assured: we already know about it and are on top of it. And in almost every case, no harm is done.