Carding in iGaming: How Card Testing Works Through Small Deposits
Casino and betting platforms are a natural target for card testing, because the deposit flow gives fraudsters a fast yes/no answer on whether a stolen card still works. For PSPs and operators, the damage usually shows up later: chargebacks, MID risk scoring, and sometimes an acquirer deciding it has seen enough.
- Why iGaming fits card testing so wellWhen a fraudster has a list of stolen card numbers, the first job is simple: find out which cards are still “live” and not blocked by the issuing bank. That requires a platform where registration is quick, the minimum deposit is small, the transaction is authorized instantly, and a failed attempt does not stand out the way it would on an e-commerce checkout.Casino and betting sites have historically matched that profile almost perfectly, which is why they have been such a common testing ground for carding activity.
- What the pattern looks like in practiceThe classic setup is a burst of small deposits from different cards, often drawn from one stolen batch with nearby numbers and the same BIN group, sent to one account or to a series of newly created accounts over a short period. The attempts often come from the same device or IP range.The goal is not to win or even play. The goal is to get an approved/declined response from the payments stack. If a transaction goes through, the card is working and can be resold for more or used in a larger fraud chain somewhere else.
- Why the operator still pays for itEven when the casino does not lose money on the original deposit, the costs come through several channels. A real cardholder will eventually spot a charge they did not make and dispute it, so a wave of small card tests turns into a wave of future chargebacks.Visa and Mastercard also track card testing patterns at the merchant ID level, which affects the merchant’s risk profile regardless of who caused the activity. And if the acquirer sees a sharp spike in declines across many cards, it can temporarily block payment acceptance for the merchant. That is a classic bank risk signal, and it tends to get attention.
- How the industry catches itFraud teams usually look for short bursts of attempts across a BIN range and IPs, shifts in the approved/declined ratio in real time, and device or behavioral signals that do not look human. The way someone types card details, moves a mouse, or navigates a checkout flow can be very different when the traffic is coming from a bot or script rather than a player.Another basic control is a limit on the number of payment attempts from one device or IP over a given period. It is not glamorous, but it works often enough to stay in the stack.
For high-risk operators, the important point is not that card testing exists — everyone in payments knows that. The point is that iGaming’s deposit mechanics make it especially easy to run, and that means fraud controls have to watch for pattern abuse long before a chargeback file lands on someone’s desk.
Weekly high-risk digest
Regulation, sanctions and payment news across your verticals — once a week, free.
Please check your inbox and click the link to confirm your subscription.
Please enter a valid email address!