Card testing is a common attack on WooCommerce stores: bots submit many small orders to check stolen card numbers against your checkout. Beyond the fraud itself, it triggers processor fees and can harm your merchant standing. These defenses stop it.
Your payment processor has built-in fraud controls - address verification (AVS), card security code (CVV) checks, and machine-learning risk scoring. Enable them. They reject a large share of stolen-card attempts before an order completes.
3-D Secure adds an issuer-side verification step (such as a one-time code) to card payments. It shifts liability and blocks most automated card testing, which cannot pass the extra challenge.
A CAPTCHA on the checkout and account pages stops the bots that drive card testing, since they cannot solve it at scale. Modern invisible challenges add little friction for real customers.
Limit how many payment attempts an IP can make in a short window, and use a web application firewall to block sources showing attack patterns. A sudden burst of failed payments from one IP or region is the signature to watch for.
Monitor for an unusual rise in failed or tiny orders. Catching a card-testing run early - and temporarily tightening checkout - limits the damage and the processor fees.
If attacks persist, requiring an account (with email verification) for checkout raises the effort for bots. Balance this against the friction it adds for genuine buyers.
On SoftSys managed WooCommerce hosting, a web application firewall and preemptive security sit in front of your store, blocking much of this automated abuse before it reaches checkout.