
Card testing fraud

Malicious third parties may try to use your website to determine if stolen credit card details are valid. They try many small payments using different credit card numbers and expiry dates. The approved cards are then used to defraud another merchant for a larger amount. This is called "card testing".

Websites with minimal validation rules that allow an attacker to try many credit card numbers are often targets. This can include websites used for making donations or paying invoices.

Protect against card testing

If you make card testing difficult, your website is less likely to be a target.

If you are using the PayWay REST API or classic API and your payment website is generally available on the Internet you must:

You can also:

  • Validate the payment reference number has an outstanding balance
  • Set a minimum payment amount
  • Use 3D Secure
  • Use PayWay Fraud Guard
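
As an added example (not PayWay code), the first two optional controls can be run as a server-side check before any card details reach the gateway, alongside a detector for the many-cards-from-one-source pattern described above. The reference numbers, thresholds, function names and attempt records are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed merchant policy values, not PayWay settings.
MIN_PAYMENT = Decimal("10.00")
MAX_CARDS_PER_SOURCE = 3
WINDOW_SECONDS = 600

# Constructed sample data: outstanding balance per payment reference number.
OUTSTANDING = {"INV-1001": Decimal("250.00"), "INV-1002": Decimal("0.00")}
# Constructed attempts: (unix_time, source, card_fingerprint). The fingerprint
# stands for a keyed hash or gateway token, never the card number itself.
ATTEMPTS = [(1000 + 20 * i, "203.0.113.7", f"fp{i}") for i in range(6)] + [
    (1000, "198.51.100.4", "fpA"), (1300, "198.51.100.4", "fpA")]

def precheck(reference, amount, outstanding=OUTSTANDING, minimum=MIN_PAYMENT):
    """Return (accepted, reason) before the payment is submitted."""
    balance = outstanding.get(reference)
    if balance is None or balance <= 0:
        # Same answer for unknown and settled references, so the form
        # cannot be used to enumerate valid reference numbers.
        return False, "reference_not_payable"
    if amount < minimum:
        return False, "below_minimum"
    if amount > balance:
        # Assumption added here: overpayments are not accepted.
        return False, "exceeds_balance"
    return True, "ok"

def card_testing_sources(attempts, window=WINDOW_SECONDS,
                         limit=MAX_CARDS_PER_SOURCE):
    """Return sources that tried more than `limit` distinct cards
    within any `window`-second span."""
    by_source = defaultdict(list)
    for ts, source, card in sorted(attempts):
        by_source[source].append((ts, card))
    flagged = set()
    for source, events in by_source.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({card for _, card in events[start:end + 1]}) > limit:
                flagged.add(source)
                break
    return flagged
```
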



The information contained in this publication is provided for learning purposes only and is subject to change. Revisions may be issued from time to time that encompass changes or additions to this module.

This is a guide only and it is not comprehensive. It does not impinge on or overrule any formal arrangement you may enter into with the Bank. The Bank and its officers shall not have any liability for any losses of any kind incurred in connection with any action, inaction or decision taken in reliance on the information herein or for any inaccuracies, errors or omissions. In this publication references to the "Bank" are to Westpac Banking Corporation ABN 33 007 457 141 and to any of its operating Divisions, including BankSA and St.George.