Pre-gateway card testing prevention for merchants. Block BIN attacks, velocity probes, and enumeration before your gateway charges you the authorization fee.
Card testing traffic hits Cardvera at the edge. We classify, score, and decide in under 15 ms — then forward only what's real to your gateway. Your processor never sees the noise.
It's not the chargebacks. By the time those show up, your processor has already noticed. The real cost stacks before any of that — per attempt, on every BIN your gateway sees.
A 100,000-attempt wave adds roughly $13,000+ in stacked per-attempt fees before chargeback losses or VAMP penalties. Gateway-native tools score after the attempt has already reached the network. Cardvera doesn't.
A signed beacon fires from checkout before the auth call leaves your server. The edge scores it against velocity, BIN, geo, and device signals — then your gateway only sees the requests we let through.
Mouse path, keystroke rhythm, field timing, TLS & network fingerprint, BIN distribution, and merchant velocity windows — combined locally, transmitted as a signed beacon. No PII leaves the browser.
~2 ms client
Allow, step-up, or block. The step-up is a silent proof-of-work the browser solves in the background — real customers never see it, bot farms pay the cost. False positives stay under 0.02%.
<15 ms verdict
Your backend pulls the verdict over an authenticated server-to-server call before charging the card. Single-use, expires in 10 minutes. The client never sees the score — bots can't manipulate what they can't observe.
1 API call
Six independent detection layers — plus a feedback loop that turns real transaction outcomes into new block rules. A sophisticated bot might beat one or two. Beating all six at once, while staying ahead of rules that rewrite themselves from ground truth, isn't worth the cost.
Datacenter origins (AWS, GCP, DigitalOcean), residential-proxy networks, and IPs carrying prior abuse history — the rented infrastructure card testing runs on.
Headless browsers, Puppeteer / Playwright / Selenium automation, tampered runtimes, and spoofed or physically impossible device fingerprints.
Robotic cursor paths and missing micro-corrections, instant paste, uniform inter-key timing, ghost clicks, and sub-human form-completion times.
Scripted replays, token reuse across browsers, session hijacking, and signals that don't hang together across a single session.
High-velocity probing on shared BIN prefixes, low-amount enumeration, and coordinated bursts across cards, IPs, and devices.
A silent background challenge — free for one real customer, a real CPU cost per attempt for a farm running thousands. Makes scale the attacker's problem, not yours.
The layer for the bot that beats everything else. We ingest each transaction's real disposition — declines, $0-auth outcomes, chargebacks, refunds — and turn confirmed-bad patterns into automatic block rules. When a perfect mimic slips through once, its own outcome trains the edge to stop the next one.
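The BIN-velocity layer in the list above (high-velocity probing on shared BIN prefixes, low-amount enumeration, coordinated bursts across cards and IPs) can be sketched as a sliding-window detector. This is an added example, not Cardvera's code; the record fields, thresholds and sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds for illustration; tune them against your own traffic.
WINDOW_SECONDS = 60
MAX_CARDS_PER_BIN = 5        # distinct cards per BIN inside one window
LOW_AMOUNT_CENTS = 200       # "low-amount" cut-off
LOW_AMOUNT_RATIO = 0.8       # share of low-amount attempts that signals enumeration

@dataclass(frozen=True)
class Attempt:
    ts: int            # epoch seconds
    bin6: str          # first six digits only, never the full PAN
    card_fp: str       # opaque per-card fingerprint (assumed field)
    ip: str
    amount_cents: int

def detect_bin_probing(attempts):
    """Return one (ts, bin6, reason) alert per burst on a BIN prefix."""
    windows = defaultdict(deque)   # bin6 -> attempts inside the sliding window
    alerting = set()               # BINs already alerted for the current burst
    alerts = []
    for a in sorted(attempts, key=lambda x: x.ts):
        w = windows[a.bin6]
        w.append(a)
        while a.ts - w[0].ts > WINDOW_SECONDS:   # expire old attempts
            w.popleft()
        hot = len({x.card_fp for x in w}) > MAX_CARDS_PER_BIN
        if not hot:
            alerting.discard(a.bin6)             # burst over, re-arm the alert
            continue
        if a.bin6 in alerting:
            continue
        alerting.add(a.bin6)
        low = sum(x.amount_cents <= LOW_AMOUNT_CENTS for x in w) / len(w)
        reason = "low-amount enumeration" if low >= LOW_AMOUNT_RATIO else "bin velocity"
        if len({x.ip for x in w}) > 1:
            reason += " (distributed)"
        alerts.append((a.ts, a.bin6, reason))
    return alerts

# Constructed sample: 8 distinct cards on one BIN in 16 s from 3 IPs at $1.00,
# plus three ordinary purchases on another BIN.
SAMPLE = [Attempt(1000 + 2 * i, "411111", f"card{i}", f"203.0.113.{i % 3}", 100)
          for i in range(8)]
SAMPLE += [Attempt(1005, "550000", "cardA", "198.51.100.7", 4599),
           Attempt(1030, "550000", "cardB", "198.51.100.8", 12900),
           Attempt(1090, "550000", "cardC", "198.51.100.9", 2500)]
```

Keying the window on the six-digit prefix rather than on IP is what catches a burst spread across many source addresses; the alert fires on the sixth distinct card and stays quiet until the burst ends.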
We don't replace your fraud stack. We sit in front of it, take the card-testing hits, and let everything downstream do what it's actually good at.
Real customers never see a challenge. No fire hydrants, no traffic lights, no "I'm not a robot" friction on the order form. The entire assessment is silent.
Fraud scoring runs after the transaction and tells you what went wrong. Cardvera runs before authorization and prevents the request from leaving your server.
No IP blocklists to maintain, no velocity rules to tune, no manual thresholds. The model adapts to your traffic. You stay focused on selling, not threshold-chasing.
Radar is gateway-native — it scores after the authorization request has already reached the network. That means Visa APF, Mastercard NABU, and Misuse-of-Authorization fees are charged whether Radar blocks or not. Cardvera sits in front of Stripe, takes card-testing hits before they become auth attempts, and forwards clean traffic to Radar to do general fraud scoring. We coexist with your fraud stack; we don't replace it.
Different problem, different vendor. Cardvera doesn't offer a chargeback guarantee — card testing's primary cost is per-attempt authorization fees and VAMP exposure, not chargeback dollar losses. If you also need chargeback indemnification, pair us with NoFraud, Signifyd, or your processor's own coverage. We're priced to coexist.
One script tag on the checkout page, one server-side verdict call before you charge the card. Median time-to-first-block in private beta has been under an hour. No SDKs, no model training, no review queues to staff. If your fraud team is one person who already wears another hat, we're built for that.
Under 0.02% in private beta, measured against settled-and-shipped orders flagged. The step-up challenge absorbs ambiguous sessions — real customers solve it invisibly, attackers eat the CPU cost. We'd rather challenge a borderline session than block a real customer; false positives cost more than a missed bot.
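The cost asymmetry behind the silent step-up can be shown with a hashcash-style proof-of-work. This is an added sketch, not Cardvera's implementation: the page does not say which scheme is used, and the challenge format, difficulty, TTL and all function names here are assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # per-deployment secret (constructed for the demo)
DIFFICULTY_BITS = 12          # assumed; about 2**12 hashes expected per solve
CHALLENGE_TTL = 120           # seconds a challenge stays valid (assumed)
_spent = set()                # challenges already redeemed (single use)

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def _zero_bits(challenge, counter):
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(session_id, now=None):
    """Server: stateless challenge bound to the session and issue time."""
    ts = int(time.time() if now is None else now)
    body = f"{session_id}:{ts}:{os.urandom(8).hex()}"
    return f"{body}:{_tag(body)}"

def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force the first counter whose hash has `bits` leading zeros."""
    counter = 0
    while _zero_bits(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, session_id, now=None, bits=DIFFICULTY_BITS):
    """Server: one HMAC and one hash, however long the client worked."""
    now = time.time() if now is None else now
    parts = challenge.rsplit(":", 3)
    if len(parts) != 4:
        return False
    sid, ts, nonce, tag = parts
    if not hmac.compare_digest(tag.encode(), _tag(f"{sid}:{ts}:{nonce}").encode()):
        return False                      # forged or altered challenge
    if sid != session_id or now - int(ts) > CHALLENGE_TTL:
        return False                      # wrong session or expired
    if challenge in _spent or _zero_bits(challenge, counter) < bits:
        return False                      # replayed, or work not done
    _spent.add(challenge)
    return True
```

Each extra difficulty bit doubles the client's expected work while verification stays constant. A production version would also expire entries in the spent set once their TTL has passed.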
No. The browser library never reads form field contents. We classify on behavior, timing, network signals, and BIN prefixes derived from the first six digits when needed for velocity windows. Full PANs, CVVs, and expiry dates stay between your checkout and your gateway. SOC 2 Type II in progress.
Cardvera is gateway-agnostic — the verdict call returns a simple allow/step-up/block to your backend, and you decide whether to call Stripe, Adyen, Checkout.com, Braintree, Worldpay, or anything else. Native helpers for Stripe and Adyen ship at GA. Other gateways: a generic HTTP integration that's been tested against Authorize.net, Checkout.com, and several PSPs in private beta.
Flat monthly SaaS — no per-transaction fees, no percent-of-GMV billing. Tiers by monthly authorization volume. Public pricing at GA. Beta customers get founder pricing locked for 24 months.
Private beta is open through Q3 2026. Founding customers get integration support, weekly office hours with the engineering team, and pricing locked for 24 months from GA.