Card testing is a billing problem before it's a fraud problem
Everyone treats card testing as fraud to be scored. By the time your fraud tool weighs in, the network has already charged you. Here's where the money actually leaks.
Most teams meet card testing through their fraud stack: a wave of small authorizations rolls in, the model flags them, and someone opens a dashboard. That framing is the problem. By the time a fraud score exists, the authorization has already left your server and reached the card network — and the network has already started charging you.
Card testing is a billing event first. The fraud is downstream.
Where the money leaks
The costs that matter aren’t chargebacks. They stack per attempt, before any transaction settles:
- Visa APF — $0.0195 on every authorization, approved or declined.
- Mastercard NABU — $0.0195, same rule.
- Visa Misuse-of-Authorization — $0.09 on auths not followed by a settlement. Recently tripled.
- Enumeration penalties — programs like VAMP add per-dispute fees once your ratio crosses a threshold.
A 100,000-attempt wave is roughly $13,000+ in stacked per-attempt fees before you count a single chargeback. None of it shows up where fraud teams look.
The authorization is the product the network sells you. Card testing makes you buy a hundred thousand units you never wanted.
Why scoring after the fact can’t fix it
A gateway-native tool — Radar and friends — scores the request after it has reached the network. That’s useful for deciding whether to capture, but the authorization fee is already incurred. You can block the charge and still pay for the attempt.
The only place to stop the bleeding is in front of the gateway:
internet ──▶ [ cardvera edge ] ──▶ your gateway
classify · decide only real traffic
< 15 ms no auth fees on blocked attemptsIf the request never becomes an authorization, there’s no APF, no NABU, no misuse fee, no enumeration ratio to defend.
The mental model shift
Stop asking “is this transaction fraudulent?” and start asking “should this ever become an authorization at all?” The first question is a fraud problem you answer too late. The second is a billing problem you answer at the edge, in single-digit milliseconds, before the meter starts.
That shift — from scoring fraud to preventing the auth — is the entire reason Cardvera sits where it does.