Cardvera decides in under 15 ms by combining six independent detection layers across the browser and the edge — then closes the loop with an adaptive backstop that learns from what actually happened to each transaction.
One checkout request, start to finish: signals gathered in the browser, a verdict at the edge in single-digit milliseconds, a conditional silent challenge, a server-to-server pull before the card is charged — and the disposition flowing back to sharpen the next decision.
No layer is perfect on its own; we say so. Each one narrows the field and hands the rest to the next — which is exactly why beating one or two gets you nowhere.
Datacenter origins (AWS, GCP, DigitalOcean), residential-proxy networks, and IPs carrying prior abuse history — the rented infrastructure card testing runs on.
Headless browsers, Puppeteer / Playwright / Selenium automation, tampered runtimes, and spoofed or physically impossible device fingerprints.
Robotic cursor paths and missing micro-corrections, instant paste, uniform inter-key timing, ghost clicks, and sub-human form-completion times.
Scripted replays, token reuse across browsers, session hijacking, and signals that don't hang together across a single session.
High-velocity probing on shared BIN prefixes, low-amount enumeration, and coordinated bursts across cards, IPs, and devices.
Bot farms operating at scale — a silent background challenge that's free for one real customer but a real CPU cost per attempt for a farm running thousands.
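The BIN-prefix velocity signal listed above can be pictured as a sliding-window check over authorization attempts. This is an added example, not Cardvera's code; the thresholds, field names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; none of these values come from the page.
WINDOW_S = 60      # sliding window length, seconds
MAX_ATTEMPTS = 5   # low-amount attempts per BIN prefix tolerated per window
LOW_AMOUNT = 2.00  # amounts at or below this count as low-amount probes
MIN_CARDS = 4      # distinct card tokens needed to call it enumeration


def flag_bin_bursts(events):
    """Flag BIN prefixes with a fast, low-amount burst spread over many cards.

    events: iterable of (ts_seconds, bin_prefix, card_token, ip, amount),
    sorted by timestamp. card_token is an opaque token, never a card number.
    Returns {bin_prefix: {"flagged_at", "cards", "ips"}} at first detection.
    """
    windows = defaultdict(deque)  # bin_prefix -> recent low-amount attempts
    flagged = {}
    for ts, bin_prefix, card, ip, amount in events:
        if amount > LOW_AMOUNT:
            continue  # ordinary order sizes do not feed this rule
        win = windows[bin_prefix]
        win.append((ts, card, ip))
        # Evict attempts that have aged out of the window.
        while win and ts - win[0][0] > WINDOW_S:
            win.popleft()
        cards = {c for _, c, _ in win}
        ips = {i for _, _, i in win}
        # One customer retrying one card stays below MIN_CARDS and is ignored.
        if (bin_prefix not in flagged and len(win) > MAX_ATTEMPTS
                and len(cards) >= MIN_CARDS):
            flagged[bin_prefix] = {"flagged_at": ts, "cards": len(cards),
                                   "ips": len(ips)}
    return flagged


# Constructed sample: a burst on one prefix rotating cards and IPs every 3 s,
# plus ordinary traffic on a second prefix.
SAMPLE = sorted(
    [(i * 3, "411111", f"tok{i}", f"203.0.113.{i}", 1.00) for i in range(8)]
    + [(5, "550000", "tokA", "198.51.100.7", 49.99),
       (40, "550000", "tokB", "198.51.100.8", 1.00),
       (300, "550000", "tokC", "198.51.100.9", 1.50)]
)

if __name__ == "__main__":
    print(flag_bin_bursts(SAMPLE))
```
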
The six real-time layers exist to make a bad first attempt rare. The feedback loop guarantees the second one fails: ground truth — what actually happened to the transaction — becomes the next block rule.
We ingest each transaction's real disposition and mine it for confirmed-bad patterns. A mimic that slips through once trains the edge to stop the next one — automatically, without a human writing a rule.
Auth declines, $0-auth outcomes, and decline-reason codes — the earliest tells that a tested card was never going to settle.
What actually captured and shipped vs. what was immediately refunded — separating real orders from test traffic.
Confirmed fraud disputes, weeks later, that retroactively label a pattern as bad and feed the rule engine.
Your own confirmed-fraud and confirmed-good flags, weighted highest — the model adapts to your traffic, not a generic baseline.
Card testing is a volume business with thin margins per card. Our job isn't to be unbeatable — it's to make beating us cost more than it returns.
The layers are independent, so an attacker has to defeat all six simultaneously on every attempt. The moment one succeeds, its transaction resolves — and the feedback loop turns that success into a rule that closes the gap. The attacker isn't fighting a fixed target; they're fighting one that rewrites itself from their own failures. Against thin per-card economics, that's a losing trade.
Verdicts render at the edge in under 15 ms — in front of your gateway, never adding a round-trip to checkout.
The browser library never reads card fields. We classify on behavior, network, and BIN prefixes — full card data stays between you and your gateway.
A simple allow / step-up / block verdict. Call Stripe, Adyen, Checkout.com, or anything else after.
Type II underway. Single-use, short-lived verdicts; secrets never leave your tenant.
Drop the SDK on checkout, pull the verdict server-side before you charge. Median time-to-first-block in private beta has been under an hour.