
Credit Card Testing (Carding): A Growing Risk for Not-for-Profit Organizations

By Rick Shields, CPA, Principal at Blue & Co.

Not-for-profit organizations that accept donations through their websites face a relatively new risk: credit card testing (also known as “carding”). If your site allows visitors to click a link and then donate with a credit card, bad actors may use automated software (“bots”) to test stolen card information, often sourced from the dark web, to identify which cards are still active.

It’s a fairly simple process, but it leaves the not-for-profit with a huge bill to pay.

How It Works

The bad actor clicks the “Donate Here” link and then uses a bot to automatically enter credit card numbers and related contact information, including name, address, and the card verification value (CVV) number. The bot can enter millions of cards, each attempting to donate a small amount to the not-for-profit. Each time a donation goes through, the card is flagged as active, and the bad actor proceeds accordingly.

Of course, most transactions are denied, and if one goes through, the not-for-profit receives a small donation. So what’s the risk? Each declined transaction still generates a small charge to the organization.

The charge is small enough that in the normal course of business, you wouldn’t notice it. In a carding scenario, it becomes significant. It can exceed $100,000, and the not-for-profit has little to no recourse against the credit card companies once it has occurred.

Credit card companies may charge additional fees based on the volume of declined transactions.

Mitigation Strategies to Consider

CAPTCHA Controls

Implement Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges to help prevent bots from accessing donation sites. This is not foolproof and can be circumvented by having humans solve the CAPTCHA and then hand the data entry over to a bot. Also, CAPTCHA may be bypassed if the bot’s code is sophisticated enough.

User Account Requirements

Require the potential donor to set up a user account to make a donation. The user account will have an email address. The website sends an activation code to the email address, and then the user can proceed. This adds friction to the process, though determined actors may still find ways to bypass it.

Limit Transaction Attempts

Implement the user account requirement above, but limit the number of declines per user. This requires the bad actor to set up separate user accounts with distinct email addresses, each with the ability to enter only a few credit card numbers before the user’s account is locked, and the process has to be repeated.
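
One way to implement the per-account decline limit described above, as an added example that is not from the original article. The threshold of three declines, the one-hour window, the account ids and the `charge` callable standing in for the payment gateway are all assumptions. The check runs before the gateway is called, so a locked account generates no further decline charges.

```python
import time
from collections import defaultdict, deque

MAX_DECLINES = 3        # assumed threshold: declines allowed before lockout
WINDOW_SECONDS = 3600   # assumed window in which declines are counted


class DeclineLimiter:
    """Tracks declined donations per user account and locks repeat offenders."""

    def __init__(self, max_declines=MAX_DECLINES, window=WINDOW_SECONDS,
                 clock=time.time):
        self.max_declines = max_declines
        self.window = window
        self.clock = clock
        self._declines = defaultdict(deque)  # account id -> decline timestamps
        self._locked = set()

    def is_locked(self, account_id):
        return account_id in self._locked

    def record_decline(self, account_id):
        now = self.clock()
        recent = self._declines[account_id]
        recent.append(now)
        # Drop declines that have aged out of the counting window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_declines:
            self._locked.add(account_id)  # stays locked until staff review


def attempt_donation(limiter, account_id, card, charge):
    """`charge` is a hypothetical gateway call returning True when approved."""
    if limiter.is_locked(account_id):
        return "locked"  # gateway is never contacted, so no decline fee
    if charge(card):
        return "approved"
    limiter.record_decline(account_id)
    return "declined"


def simulate(n_cards):
    """Constructed scenario: one account submits n_cards cards, all declined."""
    limiter, gateway_calls = DeclineLimiter(), []

    def charge(card):
        gateway_calls.append(card)
        return False

    results = [attempt_donation(limiter, "acct-1", f"card-{i}", charge)
               for i in range(n_cards)]
    return results, len(gateway_calls)
```
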

A Broader Cybersecurity Consideration

The issue of carding can be incorporated into a not-for-profit’s overall cybersecurity risk assessment and response. Organizations may sometimes overlook front-facing web pages and focus on the security of internal networks. All are elements of electronic transmission and data storage that need to be protected.

We’re Here to Help 

If you have questions about your website security or overall cybersecurity strategy, reach out to your local Blue & Co. advisor. We can help assess your current environment and connect you with the team at Blue Pioneer Consulting to identify practical steps to strengthen your defenses.
