
Credit Card Testing (Carding): A Growing Risk for Not-for-Profit Organizations

By Rick Shields, CPA, Principal at Blue & Co.

Not-for-profit organizations that accept donations through their websites face a relatively new risk: credit card testing (also known as “carding”). If your site allows visitors to click a link and then donate with a credit card, bad actors may use automated software (“bots”) to test stolen card information, often sourced from the dark web, to identify which cards are still active.

It’s a fairly simple process, but it leaves the not-for-profit with a huge bill to pay.

How It Works

The internet visitor clicks the “Donate Here” link and then begins an automated process using a bot to enter credit card numbers and related contact information, including name, address, and the card verification value (CVV) number. The bot can enter millions of cards, each attempting to donate a small amount to the not-for-profit. For each instance a donation goes through, the card is flagged as active, and the bad actor proceeds accordingly.

Of course, most transactions are denied, and if one goes through, the not-for-profit receives a small donation. So what’s the risk? Each declined transaction still generates a small charge to the organization.

The charge is small enough that in the normal course of business, you wouldn’t notice it. In a carding scenario, it becomes significant: the total can exceed $100,000, and the not-for-profit has little to no recourse against the credit card companies once it has occurred.

Credit card companies may charge additional fees based on the volume of declined transactions.

Mitigation Strategies to Consider

CAPTCHA Controls

Implement CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenges to help prevent bots from accessing donation sites. This is not foolproof: it can be circumvented by having humans solve the CAPTCHA and then hand the data entry over to a bot. CAPTCHA may also be bypassed if the bot’s code is sophisticated enough.

User Account Requirements

Require the potential donor to set up a user account to make a donation. The user account will have an email address. The website sends an activation code to the email address, and then the user can proceed. This adds friction to the process, though determined actors may still find ways to bypass it.

Limit Transaction Attempts

Implement the user account requirement described above, but also limit the number of declines per user. This forces the bad actor to set up separate user accounts with distinct email addresses, each able to enter only a few credit card numbers before the account is locked and the process has to be repeated.
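
The Python example below is added here and is not code from the article or from Blue & Co. It combines the email-activated account with a per-account decline cap, and shows that a locked account never reaches the payment processor, so it generates no further decline fees. The names DonationGate and charge, and the threshold of three declines, are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_DECLINES = 3  # assumed threshold; the article only says "a few"

@dataclass
class Account:
    activation_code: str
    activated: bool = False
    declines: int = 0
    locked: bool = False

class DonationGate:
    """Gate card submissions behind an activated account with a decline cap."""

    def __init__(self, max_declines=MAX_DECLINES):
        self.max_declines = max_declines
        self.accounts = {}

    def register(self, email):
        key = email.lower()
        if key in self.accounts:
            # Re-registering must not reset the decline count or the lock.
            raise ValueError("email already registered")
        # In production the code is emailed to the donor; it is returned
        # here only so the example runs offline.
        code = secrets.token_urlsafe(16)
        self.accounts[key] = Account(code)
        return code

    def activate(self, email, code):
        acct = self.accounts.get(email.lower())
        # Constant-time comparison of the submitted activation code.
        if acct and hmac.compare_digest(acct.activation_code.encode(), code.encode()):
            acct.activated = True
        return bool(acct and acct.activated)

    def donate(self, email, charge):
        # charge is a hypothetical stand-in for the payment processor call:
        # it returns True when the card is approved, False when declined.
        acct = self.accounts.get(email.lower())
        if acct is None or not acct.activated:
            return "activation_required"
        if acct.locked:
            return "locked"  # refused before the processor is contacted
        if charge():
            return "approved"
        acct.declines += 1
        if acct.declines >= self.max_declines:
            acct.locked = True
        return "declined"
```

The decline count is cumulative and is not reset by an approved donation, so a locked account needs a manual review step to be reopened.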

A Broader Cybersecurity Consideration

The issue of carding can be incorporated into a not-for-profit’s overall cybersecurity risk assessment and response. Organizations may sometimes overlook front-facing web pages and focus on the security of internal networks. All are elements of electronic transmission and data storage that need to be protected.

We’re Here to Help 

If you have questions about your website security or overall cybersecurity strategy, reach out to your local Blue & Co. advisor. We can help assess your current environment and connect you with the team at Blue Pioneer Consulting to identify practical steps to strengthen your defenses.
