Few metrics shape merchant revenue more directly than the payment authorization rate. Authorization rate is the percentage of attempted transactions that a customer's bank approves, and even small dips can mean significant lost sales. One of the biggest unseen threats to those rates is card testing—a tactic where fraudsters use a merchant's checkout to validate stolen credit card numbers.
While card testing doesn't always result in chargebacks, it creates failed transactions that degrade a merchant's trust with banks. This often leads to a lingering drop in authorization rates, meaning legitimate customer payments are unjustly declined long after the attack has stopped.
To solve this, Shopify implemented a proprietary platform-level machine learning model to detect and block these attacks before they ever reach the bank.
By blocking approximately 90% of card testing attacks on guest credit card checkouts (which are the main card-testing attack vector), this model helped merchants get 13% more of their legitimate sales approved by banks. Here's how Shopify's unique approach to fraud intelligence protects your authorization rates without adding friction for real buyers.
Key takeaways
- Card testing damage is indirect but costly. The real cost isn't failed transactions—it's months of degraded trust with banks and soft declines on legitimate customers.
- Platform-scale signals matter. Attacks that look distributed to individual processors are obvious when you can see patterns across millions of merchants.
- Smart intervention preserves conversions. By targeting high-risk attempts before they hit the network, Shopify blocks 90% of card testing attacks and delivers a 13% lift in authorization rates—protecting merchant revenue without adding friction for real buyers.
Why traditional defenses fall short
Attackers have evolved, even as payment networks have deployed increasingly robust card testing models. They've abandoned easily detectable, brute-force tactics—like hundreds of attempts per minute from a single IP address—in favor of sophisticated, distributed campaigns.
Today's attackers spread low-volume attempts across thousands of distinct merchants and route their traffic through residential proxies. These networks of real home internet connections (often everyday consumer devices) make automated fraud traffic appear to originate from legitimate shoppers, rather than from data centers or known bad IPs. The result: Each individual attempt looks like a plausible customer, meticulously mimicking authentic transaction patterns.
Payment networks are structurally disadvantaged against these tactics. They only enter the picture at the moment of authorization—the final step in a long buyer journey. This means they have no visibility into how a shopper arrived at checkout, what they did on the storefront, or how their behavior compares to legitimate buyers. With only the transaction payload to work with, networks must lean on aggregated, lagging signals (e.g., decline rate spikes, BIN-level patterns, chargeback feedback loops) that take time to materialize. By the time those signals trigger a response, the damage to a merchant's authorization profile is already done.
Shopify's advantage: Platform-level detection
Shopify has a uniquely holistic view of commerce. We see everything about the traffic flowing through a merchant's store, from the moment a visitor lands on the site to the moment they click "pay."
To combat distributed card testing, we engineered a proprietary machine learning model that scores every payment attempt before it touches the processor—exclusively available to merchants using Shopify Payments. This preemptive system uses a supervised machine learning model, trained on historical, network-level fraud patterns, to analyze signals across three deep, proprietary dimensions:
- Behavioral patterns. How does this attempt compare to legitimate buyer behavior? Velocity, timing, and interaction patterns distinguish good-intent orders from malicious attacks.
- Network-level signals. Patterns visible only at Shopify's scale—cross-merchant and cross-processor activity, device fingerprints, and infrastructure indicators that reveal coordinated attacks.
- Transaction context. The combination of payment method, merchant category, and buyer history that helps distinguish a first-time customer from a fraudster testing cards.
When the model flags a high-risk attempt, we intervene before the transaction reaches the payment network—stopping bad actors while giving legitimate customers a path to complete their purchase.
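An added illustration of the cross-merchant point above, not Shopify's model (which the article describes as a proprietary supervised ML model): a plain threshold heuristic over constructed checkout attempts, where the event fields, the device-fingerprint join key and the thresholds are all assumptions. It shows a distributed run staying under every per-merchant limit while standing out once attempts are grouped across merchants.

```python
from collections import defaultdict

# Constructed sample guest-checkout attempts (not real data):
# (merchant, device_fingerprint, card_token, approved)
ATTEMPTS = [
    ("shop-a", "fp-111", "card-01", False),  # distributed run: one card per store
    ("shop-b", "fp-111", "card-02", False),
    ("shop-c", "fp-111", "card-03", False),
    ("shop-d", "fp-111", "card-04", True),
    ("shop-e", "fp-111", "card-05", False),
    ("shop-a", "fp-222", "card-20", False),  # real buyer: one decline, then a retry
    ("shop-a", "fp-222", "card-20", True),
    ("shop-b", "fp-333", "card-30", True),   # real buyer shopping at two stores
    ("shop-c", "fp-333", "card-30", True),
]

MIN_CARDS = 3  # assumed threshold: distinct cards tried from one device


def per_merchant_flags(attempts, min_cards=MIN_CARDS):
    """Single-store view: distinct cards per device on that store only."""
    cards = defaultdict(set)
    for merchant, fp, card, _approved in attempts:
        cards[(merchant, fp)].add(card)
    return {key for key, seen in cards.items() if len(seen) >= min_cards}


def platform_flags(attempts, min_cards=MIN_CARDS, min_merchants=3, min_decline=0.5):
    """Cross-merchant view: same device, many cards, many stores, mostly declines."""
    stats = defaultdict(lambda: {"cards": set(), "merchants": set(), "n": 0, "declined": 0})
    for merchant, fp, card, approved in attempts:
        s = stats[fp]
        s["cards"].add(card)
        s["merchants"].add(merchant)
        s["n"] += 1
        s["declined"] += not approved
    return {
        fp for fp, s in stats.items()
        if len(s["cards"]) >= min_cards
        and len(s["merchants"]) >= min_merchants
        and s["declined"] / s["n"] >= min_decline
    }


if __name__ == "__main__":
    print("per-merchant flags:", per_merchant_flags(ATTEMPTS))
    print("platform flags:", platform_flags(ATTEMPTS))
```

The legitimate buyers (a retry after a decline, one card used at two stores) stay unflagged in both views because the platform rule requires all three conditions together.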
Results: Higher auth rates and protected GMV
By intercepting these attacks early, we ensure that only the safest, highest-quality traffic is sent to processors and the customer's bank:
- 90% attack interception. Our model catches 90% of card testing attacks. This means far fewer fraudulent attempts ever reach the point where they can damage a merchant's risk profile.
- 13% authorization rate improvement. By keeping merchant trust high with banks, we boosted legitimate payment success rates by 13%.
For legitimate buyers, the impact is invisible. Malicious traffic is effectively mitigated without any adverse impact on legitimate business or authentic revenue.



