ASA Standard
Production Foundation · Not in Phase 1

Card Testing Protection

Billing Safety · BIL-23 · Priority: P1

Why It Matters

Card testing is an automated attack where fraudsters use your checkout flow to validate thousands of stolen credit card numbers. They submit small charges ($0.50–$1) through your Stripe integration to see which cards are active — then sell the validated cards on the dark web.

Each failed attempt costs you a Stripe dispute fee of $15. A card testing attack can generate hundreds of failed charges in minutes, costing you thousands in fees and potentially getting your Stripe account flagged or suspended.

AI-built apps are prime targets because they typically have no rate limiting, no CAPTCHA, and publicly accessible checkout endpoints.

Priority: P1 — Financial loss + Stripe account risk.

Affected Stack: Any framework with Stripe Checkout or Payment Intents


The Problem

AI tools create a checkout endpoint that accepts requests without any rate limiting, bot detection, or velocity checks.

// ❌ No protection — bots can hit this endpoint thousands of times
import Stripe from 'stripe';

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

export async function POST(req: Request) {
  const { priceId } = await req.json();
  const session = await stripe.checkout.sessions.create({
    line_items: [{ price: priceId, quantity: 1 }],
    mode: 'payment',
    success_url: `${process.env.APP_URL}/success`, // required by hosted Checkout in payment mode
  });
  return Response.json({ url: session.url });
}

The Fix

Layer multiple protections:

1. Rate limit the checkout endpoint

// ✅ Rate limiting with IP-based throttle
import { Ratelimit } from '@upstash/ratelimit';
import { Redis } from '@upstash/redis';

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(), // reads UPSTASH_REDIS_REST_URL / UPSTASH_REDIS_REST_TOKEN
  limiter: Ratelimit.slidingWindow(5, '1 m'), // 5 requests per minute per key
});

export async function POST(req: Request) {
  // X-Forwarded-For may carry a chain ("client, proxy1, proxy2"); key on the client entry.
  // The header is client-supplied, so prefer the address your own proxy or platform sets when available.
  const ip = req.headers.get('x-forwarded-for')?.split(',')[0].trim() ?? '127.0.0.1';
  const { success, reset } = await ratelimit.limit(ip);
  if (!success) {
    // reset is a unix timestamp in ms; tell well-behaved clients when to retry
    const retryAfter = Math.max(1, Math.ceil((reset - Date.now()) / 1000));
    return new Response('Too many requests', {
      status: 429,
      headers: { 'Retry-After': String(retryAfter) },
    });
  }
  // ... proceed with checkout
}

2. Require authentication before checkout

// ✅ Only authenticated users can create checkout sessions
export async function POST(req: Request) {
  // getAuthenticatedUser is your app's own session/JWT lookup, not a Stripe API
  const user = await getAuthenticatedUser(req);
  if (!user) {
    return new Response('Unauthorized', { status: 401 });
  }
  // ... proceed with rate limiting and checkout
}

3. Enable Stripe Radar

Stripe Radar provides machine learning-based fraud detection. Enable it in your Stripe dashboard and configure rules for velocity checks.
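The three layers above compose into a single decision before any Stripe call is made. The following is an added example, not code from the page or from Stripe or Upstash: it replaces the Upstash limiter with an in-memory sliding window so it runs offline, keeps the page's 5-per-minute IP limit, and adds an assumed per-account velocity rule (3 checkout sessions per hour, a value chosen for illustration) of the kind Radar velocity rules enforce server-side. The `CheckoutRequest` shape, `CheckoutGuard` class and `simulateBurst` helper are all constructed for this example; the simulated traffic is constructed data.

```typescript
// Added example: layered checkout guard (rate limit -> auth -> account velocity).
// In-memory stand-in for a Redis-backed limiter; not from the original page.

type Clock = () => number; // ms since epoch; injectable so tests can freeze time

class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();

  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: Clock = Date.now,
  ) {}

  // Records the request and returns true if it is within the window's budget.
  allow(key: string): boolean {
    const t = this.now();
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // keep the pruned list, do not record the rejected hit
      return false;
    }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }
}

// Constructed request shape: only the fields the guard needs.
interface CheckoutRequest {
  forwardedFor: string | null; // raw X-Forwarded-For header value, if any
  userId: string | null;       // null when the caller is not signed in
}

type Decision = { status: 200 } | { status: 401 | 429; reason: string };

// X-Forwarded-For may be "client, proxy1, proxy2"; the first entry is the client.
// The header is client-supplied, so production code should prefer the address
// set by its own reverse proxy or platform.
function clientIp(forwardedFor: string | null): string {
  const first = forwardedFor?.split(',')[0]?.trim();
  return first && first.length > 0 ? first : '127.0.0.1';
}

class CheckoutGuard {
  private readonly ipLimiter: SlidingWindowLimiter;
  private readonly accountLimiter: SlidingWindowLimiter;

  constructor(now: Clock = Date.now) {
    this.ipLimiter = new SlidingWindowLimiter(5, 60_000, now);            // 5/min per IP (page's value)
    this.accountLimiter = new SlidingWindowLimiter(3, 60 * 60_000, now);  // 3/hour per account (assumed)
  }

  // Cheapest check first: anonymous floods are rejected before any auth or Stripe work.
  check(req: CheckoutRequest): Decision {
    const ip = clientIp(req.forwardedFor);
    if (!this.ipLimiter.allow(ip)) return { status: 429, reason: 'ip rate limit' };
    if (req.userId === null) return { status: 401, reason: 'authentication required' };
    if (!this.accountLimiter.allow(req.userId)) return { status: 429, reason: 'account velocity limit' };
    return { status: 200 };
  }
}

// Replays a constructed card-testing burst against the guard and tallies the outcomes.
function simulateBurst(): { allowed: number; unauthorized: number; rateLimited: number } {
  const frozen: Clock = () => 1_700_000_000_000; // every request lands in one window
  const guard = new CheckoutGuard(frozen);
  const counts = { allowed: 0, unauthorized: 0, rateLimited: 0 };
  const tally = (d: Decision): void => {
    if (d.status === 200) counts.allowed++;
    else if (d.status === 401) counts.unauthorized++;
    else counts.rateLimited++;
  };
  // 20 anonymous hits from one bot address behind a proxy (constructed addresses)
  for (let i = 0; i < 20; i++) tally(guard.check({ forwardedFor: '203.0.113.7, 10.0.0.1', userId: null }));
  // 4 checkouts by a signed-in account from a different address
  for (let i = 0; i < 4; i++) tally(guard.check({ forwardedFor: '198.51.100.24', userId: 'user_123' }));
  return counts;
}

console.log(simulateBurst()); // 3 allowed, 5 unauthorized (401), 16 rate limited (429)
```

Ordering matters: the IP limiter runs before authentication so that an anonymous flood never reaches the session store, and the per-account limiter runs after it so a stolen login cannot be used to cycle card numbers at full speed. In a deployment the in-memory map would be replaced by the shared Redis limiter from the fix above, since per-instance counters reset on redeploy and are not shared across serverless invocations.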
