| ▲ | janpeuker 5 hours ago | |
Payment processors don't allow just brute forcing all card numbers a.k.a. card enumeration or card testing [1][2] and card schemes penalise merchants and payment processors heavily if they don't take measures against it [3]. 1) https://stripe.com/newsroom/news/card-testing-surge 2) https://stripe.com/blog/the-ml-flywheel-how-we-continually-i... 3) https://docs.stripe.com/disputes/monitoring-programs#enumera... | ||
| ▲ | kodbraker 5 hours ago | parent | next [-] | |
The rate they try becomes very non frequent when they use multiple card validation apis. I'm not sure how it can be related when it's different pan numbers, different source ips etc. Enumerating CVC2 with a single PAN is a different story. | ||
| ▲ | opengrass 4 hours ago | parent | prev [-] | |
Until 6 years ago Stripe didn't obfuscate card numbers in API logs at all. | ||