The world of credit card fraud is more complex than it might at first appear. There is a whole market unto itself, dealing in stolen credit card information. Carding is one of the more important functions of this demi-market, as it is essentially a version of "quality control." Carding is the practice used by those who steal credit card numbers of making a small transaction of utterly unimportant nature in order to determine if the card is still active. The only point of carding is to determine if the card is still sellable onto the credit card fraud market.
Carding requires the use of so-called cardable websites, which offer up opportunities for carding. This means that the website has some form of small-amount transaction available, which carders can use in order to quickly determine whether or not the card in question is still active. Such websites are often charity websites which will allow donations of any amount.
The point of carding at such low levels is so as to not attract any attention, while also avoiding the card's credit limit. For example, a small donation of one dollar to a charitable, cardable website would serve the purpose of carding perfectly well, while also likely going unnoticed by the card holder and the credit card company.
Previously, carding would refer to a practice of using generators which would come up with entirely random sets of credit card numbers. The carding individuals would then test these numbers to see which ones were actually connected to valid accounts; essentially, this version of carding amounted to a "guess and check" system for perpetrating credit card fraud.
Due to increasing security measures, however, this type of carding has been essentially eliminated, as the amount of information necessary for performing transactions is substantially greater than that provided by these random number generators. Nowadays, you need billing address and the CSV Card Security Code, along with the card's expiration date, all of which would be information that this version of carding would not provide. Thus, carding's primary role nowadays is as verification of active status on the card information.
Once a card has had its active status confirmed by carding, the information is collectively referred to as a phish. The carding individual will generally sell the phish to others; he will not carry out the credit card fraud himself, although he can still be held accountable on charges of credit card fraud for having provided others with the ill-gotten information they needed to perpetrate credit card fraud.
One of the primary problems of this relationship, however, is that the carding individual becomes a bit harder to trace, as he is now no longer the one performing the direct credit card fraud. As such, even if the credit card fraud were to be detected, the carding person might remain hidden from any investigation, thereby allowing him to do the same thing at a later date. Many times, the individual who performs the carding of a set of card information is also the individual who obtained the information, be it through skimming or phishing.
