What is "Card-testing"?

'Card-testing' is when one person steals multiple credit cards, or mass produces card numbers, and tests them all to see which ones can be used.

To combat this, Stripe, the Payment Service Provider (PSP), advises implementing a concept known as 'Captcha'. This can help stop automated 'card-testing', where stolen card details are run through website checkouts to see if they can successfully buy something.

Captchas intercept the automation by asking the user if they are human. Automated scripts generally stop at this point, which means the fraudulent transaction is not completed.

To deter further testing, I strongly suggest implementing CAPTCHA. You can learn more about it here:

CAPTCHA: http://captcha.net

Google reCAPTCHA: https://www.google.com/recaptcha/intro/index.html

This works well on the web to reduce fraud, but card-testing in apps isn't automated in the same way. Fraudsters will complete the card test in person to buy something digital and of low value; a digital bus ticket, unfortunately, falls into that category perfectly.

A fraudulent user will use your app as a way to complete a 'card-test', and a captcha is something they will easily complete successfully.

Using postcodes to verify someone is who they say they are

By default, we require that the customer provides a valid postcode. This is checked by Stripe against the information stored on the customer's account with the issuing bank. Where it does not match, the transaction is automatically refunded straight away. 

Requiring the postcode helps to reduce fraud where cards have been stolen, as this information is not present on the card itself. The person who has stolen the card must have additional information about the individual to be able to complete the transaction.
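The postcode check described above, sketched as an added example (this is not the app's own code). Stripe reports the result on a charge under payment_method_details.card.checks.address_postal_code_check as pass, fail, unavailable or unchecked; sending the last two to manual review and flagging a customer after two mismatches are assumptions made for this example, and the charge records are constructed.

```python
from collections import Counter

def make_charge(charge_id, customer, postcode_result):
    """Build a constructed record with only the Charge fields used below."""
    checks = {"address_postal_code_check": postcode_result}
    return {"id": charge_id, "customer": customer, "amount": 250,
            "currency": "gbp",
            "payment_method_details": {"card": {"checks": checks}}}

# Constructed sample data; the ids are placeholders, not real Stripe objects.
SAMPLE_CHARGES = [
    make_charge("ch_example_1", "cus_example_A", "pass"),
    make_charge("ch_example_2", "cus_example_B", "fail"),
    make_charge("ch_example_3", "cus_example_B", "fail"),
    make_charge("ch_example_4", "cus_example_C", "unavailable"),
    make_charge("ch_example_5", "cus_example_C", None),
]

def postcode_check(charge):
    """Return the postcode check result, treating a missing value as 'unchecked'."""
    card = (charge.get("payment_method_details") or {}).get("card") or {}
    return (card.get("checks") or {}).get("address_postal_code_check") or "unchecked"

def decide(charge):
    """Map the check result to an action."""
    result = postcode_check(charge)
    if result == "pass":
        return "keep"
    if result == "fail":
        return "refund"  # mismatch: refund, as described above
    return "review"      # assumption: 'unavailable'/'unchecked' go to manual review

def triage(charges, max_failures=2):
    """Return per-charge decisions and customers with repeated mismatches."""
    decisions = {c["id"]: decide(c) for c in charges}
    failures = Counter(c["customer"] for c in charges
                       if decisions[c["id"]] == "refund")
    flagged = sorted(cust for cust, n in failures.items() if n >= max_failures)
    return decisions, flagged

if __name__ == "__main__":
    decisions, flagged = triage(SAMPLE_CHARGES)
    for charge_id, action in decisions.items():
        print(charge_id, action)
    print("repeated postcode mismatches:", flagged)
```

Because a captcha does not stop someone testing cards by hand in an app, the list of customers with repeated postcode mismatches is the part of this output worth reviewing.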

Read Why customers appear to be charged when the apps block their payment.