Yeah, sorry.
Card runners are guys basically randomly generating potential numbers (the first 6 numbers are public knowledge, that's the BIN - identifies who the issuing bank is), and randomly generating the remaining numbers. They then target low security web sites and run very small amount transactions to determine if a card # is legit.
It gets even better, because every valid credit card # has to pass a mathematical formula (luhn check), so you can increase your odds of getting a valid card during the attack.
edit: And if you think that sounds bad, don't get me started on ACH/Direct Debit and the Euro equivalent (SEPA).