Chance of guessing any valid credit card data

What’s the chance of guessing valid credit card data that could be used to make a payment online? To me, it looks like it’s not extremely hard to guess, but I’m not able to calculate the probability. I mean, it’s not like it was designed to be as strong as 128-bit keys, which you know you can’t really crack. So I wonder if any attacks are possible because of this lower entropy, and if not, why.

Ok, there are 16 digits. That alone would provide a bit more than 50 bits of entropy, if all the digits were random. But they are not: some are fixed and define the card issuer, and there should also be some redundancy for a checksum. Also, there are a lot of valid numbers, because a lot of people have credit/debit/prepaid cards today, I guess millions of people. You just need to guess one valid code. Ok, sometimes you have to provide other data for payment as well, for example the expiration date or the CVV. Yet those don’t provide a lot of entropy. There might also be additional checks (like the owner’s name or address), but I’m not sure those are always enforced.

I’m not saying it’s easy to buy something with a specific person’s credit card in a specific online store. I’m just wondering if it’s not that hard, given a large botnet, to try to guess any valid credit card data by testing it (or even actually making a purchase) on random e-commerce websites.