Q1 - Before you use credit card numbers you must have established all prerequisite account setups, and the numbers must be internally checked (you cannot use arbitrary numbers). You can validate the code by using such predefined cards for your positive tests, and by made-up numbers for your negative tests. Credit cards also have a status associated with them (such as lost, stolen, etc.) as well as an expiration date and other security codes that must all be prepared on the masterfile that you access during your test. This adds up to a significant number of combinations.
Q2 - This has me confused. Are you telling me that you are not preparing the target data that you expect to find when you issue a call for a specific page? Assuming that you have signed-in to a web site, simulating one of the test clients on the masterfile, then your page should reflect the account contents related to that test client, something that should be easy enough to test. If you establish proper test scripts the verify step entries should list what ought to appear relative to the input actions you previously performed.
Q3 - The response time "N" is usually independent of the number of users: it is the maximum time to not upset any users wanting to interact with the system. Your performance testing confirms that a target application is capable of meeting that "N" target even if it handles a sustained load based on the targeted number of users served.