Card not present fraud: Know the prevention measures

CNP fraud is the most common type of card fraud worldwide. It poses significant challenges for businesses of all sizes and industries, relying on stolen card information and typically resulting in financial losses. So, to protect your business and customers, you must proactively implement robust prevention measures, which we’ll explain on this page.

This article has everything you need to know about CNP fraud, including common tactics employed by fraudsters. We’ll also explain the essential prevention measures you can adopt to safeguard against CNP fraud.

What is card-not-present fraud?

Card-not-present fraud, also known as remote purchase fraud, is when a criminal uses a stolen or compromised credit card to make a purchase online, over the phone, or through other channels where the physical card isn’t present during the transaction.

In terms of detection and prevention, this type of payment fraud poses significant challenges because it relies on the unauthorized use of card information, rather than the actual card itself.

Due to the potential for substantial losses faced by businesses, many organizations have implemented various measures, such as fraud prevention, identity resolution, and verification tools, to effectively manage risks and mitigate fraud-related financial impacts.

However, it’s crucial to strike a balance between safeguarding against CNP fraud and maintaining a seamless checkout experience for genuine customers. If there’s too much friction at the checkout, you risk losing customers.

If you run an ecommerce business, your success or failure often depends on how you facilitate smooth transactions while incorporating CNP fraud prevention and identity verification tools. The following tips are, therefore, essential for your fraud monitoring strategy.

How does card-not-present fraud work?

Card-not-present (CNP) fraud happens when someone with malicious intent gets hold of crucial payment details, such as credit card numbers, personal information (e.g. names and addresses), or the three-digit security code on the card's back. Armed with this information, the fraudster can make fraudulent purchases.

In today's world, fraudsters have convenient access to purchasing "fullz," which are comprehensive stolen profiles containing a wealth of personal information. These profiles are often stolen through data breaches or phishing attacks, and can be bought and sold via the dark web.

Unfortunately for business owners, the liability for fraudulent CNP transactions largely falls on the shoulders of the merchants. As a result, chargebacks have become a common outcome from CNP fraud, as victims often only discover the fraudulent activity after it has been detected.

How is credit card data stolen for card-not-present fraud?

Fraudsters use various techniques to steal payment card information, but the most common methods are phishing, skimming, hacking, data breaches and social engineering.

Phishing

Phishing involves the use of fraudulent emails, texts, or other electronic communications to deceive people into sharing their personal and financial information. Typically, these messages appear to come from trusted sources, such as banks, e-commerce platforms, or service providers, with the goal being to trick readers into clicking on malicious links, or providing sensitive data, which can then be used for CNP fraud.

Digital Skimming

Also known as Magecart attacks, this method happens when cybercriminals inject malicious code into your, the merchant's, website. This code captures payment card information entered by unsuspecting customers during the checkout process, which is then sent to the fraudsters who can use it to carry out unauthorized transactions or sell it on the dark web.

Hacking

This is when hackers get unauthorized access and manipulate computer systems or networks to gain valuable information. In the context of CNP fraud, hackers target databases or networks containing payment card data, then exploit vulnerabilities in security measures.

Data Breaches

Data breaches happen when unauthorized individuals gain access to sensitive information stored by your business. These breaches can happen for many reasons, including weak security measures, insider threats, or sophisticated cyber attacks. When payment card data is compromised in a data breach, it becomes susceptible to misuse by fraudsters for CNP fraud.

Social Engineering

Social engineering involves manipulating individuals or exploiting human psychology to deceive people into revealing confidential information. In terms of CNP fraud, fraudsters may impersonate trusted individuals or organizations, tricking victims into providing their payment card details, login credentials, or other sensitive information through phone calls, emails, or in-person interactions.

Learn more: The regions with the highest credit card fraud

What’s the difference between card-not-present fraud and card-present fraud?

The main difference between card-not-present (CNP) fraud and card-present (CP) fraud is the nature of the transaction and the level of risk associated with each type of fraud.

CNP fraud is when a criminal uses stolen or compromised card information to make a purchase online or over the phone. The key aspect here is that the fraudster needs only the card details to carry out the fraudulent activity.

On the other hand, CP fraud is when a criminal uses a stolen or counterfeit physical card to make fraudulent purchases, either in-person at brick-and-mortar stores, restaurants, or other establishments where the card is normally physically present during the transaction. In CP fraud, the criminal exploits the actual card (not just the card information), often through techniques such as card skimming or card cloning.

Are CNP transactions riskier and more common than CP transactions?

CNP transactions are riskier and more common than CP transactions due to several factors.

CNP transactions lack physical verification, making it easier for fraudsters to go undetected, while CP transactions often involve additional security measures, such as chip-and-PIN or signature verification, which provide an extra layer of protection.  

Another risk factor to consider is the global reach of CNP transactions, which makes it hard to track and prevent. The widespread connectivity of online and phone-based transactions provides fraudsters with ample opportunities to exploit stolen card information on a larger scale.

This connectivity also exposes your business to data breaches, either through hacking attempts or data leaks from compromised service providers. The vast volume of personal data collected and stored by online platforms makes them attractive targets for cybercriminals.

Common CNP fraud statistics worldwide

Let’s see how CNP fraud affects different parts of the world…

North America

• In 2022, CNP fraud accounted for $8.75 billion in payment fraud losses, and is predicted to reach $10.16 billion in 2024.
• According to the FTC, US consumers reported losing more than £3 billion ($3.8 billion) to investment scams in 2022.
• In 2021, the FTC fielded nearly 390,000 reports of credit card fraud alone.

UK

• In the UK, payment card fraud made up 45% of all financial fraud losses in 2022.
• Losses due to CNP fraud decreased by 6% to £199.4 million in the first six months of 2022.
• Overall fraud losses totalled £1.2 billion in 2022.

Europe

• In 2018, CNP fraud accounted for 79% of the total value of card fraud.
• In 2019, the total value of fraudulent transactions using cards issued within SEPA was €1.87 billion ($2.17 billion) in losses.
• Europe spends 6% of its annual ecommerce revenue to manage payment fraud, including the implementation of SCA (strong customer authentication).

Who is responsible for CNP fraud?

The responsibility for card-not-present (CNP) fraud falls primarily on the merchant until proven otherwise through a chargeback case. This means that if a fraudulent CNP transaction happens, you, the merchant, are initially held liable for any resulting financial losses.

Since October 2015, merchants who use EMV (Europay, Mastercard, and Visa) protection are not held liable for card-present (CP) fraud. However, if your business accepts CP transactions without EMV protection, specifically designed for chip cards, you assume liability for any fraudulent activity.

What prevention measures should merchants take to reduce CNP fraud?

There are a number of ways you can protect your business from CNP fraud, including:

Fraud Detection Systems

The first port of call is to Implement robust fraud detection systems that use advanced algorithms and machine learning techniques, such as Checkout’s Fraud Detection tool. These systems analyze transaction patterns, customer behavior, and other relevant data to identify potentially fraudulent activities and flag suspicious transactions for your review.

3D Secure

3D Secure protocols, such as "Verified by Visa," "Mastercard SecureCode," or "American Express SafeKey”, add an extra layer of security to CNP transactions by requiring customers to authenticate themselves, either by using a password, one-time code, or biometric verification.

Two-Factor Authentication (2FA)

Implement two-factor authentication for customer logins and transactions. This method adds an additional layer of security by requiring customers to provide two forms of identification, such as a password and a unique verification code sent to their registered mobile device or email address.

Tokenization

You can adopt tokenization techniques to protect sensitive customer payment information, replacing actual card details with unique tokens, ensuring that the original card data is securely stored in a token vault. This minimizes the risk of unauthorized access to card information in case of a data breach.

Network tokenization is a broader type of tokenization. It’s a process carried out by acquirers – or payment service providers – on behalf of their merchants, similar to PCI tokenization. The purpose of network tokenization is to enhance the security of card data by safeguarding it between the token provider and the merchant, which reduces the scope of the Payment Card Industry Data Security Standard (PCI DSS).

The main difference between network tokenization and PCI tokenization is the entity responsible for issuing the tokens. In network tokenization, it’s the card scheme (e.g. Visa or Mastercard) that issues the tokens, as opposed to the acquirer or payment service provider. This characteristic grants network tokens greater reach across the entire payment ecosystem, making them applicable to a broader range of use cases.

ID Verification

A simple yet effective way to prevent CNP is to use identity verification measures, ensuring that the individuals conducting CNP transactions are legitimate. This can include verifying customer identities through government-issued identification documents, address verification, or employing third-party ID verification services.

Read more: What forms of ID verification are used for payments?

Explore fraud detection at Checkout.com

Checkout.com offers an advanced fraud detection system, called Fraud Detection Pro, that equips your business with powerful tools to effectively detect and combat fraud.

This system leverages advanced algorithms and machine learning capabilities to analyze transaction data and detect patterns indicative of fraudulent activities, helping you  enhance your fraud prevention strategies and protect your business from financial losses.

With Fraud Detection Pro, you also gain access to real-time insights and alerts, enabling you to swiftly identify suspicious transactions and take appropriate action. By leveraging the expertise of Checkout.com's fraud prevention specialists, and the continuous refinement of Fraud Detection Pro, your business can stay ahead of emerging fraud trends and one step ahead of fraudsters.