Preventing Card-Not-Present (CNP) Fraud

Card-not-present fraud is one of the fastest-growing forms of card fraud. Here’s how to safeguard your business and your customers against it.

What is a card-not-present transaction?

A card-not-present (CNP) transaction refers to any transaction that takes place without a credit card or cardholder being physically present. CNP transactions stand in contrast to card-present transactions, in which payment details are captured in person by swiping, tapping or dipping a credit card through a reader.

What are the different types of card-not-present transactions?

There is a wide variety of CNP transactions, including:

What is card-not-present fraud?

As its name implies, card-not-present fraud is a form of card fraud run specifically on CNP transactions. CNP transactions tend to be more vulnerable to fraud than card-present ones because scammers don’t need to steal a physical card, counterfeit one or find their way around EMV chip technology in order to make fraudulent transactions.

In most cases, all a fraudster needs to make a transaction is a cardholder’s credentials, such as their name, billing address, account number, card verification value (CVV) or card expiration date. It can take longer for merchants to detect this type of fraud because the scammer’s transactions appear legitimate, which means fraudsters are often able to make multiple purchases using stolen credentials before they are found out.

Card-not-present fraud can be divided into two subcategories: without 3D Secure (3DS) authentication, and with 3DS authentication. For reference, 3D Secure authentication is a security protocol designed to reduce the risk of fraud, identity theft and other illicit activities during CNP transactions.

Card-not-present fraud without 3DS authentication includes any CNP transaction that does not require an additional level of customer authentication — for example, when a customer makes a purchase online by entering their card information into a website and is not prompted to verify their identity. Although 3DS is intended to reduce the risk of fraud, fraud can still occur on 3DS transactions. Card-not-present fraud with 3DS typically happens when a card issuer bypasses authentication steps in an attempt to validate a transaction. If fraud does occur, the card issuer is held liable; however, this type of fraud still counts against a merchant’s fraud key performance indicators (KPIs).

How do scammers obtain information to commit card-not-present fraud?

Cybercriminals use a variety of tactics to obtain cardholders’ payment details and commit card-not-present fraud — tactics such as:

Social Engineering

Social engineering is a broad category of scams in which fraudsters use psychological manipulation to convince their targets to share personal information, provide access to restricted systems or spread malware. Although phishing is perhaps the best known example of social engineering, other forms include spear phishing, baiting, pretexting, tailgating and quid pro quo attacks.

Spyware

Cybercriminals will often use social engineering to convince victims to download attachments that will automatically install spyware on their devices, which then monitors their activity. One of the most common forms of spyware, called a keylogger, records every keystroke a user makes and automatically sends it to the fraudster, enabling them to gain access to sensitive information, including user logins, account numbers and payment credentials.

Data Breaches

Merchants and banks are common targets for hackers looking to expose cardholders’ personal and financial information. Data from Statista shows that in the third quarter of 2022 alone, approximately 15 million data records were exposed worldwide through data breaches — a 37% increase from the previous quarter.

Card Skimming

Fraudsters will sometimes install skimming devices in ATMs or point-of-sale terminals at gas stations, restaurants and retail stores. When a cardholder inserts their credit or debit card into the machine, the device captures the card data from the magnetic stripe and sends it directly to the scammer.

Public Wi-Fi Networks

Cardholders who use public internet (without a VPN) to access accounts or review sensitive documents are at an increased risk of card-not-present fraud, as scammers will often monitor these networks to steal cardholders’ credentials.

What risks does card-not-present fraud pose to consumers?

Cybercriminals who commit card-not-present fraud typically use cardholders’ payment information to make fraudulent purchases, ranging anywhere from a few hundred dollars to tens of thousands.

In addition to fraudulent purchases, scammers may also:

  • Use cardholders’ credentials to set up recurring payments from their account, typically in increments small enough not to draw the cardholder’s notice or concern
  • Acquire cryptocurrency and convert it into cash without leaving a paper (or digital) trail
  • Buy gift cards in bulk so that they can reduce their risk of being tracked when they make online purchases or resell those gift cards

How prevalent is card-not-present fraud?

Card-not-present fraud is one of the fastest-growing types of not just card fraud, but fraud in general:

  • According to UK Finance’s Fraud the Facts 2021 report, card-not-present fraud constituted 85.3% of all card fraud reported in 2020.
  • A 2021 report from Nilson Report states that card-not-present fraud accounted for almost 7 out of 10 fraud losses to merchants and acquirers in 2020, totaling almost $19.43 billion USD worldwide.
  • Insider Intelligence expects card-not-present fraud to account for 74% of all fraud by 2024 — a 57% increase from pre-pandemic levels in 2019.

Who bears the loss for fraudulent card-not-present transactions?

Unlike card-present fraud, in which the issuing bank typically bears the loss for fraudulent transactions, merchants bear the loss for card-not-present fraud — particularly for CNP fraud without 3DS. In neither case is the cardholder held liable.

How else does card-not-present fraud affect merchants?

Bearing loss for card-not-present transactions can have a serious impact on merchants’ bottom lines. LexisNexis reports that in the United States and Canada, every $1 of fraud costs retail and eCommerce merchants $3.75 and $3.19, respectively. This is a considerable increase from 2019 rates — a 19.8% increase for the U.S. and an 11.1% increase for Canada — and those numbers are expected to climb.

If a customer realizes they’ve been the victim of card-not-present fraud, they may request a chargeback with their bank. Managing those chargebacks adds to merchants’ expenses, increasing overall fraud costs.

Card-not-present fraud not only takes a financial toll on merchants — it also has the potential to damage their brand’s reputation. If a merchant’s customers frequently find themselves the targets of card-not-present fraud, it suggests that that merchant has not done its due diligence authenticating purchases, which may prompt customers to take their business elsewhere.

What technology can merchants use to combat card-not-present fraud?

Merchants should look to invest in fraud management software that enables fraud orchestration by leveraging the following technologies:

  • Digital Identity Services: Digital identity services collect data elements from a wide variety of sources and apply machine learning, data association and profiling techniques to authenticate customer identities. Merchants can use digital identity services to review transactional data, assess the likelihood of risk for each transaction and develop positive or negative consumer profiles.
  • Strong Customer Authentication (SCA): SCA is a form of multifactor authentication that builds an additional layer of security into CNP transactions by requiring merchants to verify customers’ identities based on at least two of the following components:
    • Something the customer knows, such as a password, passphrase or personal identification number
    • Something the customer has, such as a mobile phone, wearable device, hardware token or smart card
    • Something the customer is (based on biometric data), such as a fingerprint, facial recognition scan, voice pattern or DNA signature

In addition to preventing card-not-present fraud, implementing SCA can help merchants achieve Payment Services Directive 2 compliance.

  • Tokenization: Tokenization replaces sensitive data — such as a customer’s personally identifying information and payment details — with a unique, random numeric sequence, known as a token. This token is then used within a merchant’s payment environment in place of the real data. Because a token cannot be converted back to the original value without the tokenization system that issued it, tokens add a layer of security to CNP transactions.
  • Network Intelligence: Network intelligence is a form of business intelligence that continuously analyzes data packets in real time to determine the relationships between those packets and identify potential fraud signals. This analysis is made possible by packet capture data and advanced machine learning algorithms.
  • Incremental Machine Learning: Compared to traditional machine learning models, which can be fairly static and suffer from model degradation, incremental machine learning uses historical and live data to recognize behavioral changes and respond dynamically to anomalous activity. Incremental machine learning models can be updated automatically in real time from streaming data, enabling merchants to recognize new and emerging threats even as fraudsters’ methods become more sophisticated.
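The incremental machine learning item above contrasts a static model with one that updates from streaming data. As an added example that is not ACI's code, the following keeps a running per-token spending profile using Welford's online mean/variance update, scores each new amount as a z-score against that live profile, and only lets unflagged transactions reshape the profile so a fraudulent spike does not poison it. The threshold, minimum history and standard-deviation floor are assumed values; a production system would combine many more signals than amount alone.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, Iterable, List, Tuple


@dataclass
class CardProfile:
    """Running mean and variance of transaction amounts for one token (Welford's algorithm)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, amount: float) -> None:
        self.n += 1
        delta = amount - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (amount - self.mean)

    def stddev(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class IncrementalScorer:
    """Scores a transaction against the cardholder's live profile, then learns from it."""

    def __init__(self, z_threshold: float = 3.0, min_history: int = 5, floor: float = 10.0):
        self.profiles: Dict[str, CardProfile] = {}
        self.z_threshold = z_threshold
        self.min_history = min_history   # cold-start: too little history to judge
        self.floor = floor               # minimum stddev so near-constant spenders are not over-alerted

    def score(self, token: str, amount: float) -> Tuple[float, bool]:
        profile = self.profiles.setdefault(token, CardProfile())
        if profile.n < self.min_history:
            z = 0.0                      # learn only; an alert here would have no baseline
        else:
            z = (amount - profile.mean) / max(profile.stddev(), self.floor)
        flagged = z > self.z_threshold
        if not flagged:
            profile.update(amount)       # flagged amounts never reshape the baseline
        return z, flagged


def run_stream(scorer: IncrementalScorer, events: Iterable[Tuple[str, float]]) -> List[Tuple[str, float, bool]]:
    """Replay a constructed (token, amount) stream and return each decision."""
    return [(token, amount, scorer.score(token, amount)[1]) for token, amount in events]
```

The cold-start branch is the caveat to keep in mind: a brand-new token gets no score until it has history, which is why such a model is layered with other signals rather than used alone.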

How does ACI Worldwide fight card-not-present fraud?

ACI Fraud Management for Merchants is a full-service fraud prevention platform that uses fraud orchestration to empower merchants to reduce fraud and chargebacks while increasing conversions.

It achieves this by:

  • Providing holistic, real-time fraud operations using a single API connection
  • Consolidating 10,000+ fraud signals from various sources and applying data-rich analytics, so merchants can better anticipate and respond to payments fraud
  • Using advanced technology, including artificial intelligence, machine learning, and behavioral analytics to identify and assess anomalous behavior and unexpected patterns
  • Leveraging the latest in fraud prevention technology, including network intelligence, SCA, tokenization and incremental machine learning
  • Offering the flexibility to tailor fraud strategies based on payment method, channel and market, as well as add functionality when needed
  • Utilizing an automated, real-time decisioning engine to generate PCI- and compliance-certified fraud prevention strategies
  • Delivering support from a payments risk optimization team, which can provide bespoke payment strategies that guarantee long-term growth