What is card-not-present fraud? What businesses need to know


Card-not-present (CNP) fraud is credit card fraud in which the physical card isn't needed to complete a transaction. CNP fraud is most common in online purchases and over-the-phone transactions, and this method has proliferated as e-commerce sales have grown: in 2020, retail e-commerce sales in the United States grew by 36%, while CNP fraud losses increased by 31%. The main difference between CNP fraud and other forms of credit card fraud is the absence of the physical card during the transaction, which makes CNP fraud a major concern for e-commerce and remote sales.

In contrast to traditional fraud, in which fraudulent actors might steal or duplicate the physical card, those committing CNP fraud usually obtain the necessary credit card details through other means. This can include data breaches, phishing or other deceitful methods. They then use these details to make unauthorised purchases or transactions.

Tackling CNP fraud can be complicated, given the shifting nature of these attacks. As payments technology evolves, so do fraudulent actors' attempts to penetrate it, which puts pressure on businesses to create a strong mitigation plan and continually update it. Below, we'll look at CNP fraud: what it is, how it works and best practices that businesses can use to fight it.

What's in this article?

  • How does card-not-present fraud work?
  • Card-not-present fraud vs card-present (CP) fraud
  • How card-not-present fraud affects businesses and customers
  • Signs of card-not-present fraud attacks
  • How to protect your business against card-not-present fraud
  • How to respond to card-not-present fraud attacks

How does card-not-present fraud work?

Unlike traditional fraud involving stolen or copied physical credit cards, CNP fraud relies on digital mechanisms that steal information. CNP fraud is complex and involves several steps, from the acquisition of credit card information to the unauthorised transactions. Here's a breakdown of CNP fraud:

Acquisition of credit card information

  • Data breaches: Fraudulent actors obtain credit card information through data breaches at businesses. This can involve hacking into databases to steal credit card numbers, expiry dates and security codes.

  • Phishing attacks: Another common method is phishing, in which fraudulent actors trick individuals into giving away their information. This could involve emails or fake websites designed to look like legitimate businesses.

  • Skimming devices: Although more often associated with physical card fraud, skimming devices can also capture card details that are then used in CNP transactions.

  • Purchasing stolen data: Fraudulent actors can also acquire credit card details from the dark web or other illegal platforms where such information is sold.

Verification of stolen details

  • Small transactions: Often, to verify that the stolen information is valid and that the account is active, fraudulent actors will make small transactions (sometimes known as micro charges). These are usually small enough to go unnoticed by the cardholder.

  • Online verification services: Some fraudulent actors use online services that verify the validity of card details without making a transaction.

Making unauthorised transactions

  • Online shopping: Once they've obtained valid card details, fraudulent actors make purchases online. They tend to target digital goods or services that can be delivered quickly.

  • Larger purchases or transactions: If the small transactions go unnoticed, fraudulent actors might proceed with larger purchases or attempt to transfer funds.

Receiving goods or services

  • Delivery to safe addresses: Often, the fraudulent actor has items delivered to addresses that cannot be traced back to them, avoiding detection.

  • Reselling goods: Fraudulent actors will resell physical items purchased through CNP fraud for cash.

Covering tracks

  • Rapid closure of transactions: After making unauthorised purchases, fraudulent actors often close the transaction routes quickly. This could involve changing account details or abandoning the fraudulent accounts.

  • Using cryptocurrencies or anonymised payments: To transfer funds, scammers might use cryptocurrencies or other methods that anonymise the receiver.

Challenges in prevention and detection

  • Quickly evolving tactics: Fraudulent actors constantly update their methods to bypass security measures.

  • Global reach: The digital nature of CNP fraud means that fraudulent actors can strike from anywhere, complicating jurisdiction and law enforcement.

  • Balancing security and the customer experience: Businesses strive to implement security measures that are strong enough to prevent fraud but subtle enough to not inconvenience legitimate customers.

Response and mitigation

  • Advanced monitoring and analytics: Employing sophisticated software to monitor transactions for unusual activity is an important method of increasing safety.

  • Multi-factor authentication: Asking for additional verification beyond card details can provide a bulwark against attacks.

  • Educating customers: Making cardholders aware of the importance of protecting their card information is an effective means of increasing security.

CNP fraud is a constantly evolving battle against the increasingly sophisticated methods of fraudulent actors. It requires vigilance, innovative technology and collaboration among businesses, payment processors and customers.

Card-not-present fraud vs card-present (CP) fraud

To address the challenges associated with fraud, it's important to distinguish between card-not-present fraud and card-present fraud. These forms of fraud differ in how they are executed and the issues they present.

Key differences in execution

Card-not-present fraud

  • Occurrence: CNP fraud happens in transactions that do not require the physical card, such as online purchases, transactions over the phone and mail order.

  • Method: Fraudulent actors use stolen card details obtained via data breaches, phishing or other methods. They don't need the physical card to make fraudulent transactions – just the card number, expiry date and sometimes the card verification value (CVV) number.

  • Detection: Detecting CNP fraud can be challenging because the fraudulent actor does not need to present the physical card to make a purchase. Verification relies on data points that can be easier to compromise.

Card-present fraud

  • Occurrence: CP fraud occurs during in-person transactions, in which the physical card is used for payment.

  • Method: This involves using a stolen physical card or creating counterfeit cards by using stolen card data.

  • Detection: CP fraud can be easier to detect compared with CNP fraud. Physical signs – such as a damaged card, a signature mismatch or suspicious behaviour by the person making the transaction – can raise red flags and alert businesses to potential fraud.

Challenges and solutions specific to CNP fraud

Challenges

  • Lack of physical verification: The biggest challenge in CNP fraud is the absence of the physical card, which makes it difficult to verify whether the user is the legitimate cardholder.

  • Tactics that change quickly: Online fraud techniques evolve quickly, making it more challenging for businesses to keep up with new fraud methods.

  • Global reach: Fraudulent actors can conduct CNP fraud from anywhere, complicating jurisdiction and enforcement.

Solutions

  • Advanced digital verification tools: Tools such as an address verification service (AVS) – also known as address verification system – as well as CVV checks and two-factor authentication help verify the identity of the person conducting the transaction.

  • Behavioural analytics and AI: Implementing machine learning algorithms to analyse purchasing patterns and detect anomalies can be effective in identifying potential CNP fraud.

  • Customer education: Educating customers about safe online shopping practices and how to protect their card information is important in the fight against fraud.

Although CNP and CP fraud involve unauthorised use of a credit card, they differ substantially in execution and the challenges they present. CNP fraud, which does not require verification of the physical card, requires a heavier reliance on digital verification methods and data analysis to detect and prevent fraud. These differences mean that businesses must have tailored strategies to combat each type of fraud effectively, with CNP fraud demanding a more technology-centric and adaptive strategy.

How card-not-present fraud affects businesses and customers

CNP fraud can have cascading effects on businesses and their customers – and understanding the extent of these impacts is important for developing effective strategies to combat this issue. Some impacts include:

Impact on customers

  • Financial loss and liability: Although many credit card companies have policies that limit customer liability in fraud cases, the immediate impact of unauthorised transactions can be distressing. Customers might face temporary loss of funds, which can be disruptive, especially if large amounts are involved.

  • Privacy concerns: CNP fraud often arises from data breaches, leading to a sense of violation for customers whose personal and financial information has been compromised.

  • Loss of trust and confidence: When customers fall victim to CNP fraud, their trust in the security of online transactions can erode. This distrust can extend to the online retail sector as a whole, affecting customer behaviour.

  • Time and effort in resolution: Victims of CNP fraud have to invest time and effort into contesting fraudulent charges, securing their accounts and sometimes dealing with legal proceedings. These efforts can consume a large amount of time and resources.

Impact on businesses

  • Financial losses: Businesses bear the brunt of CNP fraud through chargebacks, in which they lose the revenue from the sale and the goods or services provided. Losses from CNP fraud in the US are expected to reach US$10 billion in 2024, according to an Insider Intelligence report. Businesses might also incur fines and increased payment processing fees.

  • Increased operational costs: Businesses seeking to combat CNP fraud must invest in advanced security measures, fraud detection systems and customer verification processes, all of which contribute to increased operational costs.

  • Reputational damage: A business that falls prey to CNP fraud, especially if the fraud occurs frequently or is highly publicised, can suffer reputational damage. This can lead to a loss of customer trust, which can be more challenging to restore than financial losses.

  • Impact on customer experience: Implementing stringent security measures to combat CNP fraud can sometimes make the transaction process more cumbersome for customers, potentially affecting sales.

  • Regulatory and legal consequences: Businesses might face legal challenges and regulatory scrutiny if they fail to protect customer data or are found to have inadequate security measures.

  • Long-term challenges: Dealing with the threat of CNP fraud requires continual investment in technology and staff training. This is a long-term challenge that demands constant attention and resources.

Signs of card-not-present fraud attacks

Recognising the signs of card-not-present fraud is important for businesses and customers to prevent and address these attacks effectively. Here's a look at possible indicators of a CNP fraud attempt:

For businesses

  • Unusual order patterns: One red flag is a sudden spike in orders, especially of high-value items or large quantities of goods. Fraudulent actors often try to maximise the value obtained from stolen card details.

  • Multiple transactions on one card: Numerous transactions in a short period, particularly if they fail and are retried, could indicate that a fraudulent actor is testing a card's validity.

  • Different shipping and billing addresses: Orders in which the shipping address differs from the billing address warrant extra scrutiny because this can be a tactic used by fraudulent actors.

  • Orders from high-risk locations: Transactions that originate from – or are delivered to – regions known for high levels of fraud activity should be monitored closely.

  • Rush or overnight delivery requests: Fraudulent actors often choose the fastest delivery methods so that they can receive the goods before the fraud is detected.

  • Inconsistencies in order details: Mismatched information, such as differing names or contact details across orders, can be a sign of fraudulent activity.

For customers

  • Unexpected transactions: Unfamiliar charges on a credit card statement are a sign of potential fraud.

  • Alerts from financial institutions: Many banks and card issuers provide alert services for unusual activity. Receiving such alerts can be an early warning of fraud.

  • Phishing scams: Receiving emails or messages that ask for personal or financial information can be a precursor to CNP fraud.

  • Unusual account activity notifications: Notifications about password changes, address updates or other account alterations that you did not make are warning signs of fraud.

General indicators

  • Failed transactions: Multiple failed transaction attempts followed by a successful attempt might indicate that someone is using stolen card numbers.

  • Small test purchases: Small transactions often precede larger fraudulent purchases. Fraudulent actors make these "test" charges to see whether the card is still active.

By staying vigilant and recognising the signs, businesses and customers can take timely action to prevent and mitigate the impact of CNP fraud. For businesses, this involves implementing appropriate verification processes and monitoring systems. Customers should check their statements regularly and report any suspicious activity to their card issuer.
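A sketch of how a business might turn three of these indicators (many attempts on one card in a short period, repeated failures followed by a success, and a small test charge followed by a large purchase) into checks over its transaction log. This is an added example, not Stripe's code; the record layout, alert names and every threshold are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own traffic.
WINDOW = timedelta(minutes=10)       # "short period" for velocity checks
MAX_ATTEMPTS = 5                     # attempts allowed per card inside WINDOW
MIN_DECLINES = 3                     # declines before a success looks like retrying
MICRO_CHARGE = 200                   # ceiling for a "small test purchase" (minor units)
LARGE_CHARGE = 20_000                # floor for the follow-up purchase (minor units)
TEST_LOOKBACK = timedelta(hours=24)  # how long a test charge stays relevant


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str       # processor token or fingerprint, never the raw card number
    amount: int     # minor units (pence or cents)
    approved: bool


def detect_card_testing(txns):
    """Return {card: set of alert names} for an iterable of Txn records."""
    recent = defaultdict(deque)  # card -> attempts inside the sliding WINDOW
    last_micro = {}              # card -> time of the last approved micro charge
    alerts = defaultdict(set)
    for t in sorted(txns, key=lambda x: x.ts):
        window = recent[t.card]
        while window and t.ts - window[0].ts > WINDOW:
            window.popleft()
        declines = sum(1 for p in window if not p.approved)
        window.append(t)
        if len(window) > MAX_ATTEMPTS:
            alerts[t.card].add("velocity")
        if not t.approved:
            continue
        if declines >= MIN_DECLINES:
            alerts[t.card].add("declines_then_success")
        micro_ts = last_micro.get(t.card)
        if (t.amount >= LARGE_CHARGE and micro_ts is not None
                and t.ts - micro_ts <= TEST_LOOKBACK):
            alerts[t.card].add("micro_then_large")
        if t.amount <= MICRO_CHARGE:
            last_micro[t.card] = t.ts
    return dict(alerts)


def sample_txn(minute, card, amount, approved):
    start = datetime(2024, 1, 1, 12, 0)
    return Txn(start + timedelta(minutes=minute), card, amount, approved)


# Constructed sample data (minutes after 12:00), not real transactions.
SAMPLE = [
    sample_txn(0, "card_A", 100, False),
    sample_txn(1, "card_A", 100, False),
    sample_txn(2, "card_A", 100, False),
    sample_txn(3, "card_A", 100, True),      # success after three declines
    sample_txn(90, "card_A", 48_000, True),  # large purchase after the test charge
    sample_txn(0, "card_B", 3_500, True),    # ordinary customer
    sample_txn(200, "card_B", 6_000, True),
]

print(detect_card_testing(SAMPLE))
```

Alerts like these are inputs to a review queue or a block rule rather than proof of fraud; a customer who mistypes a CVV several times produces the same "declines_then_success" pattern.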

How to protect your business against card-not-present fraud

Protecting your business against CNP fraud requires a comprehensive strategy that combines best practices and security measures. For most businesses with modern payment systems, this also includes choosing payment software and hardware that is resistant to CNP fraud.

Although your tactics and policies should reflect the specific nature and needs of your business, here are some ways to minimise the risk of CNP fraud that most businesses might find relevant:

Use advanced verification tools

  • AVS: This tool compares the billing address provided by the customer with the one on file with the credit card issuer. Discrepancies can signal a fraudulent transaction.

  • CVV: Requiring the CVV for online transactions adds an extra layer of security because this information is not stored on magnetic stripes and is harder for fraudulent actors to obtain.

  • Two-factor authentication (2FA): Implementing 2FA for transactions adds an additional verification step, which typically involves a code being sent to the customer's phone or email address.

Monitor transactions

  • Real-time transaction analysis: Employ systems that analyse transactions as they happen, looking for unusual patterns or activities that deviate from the norm.

  • Set transaction limits: Establishing limits for transaction amounts or frequency can help catch fraudulent activities early.

Secure payment gateways

  • Choose reputable payment processors: Partner with payment processors that have a strong record for secure processing and fraud prevention.

  • Encryption and tokenisation: Make sure the payment gateway uses strong encryption for data transmission and tokenisation, which replaces sensitive card details with unique identifiers.

Educate your team and customers

  • Staff training: Hold regular training sessions for your staff members to educate them about the latest techniques and trends in fraud prevention.

  • Customer awareness: Educate your customers on the importance of protecting their card information and the signs of phishing attempts.

Keep systems updated

  • Regular software updates: Keep all software up to date with the latest security patches – especially software related to payment processing and security.

  • Compliance with Payment Card Industry Data Security Standard (PCI DSS): Adhering to these standards is mandatory and a best practice in securing cardholder data.

Review and adjust policies regularly

  • Adaptive strategies: As fraud techniques evolve, so should your prevention strategies. Review and adjust your policies and methods regularly.

Implement customer verification methods

  • Delayed dispatch for suspicious orders: If an order seems suspicious, delaying dispatch until verification can prevent losses.

  • Manual review of high-risk transactions: Some transactions might require a manual review for an added layer of security.

By adhering to these best practices, your business can create layers of security that work together to detect, prevent and respond to fraudulent activities effectively. The goal is to make your business a harder target for fraudulent actors, while maintaining a smooth experience for genuine customers.
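One way to combine the verification results and order signals above into a dispatch decision (ship, manual review or delayed dispatch), shown as an added example rather than Stripe's own logic. The field names, the "pass"/"fail"/"unavailable" values, the weights and the thresholds are all assumptions; the orders in the usage line are constructed.

```python
from dataclasses import dataclass

# Weights and thresholds are illustrative assumptions, not recommended values.
REVIEW_AT, HOLD_AT = 40, 70
HIGH_VALUE = 50_000  # minor units (pence or cents)
CHECK_POINTS = {"pass": 0, "unavailable": 15, "fail": 40}


@dataclass
class Order:
    amount: int          # minor units
    avs: str             # issuer address check: "pass", "fail" or "unavailable"
    cvv: str             # issuer CVV check, same value set
    billing_postcode: str
    shipping_postcode: str
    rush_delivery: bool


def _norm(postcode):
    """Compare postcodes without case or spacing differences."""
    return "".join(postcode.split()).upper()


def triage(order):
    """Return (decision, score, reasons) for one order."""
    score, reasons = 0, []
    for name, result in (("avs", order.avs), ("cvv", order.cvv)):
        # Unknown or missing results score like a failure (fail closed).
        points = CHECK_POINTS.get(result, CHECK_POINTS["fail"])
        if points:
            score += points
            reasons.append(f"{name}_{result if result in CHECK_POINTS else 'unknown'}")
    differs = _norm(order.billing_postcode) != _norm(order.shipping_postcode)
    if differs:
        score += 10
        reasons.append("ship_bill_differ")
    if order.rush_delivery:
        score += 10
        reasons.append("rush_delivery")
    if order.amount >= HIGH_VALUE:
        score += 15
        reasons.append("high_value")
    # A gift shipped to another address is normal; rushed, high-value and
    # shipped elsewhere together is the combination the indicators describe.
    if differs and order.rush_delivery and order.amount >= HIGH_VALUE:
        score += 20
        reasons.append("rush_high_value_to_other_address")
    if score >= HOLD_AT:
        decision = "hold_dispatch"
    elif score >= REVIEW_AT:
        decision = "manual_review"
    else:
        decision = "dispatch"
    return decision, score, reasons


if __name__ == "__main__":
    print(triage(Order(60_000, "fail", "pass", "SW1A 1AA", "M1 1AE", True)))
```

Returning the reasons alongside the decision gives the reviewer something to check and gives you a record to revisit when you adjust the weights.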

How to respond to card-not-present fraud attacks

Responding to CNP fraud attacks requires a prompt and systematic strategy. Here's a quick look at how to handle such incidents effectively:

Immediate steps

  • Verify the incident: Confirm the fraudulent activity. Sometimes, what seems like fraud could be a customer forgetting about a purchase or using a different card.

  • Contact the payment processor: Report the incident to your payment processor. These services have protocols to deal with such situations and can provide guidance.

  • Cancel the transaction: If the order hasn't been fulfilled yet, cancel it to prevent any loss of goods or services.

  • Flag the account: Mark the account used for the fraudulent transaction. This helps in tracking and prevents repeat attempts using the same details.

Follow-up actions

  • Review security measures: Assess how the fraud occurred. Analyse whether there were any lapses in your security protocols and what you could do to improve them.

  • Update systems: If the fraud exploited a specific vulnerability, address it immediately. This might involve updating software or changing operational procedures.

  • Document everything: Keep detailed records of the fraudulent transaction, your response and any communication with parties involved. This is important for any potential investigations or insurance claims.

Communicating with customers

  • Transparent communication: If customer data has been compromised, inform the affected customers promptly.

  • Guidance on next steps: Advise customers on how to safeguard their accounts, and report the incident to their card issuers.

  • Support channels: Provide accessible customer support to handle enquiries and concerns related to the fraud.

Preventive measures

  • Employee training: Educate your staff about CNP fraud and the importance of following security protocols.

  • Update security measures regularly: Stay informed about the latest fraud trends, and update your security measures accordingly.

  • Customer awareness programmes: Educate your customers about protecting their card information and recognising phishing attempts or other fraud tactics.

  • Enhance verification processes: Implement more stringent verification processes for transactions, especially those that appear risky.

Legal and compliance aspects

  • Report to authorities: In some cases, it might be necessary to report the incident to law enforcement or other regulatory bodies.

  • Compliance with data breach protocols: Follow legal and regulatory requirements related to data breaches, including notifying affected parties and regulatory bodies.

Taking these steps will allow your business to respond to CNP fraud attacks effectively, mitigate damage and strengthen defences against future incidents. By acting swiftly, learning from the incident and improving your processes, you can safeguard your business and maintain customer trust. Learn more about how Stripe protects businesses against CNP fraud.
