Card not present fraud (CNP fraud) is when someone makes a purchase with a debit or credit card online without the permission of the legitimate card owner.
According to the Merchant Risk Council, fraudsters already have the information they need to make a purchase from more than 80% of the credit cards in existence. Given that shocking statistic, it’s little wonder that card not present fraud costs US consumers almost $10b. In fact, it’s almost shocking that the figure is not higher.
What Is Card Not Present Fraud?
Card not present fraud is fraud committed through a transaction in which a credit card is used to make a purchase without presenting the physical card to the merchant at the point of sale.
E-commerce fraud is the most common type of CNP fraud. However, the term refers to any credit card transaction where the card is not physically presented to the merchant in order to complete the transaction — such as mail order fraud and phone fraud.
Preventing card not present fraud is difficult because merchants cannot rely on the card’s physical safety features, such as the chip and PIN EMV security features, or on the point of sale PCI compliance standards that are used against card present fraud.
Moreover, in a card present transaction where a fraudster successfully bypasses EMV technology, the merchant is generally not liable due to the EMV store owner fraud liability shift. This is in contrast to CNP fraud, where merchants are forced to return the money from a transaction when a card holder successfully claims it was fraudulent, a process commonly known as a chargeback.
The Impact of Card Not Present Fraud on Businesses
Though people often focus on the way Card Not Present fraud affects individuals, it’s also important to step back and look at the impact on businesses and the economy at large. When businesses lose money due to fraud, they have to raise prices, cut wages, or reduce their workforce to account for the losses. Though it’s difficult to track the exact financial costs, fraudulent chargebacks alone are estimated to cost businesses roughly $40 billion per year. That number is expected to rise dramatically over the next few years.
While the direct financial impact of fraud cannot be ignored, there are also other consequences at play. False-positive decline rates are on the rise, as merchants are desperate to protect themselves and their customers from fraudulent purchases. Consequently, when many innocent customers go to the checkout, their cards get declined by stringent card not present fraud prevention rules. These declines not only cause a headache for cardholders, but they also prevent millions of legitimate transactions from taking place every year.
CNP fraud also creates a disconnect between businesses and their customers. When a data breach occurs, it costs businesses a lot of money to try to rectify the issue. Moreover, the loss of consumer trust and loyalty can cause even greater revenue decline over the long term. This means that Card Not Present fraud can cause devastating losses due to loss of brand reputation—especially if a consumer goes onto social media to tell other potential customers to avoid a merchant because their data wasn’t secure.
Merchants with too many chargebacks end up in the high-risk merchant accounts pool. At a minimum this raises the merchant’s card processing fees. At worst, the merchant can lose their ability to process credit and debit card transactions entirely.
How Does Card Not Present Fraud Work?
Successful fraud attempts have increased by an average of 44%-48% since 2019, according to research from LexisNexis.
Card not present fraud works by tricking merchants into believing a transaction is legitimate when in fact the person initiating it does not intend to pay. Two broad categories of CNP fraud exist: traditional e-commerce fraud, which is performed by someone other than the authorised cardholder, and friendly fraud, which is performed by the authorised cardholder.
Traditional e-commerce fraud occurs when a fraudster steals enough information about a cardholder’s account to use it for online purchases. This type of information is commonly available on the dark web. Fraudsters use the dark web to dump credit card information illicitly obtained via hacking, trade information about how to successfully prosecute individual attacks against merchants, and even franchise out known models of committing large-scale fraud operations.
Friendly fraud is when the authorised cardholder makes a purchase, but then fraudulently claims they did not authorise the transaction. Friendly fraud is difficult to detect because all of the order details look exactly like a legitimate order.
Either type results in a chargeback.
The cost of chargeback fraud is passed onto the merchant because the bank is financially incentivised to indemnify card holders from fraud in order to encourage their use, and because e-commerce merchants have no choice but to accept credit card payments regardless of the potential fraud risk.
How Do You Prevent Card Not Present Fraud?
Fraudsters are sophisticated, and so the best defense against card not present fraud is an omnichannel ecommerce fraud prevention strategy that uses an algorithmic e-commerce fraud prevention solution, combined with a strong team of human analysts that specialize in knowing your specific industry trends and system vulnerabilities.
One of the biggest mistakes made by merchants is ignoring the effect of false declines (declining legitimate orders incorrectly labeled as fraudulent) and friendly fraud. Chargebacks feel like theft, so there is a natural tendency to focus on preventing them. However, turning away legitimate orders, and failing to identify and stop repeat friendly fraud attacks, is far more costly. Not only is the absolute value of dollars lost higher, but there is a huge knock-on effect due to the loss of good will with legitimate customers and the virality of poor customer experiences as a drag on corporate reputation.
It is far more important for companies to focus on fraud prevention measures that achieve business objectives. The goal should not be to prevent theft — it should be to maximize overall profit.
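The trade-off between chargebacks and false declines can be made concrete by scoring each decline threshold on profit rather than on fraud stopped. The following is an added example, not part of the original article; the orders, margin, chargeback fee and repeat-business factor are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    amount: float    # order value in dollars
    score: float     # fraud score in [0, 1] from any scoring model
    is_fraud: bool   # outcome learned later (chargeback or not)

# Assumed economics, chosen for illustration only.
MARGIN = 0.30          # gross margin earned on a legitimate order
CHARGEBACK_FEE = 25.0  # fee charged to the merchant per chargeback
REPEAT_FACTOR = 2.0    # future margin lost per false decline, as a multiple of this order's margin

# Constructed sample of scored orders (not real data).
ORDERS = [
    Order(100, 0.05, False), Order(200, 0.10, False), Order(150, 0.20, False),
    Order(300, 0.35, False), Order(80, 0.40, True), Order(250, 0.45, False),
    Order(400, 0.55, False), Order(120, 0.60, False), Order(500, 0.80, True),
    Order(350, 0.90, True),
]

def outcome(order, threshold):
    """Profit contribution of one order when scores >= threshold are declined."""
    declined = order.score >= threshold
    if order.is_fraud:
        # Approved fraud: goods are gone, the money is returned, a fee is added.
        return 0.0 if declined else -(order.amount * (1 - MARGIN) + CHARGEBACK_FEE)
    if declined:
        # False decline: the legitimate customer's future business is lost.
        return -(order.amount * MARGIN * REPEAT_FACTOR)
    return order.amount * MARGIN

def profit(orders, threshold):
    return round(sum(outcome(o, threshold) for o in orders), 2)

def chargebacks(orders, threshold):
    return sum(1 for o in orders if o.is_fraud and o.score < threshold)

def best_threshold(orders, candidates):
    return max(candidates, key=lambda t: profit(orders, t))

if __name__ == "__main__":
    candidates = [0.3, 0.5, 0.7, 1.01]  # 1.01 approves every order
    for t in candidates:
        print(f"decline at >= {t:<4}: profit {profit(ORDERS, t):>8.2f}, "
              f"chargebacks {chargebacks(ORDERS, t)}")
    print("profit-maximising threshold:", best_threshold(ORDERS, candidates))
```

On this sample the strictest threshold eliminates every chargeback yet produces the worst result, because the false declines cost more than the fraud they prevent.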
No card not present fraud defenses are foolproof, but setting up any type of card not present solution creates a deterrent effect. Fraudsters like the path of least resistance, and there are millions of potential targets on the internet that don’t take fraud prevention seriously. If your store presents friction, thieves will often choose to find a softer target.
How Do Fraudsters Steal Credit Card Information?
According to the latest U.S. census, roughly 13.6% of all sales occur online. This figure has more than doubled over the past decade, and it will likely increase at an even faster rate in the coming years. Since making purchases online is so prevalent (and requires very little information), it’s now easier than ever for cyber-criminals to use your credit card — without ever laying a finger on the card itself.
While there are various ways that criminals can commit CNP fraud, there are three primary avenues that allow fraudsters to steal and use your credit card information:
- Phishing Attacks: A phishing attack is a fraudulent message in which the sender poses as another person or institution in order to gain your trust. For example, you might receive an email that appears to be from your bank. The email will contain a link to a separate website where you would be instructed to provide sensitive information, like your address, credit card number, security code, and so on. However, the site will be designed by the fraudster to steal your information without your knowledge. Then, the fraudster could either use this information to make purchases, sell the data to a third party for a profit, or both.
- Malware: Malware is often a much more direct attack on your personal information. For example, if you visit a suspicious website over an unsecured network, you could expose your device to malware. Once the malware has gained access to one of your devices, hackers gain the ability to steal personal information stored there — including banking or credit card information.
- Physical theft of credit applications: Card not present fraud is an online phenomenon, but it does have a real-world component. As discussed on the ‘To Catch a Fraudster’ podcast, thieves will break into any physical store location that offers credit and steal applications (either physical paper copies, or entire computers they will hack into later), which have all the personal information they need to fraudulently take out credit cards.
- The Dark Web: The Dark Web essentially consists of private or otherwise concealed networks. While not all activity on the Dark Web is illegal, it does provide an environment for cyber-criminals to commit fraud anonymously. Hackers use it to sell the credit card information they steal to other fraudsters.
Different Types Of Card Not Present Fraud
There is no single type of card not present fraud. In reality, CNP fraud occurs in a number of ways, including the creation of fake identities, the use of card-based payment methodologies other than credit cards, and even some instances where no credit card information is stolen at all.
- Synthetic Identity Fraud: Synthetic identity fraud is often one of the most complex, as it requires criminals to acquire your personal information (banking info, Social Security number, etc.) and use it to create a false identity. Not only will this allow the criminal to spend your money under a false identity, but they can also commit other crimes using your information, putting you in a potentially frightening legal situation.
- Gift Card Fraud: Rather than simply using your credit card info to make purchases online, many criminals use your funds in exchange for gift cards which they then sell. Why? Because gift cards are easy to acquire and difficult to track. Moreover, there are various companies online that will buy gift cards for a percentage of their face value, allowing cyber-criminals to turn your credit line into cold hard cash even if they are partially used.
- Friendly Fraud: Friendly Fraud is a unique (and common) form of fraud in which someone makes a seemingly legitimate transaction and then requests a chargeback from the issuing bank for the funds. In doing so, the purchaser can keep the product or service in question, while also getting a refund for the cost. This kind of fraud ends up costing businesses and banks billions of dollars every year.
- Account Takeovers: As the name implies, account takeover fraud occurs when a third party takes over your financial account by stealing your login credentials. This allows criminals to have complete access to your finances, which they can then use to make purchases, withdraw money, or convert funds into less traceable assets — like cryptocurrency.
- Loyalty Point Fraud: Loyalty Point Programs are a common way for credit card companies to incentivize consumers to sign up for new cards and make purchases. However, criminals will hack into customers’ accounts and then sell off the loyalty points for cash.
How to Detect Card Not Present Fraud
While Card Not Present fraud is a real and dangerous threat to individuals, businesses, and banking institutions, there are ways to fight the problem before it starts. However, even under the best of circumstances, there’s always the chance that your sensitive data could be leaked or hacked without your knowledge. Therefore, it’s also important to know how to both detect and prevent card not present fraud:
- 3D Secure: 3D Secure is a financial protocol designed to provide an added layer of security between the purchaser, the merchant, and the card issuer. This protocol requires you to submit additional verification when making purchases online, thereby reducing the risk of fraudulent purchases.
- Two-Factor Authentication: Two-factor authentication makes it much more difficult for non-authorized people or entities to access your accounts or devices. There are three forms of authentication: something you know (password), something you have (a code or authentication app), and something you are (biometrics). Two-factor authentication requires you to provide two of them to access your account.
- Device Fingerprinting: Nowadays, many devices (particularly smartphones) feature built-in fingerprint scanners. With fingerprint logins in place, you can ensure that you — and only you — can access sensitive information on your mobile device.
- Machine Learning: While it may not seem like you can use machine learning to your own advantage, the advancement of machine learning allows the best e-commerce fraud prevention solution to analyze billions of data points to detect “suspicious” activities on your accounts.
- Network Effects: E-commerce fraud prevention solutions will use the data they gather by analyzing orders across their entire network to protect your account. If a fraudster or fraudulent transaction pattern is detected at one merchant, all merchants in the network will be protected.
- Human Fraud Analysts: With the increasing prevalence of CNP fraud, human fraud analysts can use datasets to detect fraud as soon as it happens, reducing the financial consequences for both individuals and businesses.
- Chargeback Guarantees: When you work with a card not present solution that provides a chargeback guarantee, the solution reviews orders for you, and then offers a full refund for orders it told you to approve that turned out to be fraudulent and came back as a chargeback.
What Is the Best Card Not Present Fraud Prevention Tool?
Card not present fraud is a major problem for consumers and merchants alike. However, the scope of the issue has given rise to a number of solutions merchants can use to protect their stores against fraudsters.
The top e-commerce fraud prevention tools all use advanced machine learning algorithms, large consumer networks, and expert human fraud analysts to detect and prevent card not present fraud. They also offer complete chargeback guarantees that will reimburse merchants for chargebacks they receive on approved orders.