E-commerce merchants must decide whether card not present (CNP) purchases made at their online stores are legitimate. Evaluating orders incorrectly leads to chargebacks, which require merchants to return the value of the transaction, even after they ship their merchandise.
CNP fraud is a major problem that only continues to grow. In fact, it’s estimated that this type of fraud will cost retailers $130 billion in revenue by 2023.
Sophisticated fraudsters continually attack unprepared merchants. But proactive e-commerce merchants can do a lot to protect themselves. One thing is sure — if you do nothing, you’ll be an easy target.
This article answers the most commonly asked questions about card not present fraud.
What Is Card Not Present Fraud?
Card not present fraud is fraud committed in a type of transaction where a credit card is used to make a purchase without presenting the physical card to the merchant at the point of sale.
E-commerce fraud is the most common type of CNP fraud. However, the term refers to any credit card transaction where the card is not physically presented to the merchant in order to complete the transaction — such as mail order fraud and phone fraud.
Preventing card not present fraud is difficult because merchants cannot use the card’s physical safety features, such as the chip and PIN EMV security features, or the point of sale PCI compliance standards that are used in card present transactions.
Moreover, in a card present transaction where a fraudster successfully bypasses EMV technology, the merchant is generally not liable due to the EMV store owner fraud liability shift. This is in contrast to CNP fraud, where merchants are forced to return the money from a transaction when a cardholder successfully claims it was fraudulent, a process commonly known as a chargeback.
How Does Card Not Present Fraud Work?
Successful fraud attempts have increased by an average of 44%-48% since 2019, according to research from LexisNexis.
Card not present fraud works by tricking merchants into believing a transaction is legitimate when in fact the person initiating it does not intend to pay. Two broad categories of CNP fraud exist: traditional e-commerce fraud, which is performed by unauthorised cardholders, and friendly fraud, which is performed by the authorised cardholder.
Traditional e-commerce fraud occurs when a fraudster steals enough information about a cardholder’s account to use it for online purchases. This type of information is commonly available on the dark web. Fraudsters use the dark web to dump credit card information illicitly obtained via hacking, trade information about how to successfully prosecute individual attacks against merchants, and even franchise out known models of committing large-scale fraud operations.
Friendly fraud is when the authorised cardholder makes a purchase, but then fraudulently claims they did not authorise the transaction. Friendly fraud is difficult to detect because all of the order details look exactly like a legitimate order.
Either type results in a chargeback.
The cost of chargeback fraud is passed on to the merchant because the bank is financially incentivised to indemnify cardholders against fraud in order to encourage card use, and because e-commerce merchants have no choice but to accept credit card payments regardless of the potential fraud risk.
How Do You Prevent Card Not Present Fraud?
Fraudsters are sophisticated, and so the best defense against card not present fraud is an algorithmic e-commerce fraud prevention solution, combined with a strong team of human analysts that specialize in knowing your specific industry trends and system vulnerabilities.
One of the biggest mistakes made by merchants is ignoring the effect of false declines (declining legitimate orders incorrectly labeled as fraudulent) and friendly fraud. Chargebacks feel like theft, so there is a natural tendency to focus on preventing them. However, turning away legitimate orders, and failing to identify and stop repeat friendly fraud attacks, is far more costly. Not only is the absolute value of dollars lost higher, but there is a huge knock-on effect due to the loss of goodwill with legitimate customers and the virality of poor customer experiences as a drag on corporate reputation.
It is far more important for companies to focus on fraud prevention measures that achieve business objectives. The goal should not be to prevent theft — it should be to maximize overall profit.
No card not present fraud defenses are foolproof, but setting up any type of prevention system creates a deterrent effect. Fraudsters like the path of least resistance, and there are millions of potential targets on the internet that don’t take fraud prevention seriously. If your store presents friction, thieves will often choose to find a softer target.