Card-Not-Present Fraud in 2022: What Merchants Need To Know

What is Card-Not-Present Fraud?

Card-Not-Present (CNP) fraud is a type of fraud where a fraudster makes an unauthorized transaction without physically presenting the card. CNP fraud most commonly happens in e-commerce but can also occur in other card-not-present channels, such as mail order and phone fraud. Fraud actors use stolen payments data to carry out CNP transactions; this could be to test the validity of the payment credentials, to order products that they can resell for cash, or illegally steal money from the compromised account.

CNP fraud most often happens because the merchant is unable to confirm the identity of the cardholder in person or verify if the purchase is legit. When a merchant accepts a fraudulent transaction, they become liable to refund the actual cardholder when the latter raises a chargeback request. And if a merchant processes a large volume of such fraudulent CNP transactions, their chargeback numbers increase, inviting further penalties and legal disputes. According to the European Central Bank, CNP fraud accounted for losses to the tune of €1.5 billion in 2019 – about 80% of all card-related fraud!

Preventing CNP fraud can be challenging for merchants as they cannot use a physical card’s chip and pin EMV security features or point-of-sale PCI compliance standards. Thus, merchants become liable to refund a cardholder for fraudulent CNP transactions if the cardholder raises a chargeback. Common types of CNP include synthetic identity theft, account takeovers, friendly fraud, gift card fraud, and loyalty points fraud.

How Does Card-Not-Present Fraud Impact Businesses?

Card-Not-Present fraud can have potential negative effects on your business. It leads to chargebacks, erodes your bottom line and customer trust, and hurts your brand reputation in the long term.

• CNP fraud leaves merchants liable to chargebacks. Customers who become victims of CNP fraud raise chargeback requests. Too many chargebacks could put you in the high-risk merchant category, raising your processing costs and inviting penalties. In a worst-case scenario, you could even be barred from processing card transactions completely.
• CNP fraud affects your relationship with your customers. It can damage your brand reputation, especially if an angry customer, who has fallen victim to CNP fraud, were to go on social media and tell potential customers to avoid buying from you because you couldn’t protect their data.
• CNP fraud can be costly to businesses in the long term. Fixing the damage from a data breach can be expensive. To offset fraud-related losses they might have to raise prices or take more drastic measures, which could further hurt consumer trust and loyalty, leading to greater revenue decline over time.
• Sometimes merchants who have been victims of chargebacks might have their fraud prevention setting turned up too high, leading to false declines on genuine purchases. This creates more customer pain points in the checkout experience and prevents legit transactions from going through, which in itself could rack up significant losses over time.

How Does Card-Not-Present Fraud Work?

Card-Not-Present fraud works by a fraud actor impersonating an actual cardholder using stolen payment creds, which they use to commit large-scale fraud. These could range from card testing to making unauthorized purchases from an e-commerce merchant and reselling the products for cash. Fraudsters could also sell the payments creds on the Dark web, steal money from the cardholder’s account, or commit large-scale fraud.

It is not only fraud actors or rogues who commit CNP fraud. Sometimes, it could also be “friendly fraud” – where a legit consumer purchases products from a merchant but then falsely claims they did not authorize the transaction and instead raises a chargeback request.

If not protected, merchants have to take the liability of CNP fraud. Issuing banks have a vested interest in protecting cardholders from fraud-related losses – to encourage more card usage, leaving merchants open to losses and with no choice but to accept card payments, despite potential fraud risks.

Hence, it is critical for merchants to have the right systems and protocols in place to detect and prevent CNP fraud, ideally before it can cause much damage.

How Do You Detect and Prevent Card-Not-Present Fraud?

Your best strategy to fight CNP fraud is to have an omnichannel approach that combines AI and machine learning tools with human fraud analysts with specific knowledge and toolsets related to your business or industry. While no fraud prevention tool can be 100% fool-proof, having one can be a strong deterrent. Fraudsters don’t like resistance and would rather look for softer targets than engage a robust fraud-fighting setup.

If you haven’t already, here are the definitive steps you should take to combat CNP fraud:

• Use 2-Factor Authentication: 2-factor authentication is now mandatory for companies doing business in Europe as per the latest PSD2 regulations. 2-factor authentication adds a stronger security layer by having genuine cardholders authorize transactions using two of three factors – a PIN or password, an OTP, and a biometric scan. The added security layer makes it more difficult for fraud actors to break in.
• Switch to 3D Secure: 3D Secure is a security process that protects users from online card fraud by using 2-factor authentication. It uses a broader range of data elements (like customer’s shipping address, device ID, and payment history) and biometric authentication to allow for frictionless authentication and more secure payments. 3DS helps you stay compliant with SCA requirements and protects you from chargeback liability, instead shifting it to the card-issuing bank.
• Use Device Fingerprinting: Use device fingerprinting to establish a unique identifier for every device that accesses your website. You can track devices that are associated with fraudulent patterns and block them from further access. Encourage your customers to use in-built fingerprint scanners on their smartphones to protect their mobile devices from unauthorized access.
• Tap into AI and Machine Learning: Fraud tools that use AI and machine learning can help you to set up fraud prevention rulesets. You can minutely analyze transaction data and customer shopping behavior on your website and mobile apps and flag any suspicious activity. These tools can analyze millions of data points in real-time, giving you a significant edge in monitoring and fighting fraud.
• Use Human Fraud Intelligence: Combining AI and machine learning with human fraud analysts with a specific understanding of your industry and business can help you get the right balance. They can work within your existing fraud prevention setup, use relevant datasets to detect fraud in real-time, and reduce the financial impact of fraud on your business and customers.
• Leverage Cross-Network Intelligence: The best fraud prevention tools help you to leverage cross-network and cross-industry intelligence. These tools gather data by analyzing transactions and orders across the entire network and flagging any suspicious patterns. If fraud is detected at one merchant in the network, all other merchants in the network are alerted and protected.
• Go with Chargeback Guarantees: Insist on a fraud prevention solution that offers chargeback guarantees. Such a solution will review your orders, and if any order that it approves turns out to be fraudulent and results in a chargeback, you will get a full refund.

How Can Novalnet Help?

Novalnet offers AI-powered risk management that helps you to prevent fraud before it happens. Our tailor-made fraud prevention solutions use AI and machine learning to protect your business from any fraudster activity and design the best payment experiences for your customers, all of it in a PCI DSS-compliant environment. With our Payment APIs, hosted payment page, and instant plug-ins, you can accept payments easily while being fully compliant with the revised PSD2 guidelines.

Gowri Shankar Balasubramaniam

Gowri Shankar is the IT Application Security Manager at Novalnet with versatile knowledge in Programming and System/Security architecture. Having 11+ years of experience in the financial services industry, Cybersecurity, Payment Card Industry Data Security Standard (PCI DSS). Certified in Advanced Payment Card Industry Security Implementer (CPISI 2.0), Secure Software Lifecycle Professional (CSSLP) from (ISC)².