Card-Not-Present Fraud: The Basics


For over twenty years, merchants have been selling their products online, starting with small items like books and gifts. E-commerce was considered a niche market. Today, however, 69{f748b26f3a1b305e8d5b41398549632c588ef8fa9551e474b1cc4460a92082c3} of Americans shop online at least once per month, and e-commerce sales are expected to reach $400 billion by the end of 2017. E-commerce transactions can be easier, more convenient, and priced more competitively than their brick-and-mortar counterparts. While this boom has ushered in a new era of commerce, it has also brought about an increase in a unique type of scam that was previously limited only to mail order and telephone order merchants: card-not-present fraud. 

What is Card-not-Present Fraud?

Because a physical payment card cannot be present during the checkout process, many point-of-sale (POS) card-present security protocols do not translate electronically. Security measures such as requesting identification, examining the payment card, and getting a signature are impossible or impractical for a high-volume retailer. Instead, e-commerce merchants must rely on imperfect solutions to combat online fraud, and many cyber criminals take advantage of the inherent weaknesses in CNP transactions.

Part of this issue lies within the EMV (chip card) implementation. Because the security features employed by card-present EMV transactions are so strong, counterfeiters, scam artists, and thieves are bolstering their online attacks. CNP fraud is expected to increase 100{f748b26f3a1b305e8d5b41398549632c588ef8fa9551e474b1cc4460a92082c3} by 2018, currently represents 45{f748b26f3a1b305e8d5b41398549632c588ef8fa9551e474b1cc4460a92082c3} of total U.S. credit card fraud, and accounts for 25{f748b26f3a1b305e8d5b41398549632c588ef8fa9551e474b1cc4460a92082c3} of fraud losses worldwide.

Most stolen credit card numbers are obtained via a data breach, theft by dishonest employees, or online phishing scams. Common CNP fraud scenarios include:

  • A criminal uses stolen credit card data to purchase an order and has it delivered to an empty or abandoned house. The criminal then picks up the package later.
  • A cardholder makes a purchase online, receives the merchandise, then files a dispute with their credit card issuer. The credit card issuer files a chargeback and the merchant bears the loss.

Who is affected?

Unfortunately, the merchant bears the loss of card-not-present fraud. According to Chargebacks 911, merchants lost $2.23 for every dollar of fraud in 2014. Javelin consulting firm reported that the total value of CNP fraud transactions will reach almost $19 billion in 2018. If a fraudulent transaction processes successfully and the merchandise is shipped out, the merchant will lose both the money from the sale and the product. In addition, cardholders are less likely to shop online if they are previous victims of CNP fraud, costing the merchant legitimate future sales as well.

How can the threats of CNP fraud be lessened?

 As with most cases of business security, protection begins with the merchant, especially during the checkout process. Collecting certain pieces of cardholder data will save a lot of time and stress if the transaction does turn out to be fraudulent. Be sure to collect the following in addition to the card number:

  • Cardholder name
  • Card expiration date
  • Card security code, also known as a CVC, CSC, CVV, CVN, CVD, etc.
  • The billing address and phone number associated with the credit card

Collecting this additional information can help verify that the online customer is in physical possession of the card, rather than just the card number. If you do suspect an order to be the result of fraudulent activity, ask yourself the following questions to help determine whether or not you should process the order:

  • Geolocation – was the purchase made in one location and being shipped to another? Is the shipment going out of the country? Check the shipping address online through a street view program. Does the address look inhabited?
  • Does the customer’s e-mail address seem legitimate? Is the domain recognizable? A G-mail, Yahoo, or MSN e-mail is more commonplace, typically with a word or name in the address. However, an e-mail address with seemingly random letters and numbers from an unrecognized domain could raise some red flags. If in doubt, e-mail the customer or call the number provided during the checkout process.
  • Is the transaction value far higher than typical, or of a suspiciously large quantity? If your web site normally processes an average of $75 per transaction, an order for $7,500 should raise suspicion. While the prospect of closing the sale and fulfilling an order of that magnitude can be tempting, it’s important not to ship the product out until you can verify that the card is not compromised and the transaction is legitimate. If you ship out the product and the transaction turns out to be fraudulent, you could be out both the product and the money from the sale, in addition to any additional fees you may be charged for processing a fraudulent transaction.
  • Choose a shipping provider that allows re-routable shipments. If a transaction turns out to be fraudulent, you may be able to recover your product.
  • IP address of the transaction, if available.

Keep in mind that not all fraudulent transactions are caught immediately. It could be upwards of several months before a charge is reversed due to fraudulent activity. While there are some software solutions that can detect transaction anomalies, or block transactions from a certain location, overzealous anti-fraud programs and tactics could result in the loss of legitimate sales.

The best way to minimize CNP fraud is to use common sense, train your employees in fraud detection, and securely collect enough cardholder information.

Interested in protecting your retail business? Check out our article on three ways to improve your business’ security.