Skip to main content

Card Not Present (CNP) Fraud: How to Protect Your Business from Fraudulent E-Commerce, Mail, or Phone Orders

By January 21, 2022December 12th, 2022No Comments
Card not present fraud (fraudulent purchases that are made online, over the phone, or by mail) has been increasing in recent years. As online and otherwise remote payments become more common, merchants are expected to lose as much as $130 billion to card-not-present fraud by the end of 2023. The main factors are that scams are becoming more complex – and therefore more successful – while merchants have been relatively slow to adopt anti-fraud countermeasures.

As card-present fraud has gone down, card-not-present fraud has gone up.

Card not Present (CNP) FraudEMV technology has been extremely successful at minimizing card-present payment fraud. Before chip cards were introduced, credit cards typically had their users’ account information recorded on a magnetic strip, which made them very easy to clone. Even when merchants had the opportunity to manually inspect the card at the point of sale, it was not easy to detect fraudulent transactions.

The EMV payment standard, however, introduced smart payment cards with built-in microchips. These chips hold dynamic encrypted data, which can change over time. As a result, it’s much harder for a hacker to access the data. Even if they were able to successfully clone the card, the data may have already changed by the time they attempt a fraudulent transaction.

These measures significantly reduced card-present retail fraud – by some estimates, as much as 76 percent. However, as card-present fraud rates dropped, there was a corresponding surge in fraudulent card-not-present transactions placed both online and over the phone. Most of these fraudulent attempts involve brute force, with hackers attempting to repeatedly process stolen card data. These attempts can generate hundreds of thousands of automated authorization attempts.

Under current standards, merchants are financially liable for fraudulent card-not-present transactions.

The EMV payment standard treats card-present and card-not-present fraud differently.

  • If a merchant uses EMV technology for their card-present purchases and correctly follows established procedures (e.g., they require customers to dip their chip card rather than swiping it), they are not liable for fraudulent purchases. In these cases, the liability is with the cardholder’s issuing bank.
  • If a merchant accepts a fraudulent charge online, over the phone, or by mail, they are required to provide a refund if the cardholder files a chargeback.

These rules make it especially important for merchants to implement fraud prevention measures for all transactions – regardless of where the order is placed.

How can merchants defend their business from card-not-present fraud?

Address and card code verification services

Address Verification (AVS) and Card Code Verification (CCV) are two of the most reliable ways to prevent card-not-present fraud.

  • Address Verification confirms that the billing address entered is the same as the one on file with the credit card issuer.
  • Card Code Verification confirms that the person making the purchase has physical possession of the card. (Note: PCI standards do not allow the storage of CVV numbers, so these security codes should not be accessible to a criminal unless they have the stolen card physically in their hands. A stolen card number alone would not be enough to complete the purchase.)

E-commerce merchants can also implement IP address matching to check if the purchaser’s IP address corresponds to the card billing address.

A word of warning: on their own, these verification methods only alert merchants to potential discrepancies; they do not prevent credit card transactions from being processed. It is up to the merchant to decide to refuse a suspicious payment if the information does not match. If desired, they can manually make a judgment call for each transaction, although most credit card processing technologies can be set to automatically reject transactions where there is a variance.

3-Domain secure (3DS) technologies

3-Domain secure (3DS) protocol was originally developed by Visa to improve the security of online credit card payments. Now, each of the major card networks offers their own 3-D secure technologies, each with different implementation requirements. Similar to 2-factor authentication (2FA), 3DS adds an extra verification step to the checkout process, requiring the cardholder to confirm the transaction before the payment is processed.

Analytics and AI-enhanced risk management solutions

Merchants should be mindful of larger-than-average orders from new customers, or buyers who otherwise do not fit the usual pattern of doing business. Automated risk management systems can look out for red flags such as:

  • A high volume of authorization attempts from a single account
  • Recently changed shipping addresses
  • Suspicious changes in countries, browsers, or VPNs
  • Mass password request requests

By identifying patterns that frequently correspond with fraud – then alerting merchants to transaction attempts that match these patterns – machine learning and AI-based analytics solutions can reduce the need for merchants to manually review each transaction.

How can merchants protect their customers from card-not-present credit card fraud?

Strategies for Reducing Card not Present Fraud

While merchants tend to be – for good reason – most concerned with protecting their own business from fraud, there’s another component to consider as well. When customers place an order – be it online, over the phone, or in person – they trust that the seller will appropriately protect their payment data. With breaches occurring more frequently every year, retailers have an ever-increasing responsibility to keep their customers’ data secure. That means meeting PCI compliance requirements, which includes:

  • Not storing, processing, or transmitting credit card data on unsecured systems
  • Encrypting or tokenizing sensitive data
  • Restricting access for unauthorized users
  • Monitoring systems via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and change-detection mechanisms

While merchants aren’t required to implement anti-fraud solutions such as address verification or 3DS, PCI compliance requirements are mandatory. Compliance must be documented each year in the form of a self-assessment questionnaire (SAQ). However, that’s not to say that merchants have to handle the entire burden of compliance on their own.

With PCI-compliant payment processing technologies that offload the handling, storage, or transmission of credit card data, merchants can take most – if not all – of their infrastructure out of scope for these questionnaires. Instead of reporting on their entire infrastructure, they can report on a much smaller, more manageable part of it – while using the technology provider’s built-in security standards to protect their cardholders’ data. This makes transactions much more secure for both the business and their customers.

Learn more about protecting your business from card-not-present fraud.

At Curbstone, we’ve helped hundreds of merchants achieve secure, PCI-compliant payment processing. Not only do our technologies move sensitive data off your network, thus,  keeping your systems out of scope for PCI reporting, they also use Remote Tokenization to provide an additional layer of protection against theft. You – and your customers – can have full confidence – wherever you process payments.

Secure Technologies for Card Not Present Payments