Card-Not-Present Fraud: How Merchants Can Detect and Prevent It

Why CNP Fraud Affects Online Merchants Differently

In card-present transactions (in-store purchases with a physical card), EMV chip technology has dramatically reduced fraud losses. When a chip card is used at a chip-enabled terminal, the liability for fraudulent transactions shifts to the card issuer. Merchants who accept chip cards at chip terminals are largely protected from counterfeit card fraud.

Card-not-present transactions have no equivalent protection. Online merchants cannot verify the physical card — they can only verify that the card number, expiration date, CVV, and billing address provided by the buyer match what the bank has on file. None of these checks verify that the person making the purchase is actually the cardholder.

This asymmetry means that as fraud prevention has improved in physical retail (through chip cards), criminals have increasingly shifted their activity to online channels. CNP fraud rates for online merchants have grown steadily, and the card networks' rules generally place greater liability on merchants for CNP transactions.

Common CNP Fraud Schemes

CNP fraud takes several forms, each with different characteristics and prevention approaches.

Classic stolen card fraud: a criminal obtains card data (through data breaches, phishing, or card skimming) and uses it to make online purchases before the cardholder notices the theft. Speed matters — criminals often test stolen card data with small purchases before using it for large ones.

Account takeover (ATO): a criminal gains access to a customer's existing merchant account (through credential stuffing, phishing, or password reuse) and makes purchases from the stored card. The transaction looks legitimate because it uses the customer's actual account credentials.

Card testing: criminals test large batches of stolen card numbers with small purchases to determine which are valid and have sufficient funds. Merchants who see many failed authorization attempts followed by a small successful transaction, often for digital goods, may be experiencing card testing.

New account fraud: a criminal creates a new account at your store using stolen identity information and card data, making purchases that appear to be from a new customer.

Buy-now-pay-later (BNPL) fraud: increasingly common as BNPL services grow; criminals abuse the delayed payment structure to obtain goods before fraud is detected.

Detection Tools and Techniques

Effective CNP fraud detection combines automated tools with merchant judgment. Layer multiple signals rather than relying on any single indicator.

Address Verification System (AVS): verify that the billing address provided matches the bank's records. Full AVS match (address and ZIP) is a strong signal of legitimacy. Mismatches don't guarantee fraud but warrant additional scrutiny.

CVV verification: require the card security code (CVV2/CVC2) for all CNP transactions. While stolen card data often includes CVV, requiring it raises the bar for fraudsters and provides an additional verification layer.

Velocity rules: limit the number of orders from a single IP address, device, or email address within a time window. Fraudsters testing stolen card batches generate high-velocity signals.

Device fingerprinting: tools like Stripe Radar, Kount, and Forter identify device characteristics associated with fraud patterns. A new device making a large first purchase is higher risk than a recognized device with transaction history.

IP geolocation: flag orders where the IP address location differs significantly from the billing address, especially for high-value orders. A US billing address with a purchase from an Eastern European IP is worth reviewing.

3D Secure authentication: adding a cardholder authentication step (biometric, OTP, or bank app confirmation) significantly reduces CNP fraud and shifts liability to the issuing bank for authenticated transactions.

Responding to CNP Fraud Chargebacks

When CNP fraud results in a chargeback, your representment options depend on the authentication measures you had in place.

If 3D Secure authentication was completed: provide the authentication record. Under Visa and Mastercard liability shift rules, the issuing bank bears the loss for authenticated transactions where the card data was stolen. Your win rate on these cases is very high.

If 3D Secure was not used: focus on all authorization evidence — CVV match, AVS match, IP address and geolocation, device fingerprint, purchase history if the customer had prior transactions. While you won't have authentication records, documented fraud screening due diligence helps your case.

For card testing chargebacks: provide evidence of your fraud controls, the pattern of transactions, and any fraud alerts from your screening tools. Document that you responded quickly to block the fraudster once the pattern was identified.

For account takeover fraud: demonstrate that the transaction was made from the customer's authenticated account, that you took reasonable steps to secure customer accounts (strong password requirements, login alerts), and that the specific compromise was outside your control.

One hard truth: without 3D Secure authentication, CNP fraud chargebacks are often difficult to win outright. Prevention is significantly more effective than response for true CNP fraud.

Building a CNP Fraud Prevention Stack

Effective CNP fraud prevention uses a layered approach — no single tool catches everything, but multiple tools covering different attack vectors dramatically reduce your exposure.

Tier 1 — Basic controls (all merchants): require CVV verification, enable basic AVS matching, use your processor's built-in fraud rules (Stripe Radar, PayPal's fraud filters), and implement 3D Secure on transactions above your chosen threshold.

Tier 2 — Enhanced controls (moderate to high risk): add a dedicated fraud scoring platform (Kount, Sift, Forter), implement device fingerprinting, add behavioral analytics (mouse movement patterns, typing speed) that detect automated fraud tools, and use velocity rules.

Tier 3 — Advanced controls (high-value merchants or high-risk categories): manual review queues for flagged transactions, machine learning models trained on your specific fraud patterns, consortium data sharing (your processor's fraud network flags cards that have frauded other merchants), and enhanced customer verification for high-value orders.

Balance fraud prevention against conversion rate: overly strict controls that block legitimate purchases are also costly. Calibrate your rules based on your actual fraud rate, and avoid declining legitimate customers unnecessarily.