This year, analysts estimate that card-not-present fraud will account for nearly $9.5 billion in losses, an increase of 8.5% over last year.

The increase in card-not-present fraud correlates with the rise of e-commerce; as more people shop online, fraudsters are launching increasingly sophisticated and persistent efforts to access digital payment information. 

Card-not-present (CNP) fraud is expected to make up 73% of card payment fraud losses this year. This type of payment fraud results in significant business losses — fraudulent chargebacks alone cost companies roughly $40 billion annually. If you’re worried about protecting your business from card-not-present fraud, here are some of the latest prevention strategies and tools you can use to mitigate this risk. 

What is card-not-present fraud?

Card-not-present (CNP) fraud occurs when a criminal uses stolen credit card information to make a purchase online, over the phone, or through some other means where the card does not need to be physically presented to complete the sale. CNP fraud can occur with any transaction in which the user only provides the credit card numbers, expiration date, and CVV code.

CNP fraud is common because it has become easy for criminals to obtain credit card information without accessing the physical card. Criminals can obtain credit card information through data breaches, phishing scams, and malware. Alternatively, criminals can buy entire lists of credit card and CVV numbers online and match them to personal data necessary to use the number, such as a home address.

Types of CNP transactions

One of the reasons why card-not-present fraud is so prevalent is that the payments space has evolved to include dozens of CNP applications. As a result, there are many avenues through which a criminal can use stolen credit card information to attempt a fraudulent purchase. 

Here are a few examples of CNP transactions that are vulnerable to card-not-present fraud. 

  • Online shopping: when a customer completes a transaction through an e-commerce site.
  • Phone purchases: when a customer provides their payment details over the phone. 
  • Mobile wallet payments: when a customer uses stored credentials in a digital wallet to complete a transaction. 
  • Card-on-file payments: when a customer provides payment information for a merchant to store and use for future transactions. 
  • Recurring payments: when a customer authorizes a merchant to deduct funds from their payment method on a regular basis. 
  • Invoice payments: when a customer makes a payment against a balance for goods or services rendered by a vendor. 

As you can see, one of the reasons why CNP payments are so vulnerable is that a criminal doesn’t need to steal a physical card to make fraudulent transactions. Each of the examples listed above can be completed without presenting an EMV chip or scanning a mag stripe. This dynamic makes it difficult for merchants to see who is on the other side of the transaction — the actual customer or a scammer. 

Card-not-present fraud is especially prevalent in retail and e-commerce, but the travel industry, online gaming, and entertainment are all easy targets for CNP fraudsters. In fact, any business that does not require a physical card to be present to complete a transaction could be vulnerable to CNP fraud. 

How does card not present fraud work? 

Although there are many types of card not present fraud, the basic process for committing this crime is relatively consistent. It starts with the theft of someone’s credit card information. 

There are many methods that someone could use to steal credit card data. Social engineering — tricking someone into revealing their personal information — is one popular option. This includes phishing, pretexting, and spoofing, among other tactics. 

Spyware and card skimming are two other techniques that a criminal could use. Criminals will infect a device with spyware posing as an innocent attachment or link, which will then install a piece of malware to log someone’s keystrokes as they enter passwords into websites. Card skimming is a similar technique in which a device is installed that automatically captures card information when a cardholder inserts their credit or debit card into a point-of-sale terminal. 

Finally, data breaches also give criminals the information they need to commit card-not-present fraud. Financial institutions and e-commerce merchants are common targets for hackers looking to expose cardholders’ personal and financial information. 

Once card details are exposed, the criminal can make fraudulent purchases ranging anywhere from a few hundred dollars to tens of thousands. They could also set up recurring payments from the victim’s account, buy cryptocurrency and convert it into cash, or buy gift cards to resell or make other online purchases. 

Unfortunately, any time CNP fraud occurs, the merchant bears the loss. Especially in industries with tight margins — such as e-commerce — this puts many sellers at financial risk. Financial institutions, too, risk losing customer trust when CNP fraud occurs. 

Best practices for combatting card-not-present fraud

The burden of combatting CNP fraud lies with the merchant. And, as digital payments continue to get more popular, techniques and tools to mitigate this risk must get more sophisticated. The latest trends to reduce the risk of card-not-present fraud are outlined below. 

Artificial intelligence to monitor and prevent payment fraud

Leveraging artificial intelligence can help detect and flag suspicious transactions in real time.’s Transaction AI, for instance, offers a CNP fraud detection capability by employing multiple data points:

  • Actionable, real-time alerts of anomalous account behavior.
  • Risk scores for every account transaction to reduce false positives for your fraud team, save valuable time, and prevent carding attempts sooner.
  • Rule-based workflows based on risk that can scale to thousands of instances of carding fraud. The granular definition and governance of these workflows accelerate investigations and can be customized with organization-specific criteria. 

Transaction AI harnesses your customer data with billions of insights from unique data sources available only to users. These systems can analyze large amounts of data, including historical transaction data, customer behavior data, and known fraud patterns, to identify anomalies and patterns that may indicate fraudulent activity.

Tokenization to prevent data theft

Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Tokenization minimizes the amount of data a business needs to keep on hand to bolster the security of credit card and e-commerce transactions while minimizing the cost. It also helps institutions meet complex compliance requirements, such as PCI DSS. Merchants can take advantage of this protection by accepting payments via Apple Pay and other products that create these tokens and also use biometric scanning for verification.

Implement Strong Customer Authentication (SCA)

SCA is a new EU regulation that requires merchants to implement additional authentication measures for certain types of online transactions. SCA requires authentication to use at least two of the following three elements:  

  • Something the customer knows, such as a PIN or password
  • Something the customer has, such as a mobile device or hardware token
  • Something the customer is, such as a biometric face ID or unique fingerprint

SCA measures are preventative and work best when coupled with a failsafe solution like Transaction AI.’s advanced transaction monitoring software can lead to a 53% reduction in fraud case investigations and a 66% decrease in time spent investigating fraud. Learn more about our artificial intelligence by signing up for a free demo.