Card-not-present (CNP) transactions are widely accepted, but they pose significant risks. As FICO reports, CNP fraud is projected to reach $49 billion globally by 2030. With that in mind, it’s essential for merchants to understand what CNP fraud is, how it works, and how they can detect and prevent it. Let’s take a look below.
Key Takeaways
- Card-not-present fraud happens when an unauthorized individual gets hold of a cardholder’s credentials and makes fraudulent purchases using that payment information.
- CNP fraud detection is more difficult without the physical card, making it harder for merchants to verify transaction legitimacy.
- Cybercriminals employ a variety of techniques, such as skimming, phishing, and data breaches, to illegally obtain credit card details and use them to make unauthorized purchases through CNP transactions.
- CNP fraud can significantly affect a merchant’s bottom line; robust security measures and due diligence in transaction and identity checks can help curb it.
What Is Card-Not-Present (CNP) Fraud?
As the name suggests, card-not-present fraud happens when an unauthorized individual (or scammer) somehow gets hold of a cardholder’s credentials—name, card number, billing address, CVC / CVV number, card expiration date, and makes fraudulent purchases using that payment information.
This type of fraud is associated explicitly with card-not-present transactions, since the scammer does not use the actual physical card to make purchases. CNP fraud detection is more difficult without the physical card. Without the card on hand, it’s harder for merchants to verify the transaction’s legitimacy.
What Is a Card-Not-Present Transaction?
A card-not-present transaction is one where neither the cardholder nor the actual card is present at the point of sale. The payment is completed using only the cardholder’s payment information (e.g., card number, CVV, expiration date, etc.). This is in direct contrast to card-present (CP) transactions, where payments are completed by swiping, tapping, or dipping the physical card at a payment terminal.
Common Examples of CNP Transactions
Here are some examples of scenarios where CNP transactions are pretty standard:
- Online eCommerce purchases. Transactions where a customer purchases a product or service through the merchant’s website or eCommerce platform, or uses a payment link to pay. In such cases, the customer simply needs to enter their payment information online.
- Mobile app payments. Transactions where a customer loads their payment information onto payment apps or digital wallets (Apple Pay, Google Pay, etc.) and then uses them to make purchases.
- Subscription billing. Transactions in which a customer enters their card information to purchase a recurring subscription (gym membership, streaming services, etc.), which is then stored in the system so that payments can be automatically deducted at previously agreed-upon intervals.
- Phone and mail orders (MOTO). Transactions in which a customer enters their payment information on a physical form and mails it to the business, or shares it over the phone with a sales associate to place an order, are known as mail-order / telephone-order (MOTO) payments.
- Digital goods and services. Transactions where a customer pays for digital products or services (e.g., software, online games) by entering their card details online.
How Card-Not-Present Fraud Works
Scammers and cybercriminals employ a variety of different techniques to illegally obtain credit card details of legitimate cardholders and use them to make unauthorized purchases through CNP transactions.
This type of fraud not only affects customers but also merchants, as customers are likely to dispute unauthorized charges, leading to chargebacks. This means the business loses the sale value, plus the chargeback (and any applicable chargeback fees).
How Fraudsters Get Card Data
The following are some of the main ways that fraudsters get access to card information:
- Skimming — Scammers may install card-skimming devices on payment terminals or ATMs that capture card information automatically when an unsuspecting customer swipes, dips, or taps their card. Stolen card data from skimming can later be used for CNP fraud.
- Phishing — Fraudsters may employ psychological manipulation to trick unsuspecting customers into revealing their payment information through fake calls, emails, or messages.
- Data breaches — Fraudsters may cause security breaches on bank or merchant websites/databases to obtain cardholder data in bulk.
- Spyware — Scammers may trick cardholders into downloading malware onto their devices, which is designed to automatically monitor a user’s online activity and capture sensitive information such as passwords and payment details.
- Public WiFi networks. Fraudsters may even monitor public WiFi networks to obtain sensitive payment information from unsuspecting users.
Why CNP Fraud Is Harder to Detect Than In-Person Fraud
CNP fraud detection is more complex than in-person fraud detection because CNP transactions can be carried out remotely, without a physical card. In-person transactions allow for additional security checks such as chip-and-PIN, signature, or photo identity verification to safeguard against fraud. In contrast, CNP transactions require only your payment information, making it harder for merchants to detect fraud.
Types of Card-Not-Present Fraud
Card-not-present fraud prevention can become easier once you understand the various ways it can show up. Here are some common examples of it:
- Stolen card data fraud. One of the simplest types of CNP fraud is when fraudsters steal card information through any of the means discussed earlier (e.g., malware, phishing, data breaches) and use it to make unauthorized online purchases.
- Account takeover (ATO). Sometimes, cybercriminals may steal credentials to someone’s bank accounts, retail accounts, social media accounts, email accounts, etc. Then, once the bad actor gained access to an account, they would change the credentials so that the legitimate user was locked out. Fraudsters do so to steal personal data, funds, loyalty points, etc.
- Friendly fraud. A type of first-party fraud that occurs when a legitimate cardholder disputes a valid transaction with their bank. This may happen because they don’t recognize the charge, forgot about the purchase, experienced buyer’s remorse, or intentionally attempt to avoid paying. Even though the transaction was authorized, the merchant can lose the product and the revenue and incur chargeback fees.
- Subscription and recurring payment fraud. Scammers often use stolen card information to purchase subscriptions (magazines, newspapers, streaming services, etc.), which can go unnoticed for a long time.
- Digital goods and instant fulfillment fraud. Digital goods such as gift cards, game keys, software, and more are delivered instantly after purchase. Often, fraudsters will purchase them using stolen card data and resell or redeem them immediately, mimicking legitimate customers.
Why CNP Fraud Is a Serious Issue for Merchants
CNP fraud can significantly affect a merchant’s bottom line. First, when the cardholder realizes the unauthorized charge on their card, they will request a chargeback with their card-issuing bank. For CNP transactions in the U.S., merchants typically bear the cost of chargebacks, whereas in many card-present transactions, the issuing bank absorbs the loss.
Not only do merchants lose the sale proceeds and the product or service sold, but they may also have to pay an extra fee if their chargeback rate is too high. What’s more, a high chargeback rate can damage their reputation. Customers are likely to take their business elsewhere if they frequently fall victim to CNP fraud.
How Prevalent Is Card-Not-Present Fraud?
With the increasing popularity of eCommerce and mobile payments, card-not-present fraud has become more common than you think. Here are some alarming statistics from a 2024 Mastercard report:
- CNP fraud losses in the US are estimated to reach $12.87 billion by 2026.
- The total monetary value of chargebacks in the U.S. is projected to reach $15.3 billion by 2026.
- Among digital goods merchants, friendly fraud accounts for approximately 75% of fraud cases.
How Merchants Can Prevent Card-Not-Present Fraud
CNP fraud detection and prevention can be tricky because technology is constantly evolving, and fraudsters keep pace. However, the following best practices can help merchants to a large extent.
Transaction and Identity Verification
- Card verification value (CVV) codes are 3-digit numbers that appear on the back of most cards (Visa, Mastercard, and Discover). For American Express, these are 4-digit codes that appear on the front of the card.
- One of the simplest CNP fraud prevention measures that merchants can implement is to make this information mandatory for all CNP transactions. While it’s not foolproof, it’s unlikely fraudsters will have access to this information unless they have the physical card.
- Merchants should also use an address verification system (AVS) to verify that the billing information entered at the time of payment matches the information on file. This can add another layer of security to CNP transactions.
Authentication and Step-Up Controls
- Merchants should also consider 3D Secure (3DS) or other forms of strong customer authentication (SCA) protocols to prevent CNP fraud. These protocols require customers to verify their identity using methods such as one-time passwords (OTP) or biometric authentication (fingerprint or facial recognition) within the banking or wallet app.
- Further, techniques such as tokenization and encryption can ensure that sensitive payment data is replaced by a sequence of unique, random numbers (a token) or a code when transmitted or stored within the merchant’s payment ecosystem. Even if fraudsters obtain such information, it becomes useless, thereby preventing CNP fraud.
Risk Controls and Monitoring
- Merchants should also comply with PCI DSS and employ robust risk-monitoring systems capable of detecting suspicious activity through device data, IP traffic, and transaction pattern analysis. Choosing a payment provider that offers all of this is a simple and easy way to safeguard your business against CNP fraud.
- The right setup catches suspicious behavior while still letting trusted customers move through checkout smoothly.
CNP Fraud Detection: Identifying Risk Without Blocking Good Customers
The most well-executed CNP fraud detection systems don’t just stop bad actors; they do it without blocking good customers. You must be able to spot real risk signals while keeping checkout fast and friction-light. Here’s how smart merchants do it:
- Using risk scoring to flag high-risk orders instead of reviewing everything
- Watching for mismatched billing and shipping details
- Monitoring IP location vs. delivery address inconsistencies
- Setting velocity rules for repeat attempts or rapid-fire purchases
- Reviewing unusually large digital goods or gift card orders manually
The right setup catches suspicious behavior while still letting trusted customers move through checkout smoothly.
Choosing a CNP Fraud Solution
CNP fraud prevention requires robust security measures and due diligence around transaction and identity checks. For small businesses, this can sound like a lot of overhead and complexity, but it doesn’t have to be. When you partner with Kurv, you get access to its suite of PCI-compliant payment processing solutions that already include chargeback prevention and fraud protection. To learn how to safeguard your CNP transactions, contact us today.
Ready to Grow Your Business?
Apply and start accepting payments within a day
Frequently Asked Questions
Is CNP fraud illegal?
Yes. Card-not-present (CNP) fraud is illegal. It involves using stolen credit or debit card information to make purchases without the physical card or cardholder present, which constitutes theft and financial fraud. Depending on the jurisdiction and the severity of the offense, CNP fraud can result in criminal charges, fines, and imprisonment.
Who is liable for CNP fraud?
In most cases, the cardholder is not financially liable for fraudulent CNP transactions, provided they report the fraud promptly.
Under card network rules (e.g., Visa, Mastercard, AmEx), liability for CNP fraud typically falls on the merchant, because there is no physical card verification (like chip-and-PIN). If a transaction results in a chargeback due to fraud, the merchant generally absorbs costs such as the refunded amount, chargeback fees, and potential penalties if fraud rates are high. Payment processors and issuing banks play roles in dispute resolution, but merchants usually bear the direct financial loss.
Can CNP fraud be fully prevented?
No. CNP fraud cannot be entirely eliminated, but it can be significantly reduced. Because online and remote transactions don’t involve physical card authentication, they inherently carry more risk. However, businesses can dramatically reduce exposure by implementing AVS, CVV verification, tokenization, encryption, and other fraud-detection tools.
Is CNP fraud increasing?
Yes. CNP fraud has increased in recent years as eCommerce and digital payments continue to grow. As more transactions move online, fraud has shifted away from card-present (in-store) fraud toward digital channels. Fraudsters tend to follow opportunity, and remote transactions present fewer physical verification barriers. While chip-enabled cards significantly reduced in-store fraud, the fraud risk migrated to online and phone-based transactions.
How can small businesses reduce CNP fraud?
Small businesses can reduce CNP fraud by combining technology, policies, and monitoring. SMBs can enable AVS and CVV checks for all transactions, use 3D Secure for higher-risk orders, and monitor for mismatches between billing and shipping addresses.
They can also set transaction limits or velocity rules and require strong customer authentication for large purchases. Updating your billing descriptor to something that clearly identifies your business can help, too. Also, be sure to work with a payment provider that offers built-in fraud tools.
Is CNP fraud more common than in-store fraud?
Yes. CNP fraud is generally more common than card-present (in-store) fraud. The adoption of EMV chip technology has significantly reduced in-store counterfeit card fraud. However, since CNP transactions don’t require a physical card or chip authentication, fraudsters increasingly target online, mobile, and phone orders instead. As digital commerce expands, CNP fraud accounts for a larger share of total payment fraud losses.
