According to the Federal Reserve’s latest report, card-present fraud has remained relatively stable in recent years, while card-not-present fraud continues to increase due to the growth of eCommerce and digital transactions. With EMV chip cards now fully adopted in most regions, fraudsters have shifted their efforts online, as these cards make card-present theft significantly more difficult.
Chargeback fraud is more likely in card-not-present transactions because cardholder information is harder to verify. After a consumer receives a product or service, they can claim that they never approved the charge or that they never received the item.
What Is Card Not Present (CNP) Fraud and How Does It Work?
A transaction counts as card-not-present when no physical terminal is used to tap a mobile wallet, swipe a magnetic stripe, or insert an EMV chip. As a result, card-not-present transactions can be made via online forms, mobile apps, or phone calls.
Card-not-present transactions are often misunderstood since many people believe that if a customer is there with their card, the transaction is considered card-present.
Even when the customer has their credit card in hand, the transaction is still regarded as card-not-present if the card information is manually entered into the card terminal. Although the transaction occurred at the point of sale, the card itself never contacted the machine.
CNP fraud occurs any time a fraudster obtains payment information, such as a credit card number, the name and address of a customer, or the three-digit security code on the back of a credit card, and uses it without the physical card.
Massive data breaches, phishing attacks, and credential stuffing have made full account takeovers available for sale on the dark web and Telegram channels. As a result, fraudsters can easily purchase complete sets of stolen credentials. Most of the time, the merchant bears the brunt of the responsibility for fraudulent CNP transactions, and chargebacks are widespread.
Card Not Present Fraud Prevention: Practical Tips to Protect Your Business
Because the merchant, payment service provider, or bank of the victim is usually held liable for CNP fraud, knowing how to protect your business from it is critical. To help you distinguish between legitimate customers and fraudsters, new technologies have been developed.
Amass All of Your Client’s Contact Information
In general, the more information you know about a customer, the better. This is true in the context of credit card fraud prevention, marketing and sales, and the processing of credit card transactions. The same information that lets you confirm user IDs or contest a chargeback can also help you increase upselling, cross-selling, and segmentation.
When it comes to what you should be collecting, the bare minimum is:
- Email address
- Information about the customer's credit card, including the CVV code.
- The mailing address for the payment.
- The IP address of the device that was used to sign in
- Phone number
Account registration, login, and credit card payments are all places to collect this information. If you're looking for a secure and convenient way to request payments from verified users, consider using a payment link.
In addition to following Strong Customer Authentication (SCA) best practices, there is a wealth of additional information available to you. As we’ll see later, user devices, phone numbers, and email addresses can help to weed out rogue actors, or at the very least show that they’re risky customers.
When you have more information about a user, it’s easier to reject card-not-present transactions that could be fraudulent.
Conversions and sales can be negatively affected if there is too much friction in the data collection process.
Enrichment of Data for Fraud Detection
After reading the first suggestion, you might be asking yourself, “How can I acquire additional information without creating friction?” Data enrichment is the solution. Everyone from e-commerce sites to financial institutions is now using these tools, and it’s not hard to see why.
You might think of it as an approach that takes single data points and uses them to compile information from other places throughout the internet. For example, enrichment may reveal that an account’s email address has been used to register for accounts on social media sites such as Facebook. A landline or cell phone number can be checked to see if it’s in the United States or another nation.
With all of that information, anomalies can be detected more easily. The best part is that you don’t have to ask people to complete additional authentication procedures, because the right technologies gather this information quickly.
This approach is effective because it operates silently in the background, enabling fraud prevention teams to assess risk without introducing additional friction for legitimate users. Data enrichment is a significant task, and the most crucial part is finding new, relevant datasets that are both fresh and open source. One way to achieve this is to link an email address to the user’s associated social media profiles, which should be done following GDPR standards.
CNP Data Protection Best Practices
Cardholder information must still be protected even if the card isn’t in front of you at the time. This is required by the PCI Data Security Standard (PCI DSS), which is primarily intended to safeguard every merchant from future CNP fraud attempts (and card-present ones too).
Websites should implement HTTPS with TLS encryption to protect sensitive data such as payment credentials, personal identifiers, and login information. In addition, you should encrypt all of your data, whether it’s being transferred between clients and your website or between your employees.
This practice works because encrypted and protected data is less likely to come into the hands of criminals, which minimises the risk of online payment fraud. Managing cloud-based security infrastructure, continuous monitoring, and incident response can be costly, especially for rapidly scaling businesses. It’s the most frequently stated issue among industry insiders and consultants.
Solutions for Card Not Present Fraud
Businesses can choose from various fraud prevention products, whether they need a complete end-to-end system or only a few specific modules. The points above are ideal, but it’s also a good idea to consider additional safeguards like biometrics, captchas, and one-time passwords.
Using a device fingerprinting module, your fraud manager will be able to examine the hardware and software of a person who visits or transacts on your website.
When a device is fingerprinted, tens of thousands of data points are gathered that can be used to identify potentially harmful individuals. These include:
- Operating system
- VPN and browser information
- Time zone and language
- User agents
- IP address
- HTTP request headers
- Plugins, fonts, and more.
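The sketch below is an added example, not code from the original article or from any vendor's product: it combines the collected data, the enrichment results, and the device fingerprint attributes described above into one risk score by checking whether the signals agree with each other. The field names, weights, thresholds, and sample orders are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Weights and thresholds are constructed for illustration; tune them on your own data.
WEIGHTS = {
    "ip_vs_billing_country": 25,     # IP geolocation differs from billing address
    "phone_vs_billing_country": 15,  # phone number belongs to another country
    "timezone_vs_ip_country": 20,    # device time zone contradicts the IP (proxy hint)
    "vpn_detected": 15,
    "email_without_footprint": 15,   # enrichment found no linked online profiles
    "many_cards_on_device": 30,      # same fingerprint already used with several cards
}
REVIEW_AT, DECLINE_AT, MAX_CARDS_PER_DEVICE = 25, 60, 3

@dataclass
class Order:
    billing_country: str   # collected at checkout
    ip_country: str        # enrichment: IP geolocation
    phone_country: str     # enrichment: phone number lookup
    tz_country: str        # fingerprint: country implied by the device time zone
    vpn: bool              # fingerprint: VPN/proxy indicator
    email_profiles: int    # enrichment: profiles linked to the email address
    cards_on_device: int   # distinct cards already seen with this fingerprint

def fired_signals(o):
    """Names of the consistency checks that this order fails."""
    checks = {
        "ip_vs_billing_country": o.ip_country != o.billing_country,
        "phone_vs_billing_country": o.phone_country != o.billing_country,
        "timezone_vs_ip_country": o.tz_country != o.ip_country,
        "vpn_detected": o.vpn,
        "email_without_footprint": o.email_profiles == 0,
        "many_cards_on_device": o.cards_on_device >= MAX_CARDS_PER_DEVICE,
    }
    return [name for name, hit in checks.items() if hit]

def assess(o):
    """Return (score 0-100, decision, signals that fired) for one order."""
    fired = fired_signals(o)
    score = min(100, sum(WEIGHTS[s] for s in fired))
    decision = "decline" if score >= DECLINE_AT else "review" if score >= REVIEW_AT else "approve"
    return score, decision, fired

# Constructed sample orders (not real data).
LOCAL = Order("US", "US", "US", "US", False, 3, 1)
TRAVELLER = Order("US", "FR", "US", "FR", False, 2, 1)
MISMATCHED = Order("US", "DE", "BR", "BR", True, 0, 6)

if __name__ == "__main__":
    for name, order in [("local", LOCAL), ("traveller", TRAVELLER), ("mismatched", MISMATCHED)]:
        print(name, assess(order))
```

The score uses only non-card signals, so this logic never needs to hold the card number or CVV, which PCI DSS does not allow to be stored after authorization. Returning the list of fired signals alongside the decision gives a reviewer the evidence needed to contest a chargeback or release a held order.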
Final Thoughts on Card Not Present Fraud Protection
The most effective method to avoid CNP fraud is to be well-prepared, well-equipped, and well-versed in the field. No matter how many layers of protection are put in place, fraudsters will find a way to get through. However, a good knowledge of CNP would reduce the cases of fraud.
Frequently asked questions
How Can Merchants Prevent Fraud in Card Not Present Transactions?
By using CVV checks, address verification systems, and biometric verification where applicable.
Which Industries Are Most Impacted by CNP Fraud?
E-commerce, travel, and digital services sectors suffer from the greatest CNP fraud rates.
How Can Dynamic Fraud Scoring Detect and Prevent Card Not Present Fraud?
It reviews transaction trends and computes a risk score, enabling businesses to block or flag suspicious behavior.