Can Merchants Reject Every Transaction that Fails a Security Check?

Not always. It depends on the security check. For example, blocklisted accounts can’t be accepted because they consist of known bad actors who constantly abuse the system. However, in low-risk situations, like not passing a two-factor authentication on the first attempt, over-blocking can hurt conversions and customer experience. That’s why many merchants use a risk-based approach : automatically block high-risk ones, review medium-risk ones, and allow low-risk ones.

What are Some Warning Signs of Card-Not-Present (CNP) Fraud?

There are signs of suspicious activity that’s often linked to CNP fraud, for example: Billing address and IP/geolocation mismatch Repeated declines or authorization failures Unusually large orders from new customers Multiple transactions from the same card in a short time period

How Effective is 3D Secure (3DS) in Reducing CNP Fraud?

It’s considered an effective payment fraud prevention measure. That’s because 3D Secure adds an extra verification layer (for example, by sending a one-time passcode or triggering biometric authentication ). It helps verify that the cardholder is genuine and that the card actually belongs to them. The term “3D” comes from the fact that this method consists of three domains: the cardholder’s bank, the merchant’s bank, and the card network.

What Kind of Data Do Fraudsters Use to Commit CNP Fraud?

Commonly stolen data for card-not-present fraud includes details like: Card number Expiration date Billing address Cardholder name CVV code Bad actors often obtain this information without accessing the physical card. That’s why, without verification and monitoring, CNP fraud is hard to spot.

Should Cmall Businesses Care About CNP Fraud, Even if They Do Mostly In-Person Sales?

Yes. As online sales grow, or if you plan to accept more online payments in the near future, CNP fraud risk becomes relevant. It’s good to have safeguards early and adapt to trends beforehand as a way to optimize internal business processes and reduce related risks, like minimizing chargebacks.

What is Card-Not-Present (CNP) Fraud? [5 Detection Tips]

A card-not-present (CNP) transaction is a term that is pretty self-explanatory from first glance — a transaction where the person makes a card payment without having the physical card with them. Unlike standard, card-present, or in-person payments, there isn’t a card that is physically swiped in a store. This makes CNP a good technology and even a better channel for fraud. The convenience of making purchases has made a huge shift in e-commerce; however, merchants now need to know how to deal with CNP-related fraud, determining whether the card being used is being used by its rightful owner.

For that, there are special AI tools, identity verification systems, and monitoring solutions. We’ll explain in a more detailed manner how to spot and prevent card-not-present (CNP) fraud and ensure security through concrete examples and tips for businesses.

What is a Card-Not-Present (CNP) Transaction?

A card-not-present (CNP) transaction is a payment that happens when neither the customer nor their card is physically present at the checkout. All transactions that happen online or remotely, for example, on an online platform or through the phone, are considered CNP. Otherwise, for the payment to qualify as “card-present”, there must be a physical card reader.

For example, even if a customer is physically present and provides their card for another person so that they can manually input the required information on their behalf, the transaction would be categorized as card-not-present.

Examples of Card-Not-Present Transactions

Digital technologies and the use of the internet have made card-not-present transactions the go-to method for purchasing items or services.

So, some of the most popular examples of CNP transactions include:

Online banking (logging into the bank’s dashboard to make a transaction)
E-commerce store (entering payment card details when buying from an online store)
Card-on-file (using pre-saved card details for subscriptions or other recurring payments)
Online invoices (using an online system and your card to pay an invoice)
Mail orders (sending card details to order through the mail)
Phone purchases (sharing details with a seller and finalizing a purchase via the phone)

An infographic summarizing what a CNP transaction is and listing six examples of it.

All online platforms that have online shopping carts, “Buy” buttons, and electronic invoicing are considered to be CNP payments. This provides evidence that the card was used to finalize and authorize the payment. Additionally, all methods allow customers to buy and finalize their payments without having to actually visit a physical store or a banking branch.

What is the Biggest Difference Between Card-Present and Card-Not-Present?

If electronic data is captured at the point of sale (for example, by swiping a card or making a contactless payment through a digital wallet, such as Apple Pay), it’s considered to be a card-present payment. Other methods are considered card-not-present transactions.

For example, a card-present transaction can be done via a card, for example, a card reader that connects to smartphones, and any other POS systems that use card readers, while a card-not-present payment can be done using a payment app that doesn’t use a card reader or through subscription billing.

What is Card-Not-Present Fraud?

Card-not-present fraud is a type of credit card fraud that occurs when the fraudster steals card information and doesn’t use the card in person, but rather makes an online purchase or a phone transaction, aka the card details are only provided without physically possessing the credit card.

In this sense, CNP fraud occurs when criminals can access personal information and steal payment details, like:

The cardholder’s name
Their billing address
Account number
Expiration date
CVV code

Due to the majorly popularity that online shopping has gained recently, it’s harder for businesses to detect this type of fraud.

Infographic listing eight risks linked to CNP transactions.

Businesses often process thousands of transactions at the same time, making it harder to spot suspicious activity. Generally, CNP fraud is harder to detect because the business can’t physically inspect the card or determine if the cardholder is real. For example, you can’t see the warning signs so easily, such as missing security features and other red flags. As a result, merchants use stronger verification methods, such as selfie verification or address verification, including other standard checks, such as requiring the entry of the CVV number to confirm that you have the card with you.

Why Do CNP Transactions Pose Fraud Risks?

Card-not-present transactions are a good channel for fraud because there are a lot of ways criminals utilize them to benefit financially. For example, CNP fraud can happen when the criminal accesses a cardholder’s information, such as their CVV code, card number, and expiry date, and then uses this data to make unauthorized purchases.

CNP transactions harm both customers and businesses. That’s because:

Businesses lose revenue when transactions are disputed and need to be refunded.
Customers lose trust and need to deal with unauthorized charges.

There are additional chargeback protection programs for higher-risk merchants; however, the issue is that chargebacks almost always lead to extra fees and losses linked to lost goods or provided services without actual payment.

What are the Most Common Types of Card-Not-Present-Fraud?

Criminals commit CNP fraud and steal card details with the one and only goal: to make purchases at the cardholder’s expense.

Infographic summarising four ways criminals get data for CNP fraud.

This can happen using various types of deceptive practices, for example:

Friendly fraud. This happens when a customer purchases an item but files a chargeback on purpose to keep both the item and get a refund for it. To succeed, they claim the item arrived damaged, for example, or the shipping company lost it.
Phishing. This happens when a fraudster creates a fake website or a fake profile posing as another legitimate company or its official support representative as a way to trick people into sending them their card information, often through a link.
Application fraud. This happens when a criminal uses a fake or stolen identity, including synthetic identity fraud, to apply for new payment cards. They then use it for unauthorized transactions.
Triangulation fraud. This happens when a criminal uses a fake online store as a front, then uses stolen card information to buy goods from real merchants to complete the orders made on the fake store. What happens next is that the true cardholder disputes their transaction, and the legitimate merchant is left to deal with the losses.

How Much Does it Cost to Process Card-Not-Present Payments?

For businesses, processing card-not-present payments comes with extra challenges and fees due to assessment fees charged by card brands, interchange fees, the payment provider’s markup, and other costs linked to PCI DSS compliance. Typically, CNP transactions cost more because they pose a bigger risk of fraud.

That’s why the interchange fees are also higher since chargeback fraud is more likely to happen here compared to card-present and in-person payments.

PCI DSS compliance consists of rules, also known as PCI Data Security Standards (PCI DSS), set by the PCI Security Standards Council, which organizations must follow to process card payments securely. The main goal is for merchants to have high security standards for storing credit card information and reducing the risk of stolen data, unauthorized transactions and identity theft.

These are the main requirements for merchants:

Use firewalls to prevent unauthorized access.
Set strong passwords for all devices and update them regularly.
Encrypt cardholder data with secure algorithms and encryption keys.
Forward cardholder data only to trusted locations, and always encrypt it in transit.
Install antivirus software on all relevant devices.
Keep all devices updated, including software.
Restrict access to cardholder data and allow access to only those who need it.
Assign unique IDs to everyone with access to cardholder data.
Use secure physical locations to store cardholder data.
Log and monitor all access to cardholder data.
Regularly test software, systems, and employees for security gaps.
Maintain clear documentation of all equipment, software, and staff who can access cardholder data.

Related: Payments Compliance Explained

How to Detect and Verify Card-Not-Present Transactions?

The biggest issue and security challenge that comes with card-not-present payments is that neither the cardholder nor the card itself is present during the purchase. For this reason, it’s difficult for companies to detect fraud and verify the real cardholder without adding unnecessary friction to the checkout process. For example, if different windows open or redirect the user to extra security checks without prior explanation, the user would most likely drop off and leave their cart without completing the transaction.

Common effective measures for verifying CNP transactions include:

1. Blocklists

This includes known bad actors and fraudulent accounts that are added and blocked from making purchases on the platform. For example, iDenfy’s ID verification software also carries this feature, offering custom blocklists with logged names and biometric data of common fraudsters who try to bypass identity verification checks, for example, in cases when they are triggered before a large transaction that reaches a certain threshold.

2. Card Verification Numbers (CVN)

The three or four security digits on the back of the card help verify if the buyer has their card in hand and help prevent CNP fraud when the user is asked to submit these details. This is a very popular method for detecting fraud and preventing unauthorized transactions. For clients, the CVN check is a familiar process, which is always a good factor as well in terms of trust and user experience.

3. ID Document Checks

Apart from two-factor authentication that can be implemented using automatically sent OTPs to the user’s device, for example, like SMS verification sent to the user’s phone number, some online platforms add extra identity verification measures, such as ID document checks, where they ask the cardholder to capture their ID document (ID card, passport, or driver’s license, for example).

The system then automatically extracts personal information, verifying if the person is real and isn’t using a stolen or forged document. To maintain a good user experience, this option is best in high-risk situations, when the platform’s monitoring system detects suspicious behavior, such as an unusual login to a marketplace from a suspicious IP address, or a high-value transaction, which is also atypical of the buyer’s shopping history.

4. Address Verification System (AVS)

This is a fraud detection tool that compares the cardholder’s address in the system via the card-issuing bank with the one provided during checkout. Often, the street address and the postal or zip code are cross-checked to see if there’s a match. If not, the transaction is declined as a way to prevent CNP fraud, such as a chargeback.

5. Bank Verification

Bank verification helps confirm that the person is using a valid bank account that actually belongs to them, ensuring that the account holder is a legitimate customer, not a fraudster trying to finalize an unauthorized transaction. While financial institutions, such as loan service providers, use this method to check if the person has sufficient funds or is eligible for a loan, for example, all online shops and marketplaces can also use this method to ensure that the account is valid and legitimate. That’s why bank verification helps better assess client risk profiles based on factors like transaction history and grade them from low to high risk when assessing their financial health.

It’s also beneficial to check if the user provides a valid bank account so that the funds from their online wallet can be transferred to the right account. In terms of KYC compliance, bank account verification services, like iDenfy, help automatically extract identity data (such as name, surname, IBAN, and other banking details) from the account holder’s bank directly via open banking technology without damaging the end-user experience. This adds a second layer of security since standard KYC details are cross-checked with the bank’s information.

Extra Useful Tips to Process CNP Transactions Safely

There are other useful ways to prevent fraud and ensure safety around card-not-present transactions, for example:

Use digital invoices, especially if you deal with purchases over the phone.
Set maximum purchase amounts and daily spending thresholds; otherwise, if the limit is reached, add extra checks, such as identity or bank account verification.
Monitor transactions and AML red flags, such as how many attempts to buy are made within a short period of time. This can indicate fraud.
Use proof of address (PoA) verification and trigger utility bill checks, for example, if the compared cardholder’s address doesn’t match their IP or device location.
Add two-factor authentication via email verification or similar methods to avoid non-compliance with regulations like PSD2 in the EU.
Ensure secure data storage by safeguarding users’ card details. Enable the option to pre-save card information for future purchase and faster checkouts or recurring payments, such as subscriptions.

Other simple processes, like using educational newsletters or blog posts on your website about the most common techniques that are used to scam users, are vital. For example, simple guidance like informing clients not to share card details over text or email already helps. Additionally, you should always work with trusted third parties, including payment service providers and fraud prevention service providers. This helps build an automated, built-in strategy that automatically flags suspicious transactions or clients trying to abuse your system.

Stopping CNP Fraud with iDenfy

At iDenfy, we specialize in payments compliance and offer multiple verification, screening and ongoing monitoring services to ensure that the account holder is protected from fraud throughout their whole business relationship.

For example, you can use our no-code ID verification solution, Magic Link, and add it to your website to verify clients, enabling quicker payments without the hassle of building and implementing KYC solutions from scratch. Other seamlessly integrated options, especially beneficial for age verification if you’re offering age-restricted items or services, are our API solutions, such as our Shopify app.

See the full integrations list, and feel free to connect with us through a quick demo.