CNP (card-not-present) fraud is a big deal in the payments industry. A lingering threat and a very real possibility, the eCommerce industry is at stake. According to a white paper from the Smart Card Alliance, U.S. eCommerce sales estimates for 2015 sit between 299-339 billion dollars. As more people shop online (the most common CNP transaction form), the risk of fraud will increase.

What is CNP fraud?

CNP fraud means that someone uses any of these pieces of information in an unauthorized manner: credit or debit card number, security code, or cardholder’s address to purchase something in a card-not-present setting.

A card-not-present setting occurs when the situation is not face-to-face. For example, physical POS sales at a store register are card-present. They happen face-to-face. A customer makes a purchase and the card is present at the time of the transaction, usually at the merchant’s location. On the other hand, when a CNP purchase is made, the merchant does not come into contact with the card. This happens with mail-in transactions, transactions handled over the phone, and online transactions.

CNP fraud is responsible for about 16% of total fraud losses, according to a 2010 Aite report illustrated within the Smart Card Alliance document.

Who is responsible?

From Accertify’s white paper, when someone uses a card in an unauthorized manner in the United States, the consumer’s exposure is limited to $50 in losses. In card-present scenarios, the liability falls typically on the card issuer. But in CNP scenarios, the liability is always on the merchant. If the card is fraudulent, that means the merchant will be responsible for the full value of the unauthorized purchase. Ouch.

Three Ways to Beat It

But what can a merchant do?

Identity Authentication

There are three factors of authentication: 1) an ownership factor (the person has the credit card, for example); 2) a knowledge factor (the person knows their PIN or security code, for example); and 3) an inherence factor (the person can do something, such as pass a fingerprint scan, for example).

Smart CNP fraud solutions include combinations of these factors, never just one alone. You will want to build a solution that includes several methods.


We’ve talked about how this can help before. And if you don’t know what it is, you can visit our Payment Basics post to learn more about the nuts and bolts. To summarize quickly, tokenization assigns a benign and non-decryptable value in place of the sensitive card data. This dummy value is called a token. These tokens are used during transactions after authorization, keeping the real card data safely in a server. If criminals wish to try and dive into the process, grabbing card information, they will find a bunch of worthless tokens.

Data from Devices

You can also combat CNP fraud from enlisting a little help from the devices your customers are using. Monitoring IP addresses, digital fingerprints, and device locations are just three examples of data you can capture about your customers that can help you isolate problem areas. Maybe you will notice certain trends based on places, time periods, and other habits. These particular ideas come from Verifi’s article on CNP fraud.

CNP fraud is a growing concern for every merchant. These tips can help you get started in the fight against it, but keep your eyes open. Advances in technology on both sides of the war mean there’s always more to learn.

Any insights into CNP fraud tips, tricks, or troubles? Share them with us in the comments and follow us on Twitter.

Photo credit: EDrost88

Related Posts

PIN on Glass for Mobile Payments
PIN on Glass: The Next Movement in Mobile Payments
How Merchants Can Protect Themselves from Credit Card Skimming
Time’s Getting Short to Prep for Post-EMV Online Fraud

Leave a Reply