Clearsale Blog | Insights on Ecommerce and fraud

Card-Not-Present Fraud Is Skyrocketing

Written by Sarah Elizabeth | Oct 27, 2017
TL;DR

Card-not-present (CNP) fraud jumped 33% from 2015 to 2016 as EMV chip cards pushed fraudsters out of physical stores and onto online channels, and U.S. merchants were projected to lose $6.4 billion to it in 2018, with global cumulative losses estimated to top $70 billion over five years. No single filter stops it; retailers detect CNP fraud by layering device fingerprinting, Address Verification Service, velocity checks, and machine-learning scoring on every order. A managed multilayered approach that pairs automated rules with human analyst review catches fraud without blocking good orders.

Good news: E-commerce merchants are successfully making it easier than ever for customers to complete their online transactions. But this can come at a surprising cost: Card-not-present (CNP) fraud rates are increasing, and merchants are bearing the brunt of these losses like never before.

TL;DR: Online retailers detect card-not-present (CNP) fraud by layering multiple signals: device fingerprinting, Address Verification Service (AVS), velocity checks, and machine-learning scoring on every order. No single filter is enough. U.S. merchants were projected to lose $6.4 billion to CNP fraud in 2018 alone, and CNP fraud increased 33% in just one year (2015 to 2016) as EMV chip cards pushed fraudsters from physical stores to online channels. A managed, multilayered approach, combining automated rules with human analyst review, is the most effective way to catch fraud without blocking good orders.

Below, we explore some of the data behind the rise in CNP fraud, so merchants can better understand why these changes are occurring and how they can protect themselves.

Card-not-present fraud increased by 33% from 2015 to 2016 – and will continue to rise in the near future.

Sources: IDology, Experian data

Reasons Why:

  • Abundance of credit card data on the black market. There were 1,093 data breaches in 2016 — a record year and a 40% increase from 2015, according to the Identity Theft Resource Center. With so much sensitive data readily available, and given the difficulty merchants face when attempting to validate a consumer’s identity online, e-commerce provides fraudsters with the perfect opportunity for theft.
  • Chip cards have limited the opportunity for fraud in in-person transactions. The tighter security of EMV (chip) cards has decreased the rate of in-person credit card fraud. As a result, fraudsters have migrated to other, less secure commerce channels (like online sales).

U.S. merchants will lose $6.4 billion in 2018 due to card-not-present fraud, and some experts project cumulative losses will exceed $70 billion globally over the next five years.

Sources: IDology, Juniper Research

Reasons Why:

  • Delayed rollout of 3D Secure 2.0. Although this change will eventually shift the burden of fraud responsibility from the merchant to the card issuer, it has not fully been implemented yet – and as a result, merchants are still on the hook for most chargebacks.
  • Increase in in-store returns. Fraudsters are increasingly making fraudulent purchases online and returning the merchandise in a brick-and-mortar store, where identification is rarely required for returns.

By 2022, a new form of fraud called “click-and-collect” will account for a significant percentage of card-not-present fraud losses.
Source: Juniper Research

Reasons Why:

Growing demand for in-store pickups of online orders. According to a Cisco study, 44% of U.S. consumers want to be able to pick up their online purchases at a physical store. Retailers are bending over backward to meet this demand, offering in-store pickups as quickly as within an hour of purchase.

  • Identities are often not verified for these pickups. Customers choosing this option typically don’t have to provide a shipping address, which makes it harder for the merchant to validate the transaction at the point of sale. Additionally, upon pickup, many stores don’t require customers to present an ID or to re-swipe the credit card used for the purchase. This lack of security exposes merchants to higher CNP fraud levels.

How Merchants Can Combat Card-Not-Present Fraud

Online retailers detect CNP fraud by stacking multiple controls on every order: Address Verification Service (AVS) to confirm billing details, device fingerprinting to flag unfamiliar or spoofed devices, velocity checks to catch rapid repeat orders, and machine-learning models that score risk in real time. None of these layers is sufficient alone: 1,093 data breaches in 2016 flooded the black market with card data that passes basic filters easily. The most effective approach combines automated scoring with human analyst review in a managed fraud solution, which reduces both fraud losses and the false declines that cost merchants legitimate revenue.

Learn how our multilayered approach can protect your business and help you safely grow your online sales. Talk with a ClearSale credit card fraud analyst today.

 

Frequently Asked Questions about Card-Not-Present Fraud

How do online retailers detect card-not-present fraud?

Retailers detect CNP fraud by combining multiple signals on each transaction: Address Verification Service (AVS) to match the billing address on file, device fingerprinting to flag unfamiliar or spoofed devices, velocity checks to catch rapid repeat orders, and machine-learning models that score risk based on hundreds of behavioral and historical signals. A single filter is rarely enough, a managed, multilayered approach is the industry standard.

What is card-not-present fraud?

Card-not-present (CNP) fraud occurs when a stolen card number is used for a transaction where the physical card is not presented, most commonly online purchases, phone orders, or buy-online-pickup-in-store orders. Because the merchant cannot verify the physical card, identity validation falls entirely on digital signals, which makes CNP the primary fraud channel for e-commerce.

Why has CNP fraud increased so sharply?

CNP fraud rose 33% from 2015 to 2016, driven by two forces: EMV chip cards made in-person card fraud significantly harder, so fraudsters migrated to online channels; and data breaches surged (1,093 breaches in 2016, a 40% increase from 2015 per the Identity Theft Resource Center), flooding the black market with usable card data.

How much do U.S. merchants lose to CNP fraud each year?

U.S. merchants were projected to lose $6.4 billion in 2018 due to CNP fraud, according to Juniper Research. Globally, cumulative losses were projected to exceed $70 billion over the following five years. Merchants absorb most of those losses directly through chargebacks because fraud liability in CNP transactions typically falls on the merchant, not the card issuer.

Does Address Verification Service (AVS) stop CNP fraud on its own?

No. AVS checks whether the billing address the shopper provides matches the address on file with the card issuer, which catches some stolen-card attempts. But fraudsters who obtain full card data from breaches often have the billing address too, so AVS alone produces both false positives (blocking good customers) and false negatives (passing fraud). It works best as one layer in a broader detection stack.

What is click-and-collect fraud and how is it detected?

Click-and-collect fraud happens when a fraudster uses a stolen card to buy online and picks up the order in person, where many stores do not require ID or card re-verification at pickup. Retailers detect it by flagging orders where the shipping address is a store location combined with a high-risk billing address, a new account, or an unusual device, then requiring staff to verify ID at pickup.

What is a managed fraud solution and why do merchants need one?

A managed fraud solution combines automated scoring rules with human analyst review to evaluate orders a machine alone would incorrectly block or approve. Simple rule-based filters catch only known patterns and generate high false-decline rates, which cost merchants good revenue. A managed approach applies machine learning and human expertise together, reducing both fraud losses and unnecessary declines.

How does 3D Secure 2.0 affect CNP fraud liability for merchants?

3D Secure 2.0 (3DS2) shifts chargeback liability from the merchant to the card issuer when the issuer authenticates the transaction. When a transaction passes 3DS2 authentication, the merchant is not liable for that chargeback. However, 3DS2 is not universally implemented, and fraudsters increasingly target channels and merchants where it is absent, so it reduces but does not eliminate merchant exposure.