Card-not-present (CNP) fraud jumped 33% from 2015 to 2016 as EMV chip cards pushed fraudsters out of physical stores and onto online channels, and U.S. merchants were projected to lose $6.4 billion to it in 2018, with global cumulative losses estimated to top $70 billion over five years. No single filter stops it; retailers detect CNP fraud by layering device fingerprinting, Address Verification Service, velocity checks, and machine-learning scoring on every order. A managed multilayered approach that pairs automated rules with human analyst review catches fraud without blocking good orders.
Good news: E-commerce merchants are successfully making it easier than ever for customers to complete their online transactions. But this can come at a surprising cost: Card-not-present (CNP) fraud rates are increasing, and merchants are bearing the brunt of these losses like never before.
TL;DR: Online retailers detect card-not-present (CNP) fraud by layering multiple signals: device fingerprinting, Address Verification Service (AVS), velocity checks, and machine-learning scoring on every order. No single filter is enough. U.S. merchants were projected to lose $6.4 billion to CNP fraud in 2018 alone, and CNP fraud increased 33% in just one year (2015 to 2016) as EMV chip cards pushed fraudsters from physical stores to online channels. A managed, multilayered approach, combining automated rules with human analyst review, is the most effective way to catch fraud without blocking good orders.
Below, we explore some of the data behind the rise in CNP fraud, so merchants can better understand why these changes are occurring and how they can protect themselves.
Sources: IDology, Experian data
U.S. merchants will lose $6.4 billion in 2018 due to card-not-present fraud, and some experts project cumulative losses will exceed $70 billion globally over the next five years.
Sources: IDology, Juniper Research
By 2022, a new form of fraud called “click-and-collect” will account for a significant percentage of card-not-present fraud losses.
Source: Juniper Research
Growing demand for in-store pickups of online orders. According to a Cisco study, 44% of U.S. consumers want to be able to pick up their online purchases at a physical store. Retailers are bending over backward to meet this demand, offering in-store pickups as quickly as within an hour of purchase.
Online retailers detect CNP fraud by stacking multiple controls on every order: Address Verification Service (AVS) to confirm billing details, device fingerprinting to flag unfamiliar or spoofed devices, velocity checks to catch rapid repeat orders, and machine-learning models that score risk in real time. None of these layers is sufficient alone: 1,093 data breaches in 2016 flooded the black market with card data that passes basic filters easily. The most effective approach combines automated scoring with human analyst review in a managed fraud solution, which reduces both fraud losses and the false declines that cost merchants legitimate revenue.
Learn how our multilayered approach can protect your business and help you safely grow your online sales. Talk with a ClearSale credit card fraud analyst today.
Retailers detect CNP fraud by combining multiple signals on each transaction: Address Verification Service (AVS) to match the billing address on file, device fingerprinting to flag unfamiliar or spoofed devices, velocity checks to catch rapid repeat orders, and machine-learning models that score risk based on hundreds of behavioral and historical signals. A single filter is rarely enough, a managed, multilayered approach is the industry standard.
Card-not-present (CNP) fraud occurs when a stolen card number is used for a transaction where the physical card is not presented, most commonly online purchases, phone orders, or buy-online-pickup-in-store orders. Because the merchant cannot verify the physical card, identity validation falls entirely on digital signals, which makes CNP the primary fraud channel for e-commerce.
CNP fraud rose 33% from 2015 to 2016, driven by two forces: EMV chip cards made in-person card fraud significantly harder, so fraudsters migrated to online channels; and data breaches surged (1,093 breaches in 2016, a 40% increase from 2015 per the Identity Theft Resource Center), flooding the black market with usable card data.
U.S. merchants were projected to lose $6.4 billion in 2018 due to CNP fraud, according to Juniper Research. Globally, cumulative losses were projected to exceed $70 billion over the following five years. Merchants absorb most of those losses directly through chargebacks because fraud liability in CNP transactions typically falls on the merchant, not the card issuer.
No. AVS checks whether the billing address the shopper provides matches the address on file with the card issuer, which catches some stolen-card attempts. But fraudsters who obtain full card data from breaches often have the billing address too, so AVS alone produces both false positives (blocking good customers) and false negatives (passing fraud). It works best as one layer in a broader detection stack.
Click-and-collect fraud happens when a fraudster uses a stolen card to buy online and picks up the order in person, where many stores do not require ID or card re-verification at pickup. Retailers detect it by flagging orders where the shipping address is a store location combined with a high-risk billing address, a new account, or an unusual device, then requiring staff to verify ID at pickup.
A managed fraud solution combines automated scoring rules with human analyst review to evaluate orders a machine alone would incorrectly block or approve. Simple rule-based filters catch only known patterns and generate high false-decline rates, which cost merchants good revenue. A managed approach applies machine learning and human expertise together, reducing both fraud losses and unnecessary declines.
3D Secure 2.0 (3DS2) shifts chargeback liability from the merchant to the card issuer when the issuer authenticates the transaction. When a transaction passes 3DS2 authentication, the merchant is not liable for that chargeback. However, 3DS2 is not universally implemented, and fraudsters increasingly target channels and merchants where it is absent, so it reduces but does not eliminate merchant exposure.