How to protect your business from CNP fraud in 2023

Tags: Fraud prevention, CNP fraud

Leveraging eCommerce for 24/7 sales anywhere in the world has positioned online marketplaces for accelerated growth. But with growth comes heightened risk of card-not-present (CNP) fraud.

Criminals are gaining access to sensitive online data through phishing, skimming and hacking. According to a recent study, every $1 of fraud costs eCommerce merchants $3.75, up nearly 20% from 2019. 

Many merchants are adopting measures to detect and prevent CNP fraud to protect their business and bottom line.

When a payment becomes a charge-back

From the consumer’s point of view, an online transaction seems fairly straightforward: The consumer provides personal and credit card information and receives transaction confirmation. However, on the back end, there’s a complex payment process designed to mitigate risk. 

There are typically six layers in that process:

  • The merchant’s bank 
  • Merchant account 
  • The consumer’s bank that issues a credit card
  • Payment gateway, which is a service that sends the merchant’s eCommerce transaction data to the merchant’s bank
  • Payment processor
  • A payment network, such as Visa, Mastercard or American Express

Transactions are often grouped and processed in batches. That delay in payment resolution is an opportunity for fraudsters. A fraudulent online charge made on a credit card might not appear on a consumer’s bill for a month. 

If the consumer disputes the fraudulent charge, it could lead to a charge-back. The charge is reversed back through the system, and the cost ends up with the merchant.

Detecting and preventing CNP fraud

An effective CNP fraud prevention program revolves around risk mitigation. By understanding fraudsters’ techniques and CNP fraud prevention tools, organizations can develop risk strategies that help them mitigate costs while providing enhanced customer experiences.

Know Your Customer

Financial institutions need to know who they are dealing with to assess risk and prevent money laundering. There are strict rules for identity verification to discover if the person opening an account actually exists. Know Your Customer (KYC) requirements are a significant check to see if the person matches a real-world identity and is not synthetic.

Other identity checks that can determine if a customer’s identity is legitimate include:

  • Searching the email address
  • Calling the phone number
  • Confirming the person on social media

A more enhanced KYC program checks various identity data points, including IP addresses and mobile phone numbers. Video KYC enables organizations to use tools such as biometric face verification and real-time document verification.

Various combinations of those identity verification checks typically take place during customer onboarding. They also can be performed on a set schedule or for specific events, such as when an account status or customer information changes.

Monitor your transactions

Legitimate consumers and fraudsters often produce different transaction patterns. Understanding how consumers interact and transact can help organizations spot fraudulent patterns.

Monitoring transactions is vital. While small businesses often can monitor all transactions, larger companies may need a dedicated transaction monitoring program and a fraud detection expert. 

Monitoring often includes determining if:

  • The customer is new
  • The purchase is unusual
  • The transaction amount is significantly higher than normal
  • There is inconsistent information in the order
  • There are multiple orders
  • The customer is using a different shipping address
  • The orders are coming from a different IP address

Adding transaction limits or flagging higher-cost transactions for manual review can prevent higher-cost fraud cases. Organizations can set transaction limits per transaction or cumulatively. 
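
The monitoring checks and transaction limits above can be expressed as a small rule-based screen. This is an added example, not code from the original article; the thresholds, field names and sample orders are assumptions chosen for illustration.

```python
from collections import defaultdict, namedtuple

Order = namedtuple("Order", "customer amount day ip billing shipping")

# Assumed thresholds for illustration; tune them against your own order history.
PER_TXN_LIMIT = 500.00     # single order above this goes to manual review
DAILY_LIMIT = 1000.00      # cumulative per-customer total per day
AMOUNT_MULTIPLIER = 3.0    # "significantly higher than normal" = 3x customer average
MAX_ORDERS_PER_DAY = 3

def screen_orders(orders):
    """Return {order index: [reasons]} for orders that warrant manual review."""
    history = defaultdict(list)          # customer -> orders seen so far
    flagged = {}
    for i, o in enumerate(orders):
        past = history[o.customer]
        today = [p for p in past if p.day == o.day]
        reasons = []
        if not past:
            reasons.append("new customer")
        else:
            avg = sum(p.amount for p in past) / len(past)
            if o.amount > AMOUNT_MULTIPLIER * avg:
                reasons.append("amount far above customer average")
            if o.ip not in {p.ip for p in past}:
                reasons.append("new IP address")
        if o.shipping != o.billing:      # assumed meaning of "different shipping address"
            reasons.append("shipping differs from billing")
        if o.amount > PER_TXN_LIMIT:
            reasons.append("over per-transaction limit")
        if sum(p.amount for p in today) + o.amount > DAILY_LIMIT:
            reasons.append("over cumulative daily limit")
        if len(today) + 1 > MAX_ORDERS_PER_DAY:
            reasons.append("multiple orders in one day")
        if reasons:
            flagged[i] = reasons
        past.append(o)
    return flagged

# Constructed sample orders (not real data; IPs are from documentation ranges).
SAMPLE = [
    Order("alice", 40.0, "2023-03-01", "203.0.113.5", "1 Main St", "1 Main St"),
    Order("alice", 45.0, "2023-03-02", "203.0.113.5", "1 Main St", "1 Main St"),
    Order("alice", 600.0, "2023-03-03", "198.51.100.9", "1 Main St", "9 Dock Rd"),
    Order("alice", 450.0, "2023-03-03", "198.51.100.9", "1 Main St", "9 Dock Rd"),
]
```

The fourth sample order passes the per-transaction limit and is caught only by the cumulative daily limit. Because flagged orders still enter the customer's history here, a production baseline should be built from cleared orders only.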

Meet payment card industry (PCI) security standards

Every transaction and every part of the eCommerce system requires protection. The right tools and security mindset can help merchants achieve that goal.

According to the PCI Security Standards Council, an organization should:

  • Build and maintain a secure network to protect payment card information
  • Protect cardholder information
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
  • Pass quarterly remote vulnerability scans

Adopt additional security measures

An Address Verification System compares the address numbers in a credit card file with the corresponding numbers provided in the eCommerce transaction. A card verification value adds security with three or four numbers that further prove the customer’s legitimacy. 

As more consumers make mobile transactions, mobile data points such as geolocation, billing data and device information can provide identity verification. Device identification can be a particularly effective tool for profile matching. 

Reduce risks while expanding business

Implementing measures to help prevent CNP fraud and reduce online charge-backs protects organizations and customers. Companies that provide security and positive experiences can gain market share, keep customers happy and make the most of the digital opportunity.

