What Is Card-Not-Present Fraud and How Does It Work?

Learn how card-not-present fraud happens, its impact on merchants and consumers, and the measures used to detect and prevent unauthorized transactions.

Credit card fraud doesn’t always require a physical card. Criminals exploit stolen payment details to make unauthorized purchases without ever touching the actual card. This type of fraud is especially common in digital and remote transactions, where verifying a card’s legitimacy is more challenging.

Basic Definition and Mechanics

Card-not-present (CNP) fraud occurs when a fraudster uses stolen payment details to complete a transaction without physically presenting the card. Unlike traditional fraud involving a stolen physical card, CNP fraud relies on compromised card numbers, expiration dates, and security codes. These details are often obtained through data breaches, phishing scams, or malware that captures payment information.

Once criminals acquire this data, they use it to make unauthorized purchases, often targeting merchants with weak fraud detection systems. Since there is no physical card to verify, businesses rely on digital security measures like address verification systems (AVS) and card security codes (CVV) to confirm legitimacy. However, these safeguards are not always effective, as stolen data often includes this information.

Fraudsters also use automated bots and scripts to test stolen card details by making small transactions to check if the card is still active. If successful, they proceed with larger purchases or sell the validated card details on dark web marketplaces, making it difficult for consumers and businesses to detect fraud before significant financial damage occurs.

Types of Transactions Where It Occurs

Card-not-present fraud happens in any situation where a payment is processed without the physical card being swiped, inserted, or tapped. These transactions rely on manually entered card details, making them more vulnerable to fraud. The most common scenarios include online purchases, mail orders, and telephone payments.

Online Purchases

E-commerce transactions are a prime target for card-not-present fraud. When customers shop online, they enter their card number, expiration date, and CVV code. Fraudsters with stolen details can do the same, often bypassing weak security measures.

Many retailers use fraud prevention tools like 3D Secure (e.g., Visa Secure, Mastercard Identity Check), which require an additional authentication step, such as a one-time password sent to the cardholder’s phone. However, if criminals have access to a victim’s email or phone number through phishing or data breaches, they can intercept these codes.

Subscription-based services, such as streaming platforms and meal delivery plans, are also common targets. Fraudsters may use stolen card details to sign up for free trials that require payment information, leading to unauthorized recurring charges. Businesses that fail to implement strong fraud detection measures may struggle to differentiate between legitimate and fraudulent transactions, increasing their exposure to chargebacks and financial losses.

Mail Orders

Mail order transactions, though less common today, still present fraud risks. These purchases involve customers providing card details via a written form or fax, which merchants then manually enter into a payment system. Since there is no real-time verification, fraudsters can exploit this method without immediate detection.

Unlike online transactions, which may use tools like AVS or 3D Secure, mail orders often rely solely on the accuracy of the provided card details. This makes it easier for criminals to target businesses that accept payments this way.

Fraudulent mail orders often involve high-value goods that can be resold, such as electronics, jewelry, or luxury items. Merchants that process these transactions without additional verification steps, such as calling the customer or requiring a signature upon delivery, face higher fraud-related losses. Some businesses mitigate risks by limiting mail order payments to trusted customers or requiring alternative payment methods, such as wire transfers or checks.

Telephone Payments

Phone-based transactions, or CNP payments over the phone, are another avenue for fraud. These occur when a customer provides card details verbally to a merchant, who then enters the information into a payment system.

Fraudsters often impersonate legitimate customers, sometimes using social engineering tactics to manipulate customer service representatives. For example, they may claim to be an elderly customer struggling with online payments to bypass standard security checks.

Businesses that accept phone payments typically use basic verification methods, such as asking for the billing address or CVV code. However, if criminals have obtained full card details from a data breach, they can easily provide this information. Some companies implement additional security measures, such as requiring a callback to a verified phone number or using voice recognition technology to detect suspicious activity.

Industries that frequently process phone payments, such as travel agencies, ticketing services, and hospitality businesses, are particularly vulnerable. Fraudulent bookings for flights, hotels, or event tickets can result in financial losses if the cardholder later disputes the charge. To reduce risk, some businesses require additional identification or use secure payment links instead of manually processing card details over the phone.

Cardholder and Merchant Liabilities

When unauthorized transactions occur, financial responsibility depends on various factors, including the type of fraud, security measures in place, and the policies of card networks like Visa, Mastercard, and American Express. For consumers, federal regulations such as the Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA) limit liability if fraud is reported promptly. Under the FCBA, credit cardholders are generally liable for no more than $50 in fraudulent charges, though most issuers, including Chase and Capital One, offer zero-liability protection, meaning cardholders owe nothing for unauthorized transactions.

Debit cardholders face stricter timelines under the EFTA. If fraud is reported within two business days, liability is capped at $50, but delays up to 60 days can increase responsibility to $500. Beyond that, the full amount may be lost.

For businesses, liability is more complex and often falls on the merchant rather than the issuing bank. Unlike card-present transactions, where EMV chip technology shifts fraud responsibility to the least secure party, CNP transactions place the burden on businesses unless they implement fraud prevention tools. If a fraudulent purchase is disputed, the merchant typically absorbs the loss unless they can prove the transaction was legitimate.

To mitigate risk, businesses use fraud detection tools such as device fingerprinting, velocity checks, and machine learning algorithms that analyze purchasing patterns. Address verification services (AVS) and tokenization add extra layers of security, but no system is foolproof. Some merchants also enroll in fraud liability shift programs offered by card networks, which transfer responsibility back to the issuing bank if an authenticated payment method, like 3D Secure, was used. However, these programs can introduce friction in the checkout process, potentially leading to lost sales.
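A velocity check of the kind mentioned above can be aimed at the card-testing pattern described earlier, where many stolen cards are tried with small charges from one source. The following is an added example, not code from this article or any payment processor; the device IDs, card tokens, thresholds, and event format are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_CARDS = 3                   # assumed: distinct cards tolerated per device in WINDOW
SMALL_AMOUNT = 5.00             # assumed ceiling for a "test-sized" charge

def velocity_alerts(events):
    """Flag devices that try too many distinct cards on small charges.

    events: time-sorted iterable of (iso_timestamp, device_id, card_token, amount).
    Returns a list of (iso_timestamp, device_id, distinct_card_count), one entry
    for every attempt made while the device is over MAX_CARDS.
    """
    recent = defaultdict(deque)  # device_id -> deque of (time, card_token)
    alerts = []
    for ts, device, card, amount in events:
        if amount > SMALL_AMOUNT:
            continue  # larger purchases are left to other checks
        now = datetime.fromisoformat(ts)
        attempts = recent[device]
        attempts.append((now, card))
        while now - attempts[0][0] > WINDOW:
            attempts.popleft()  # expire attempts that fell out of the window
        distinct = {token for _, token in attempts}
        if len(distinct) > MAX_CARDS:
            alerts.append((ts, device, len(distinct)))
    return alerts

# Constructed sample authorization attempts (tokens stand in for card numbers).
SAMPLE = [
    ("2024-03-01T10:00:00", "dev-A", "tok_1001", 1.00),
    ("2024-03-01T10:00:20", "dev-A", "tok_1002", 1.00),
    ("2024-03-01T10:00:41", "dev-B", "tok_2001", 42.50),  # normal purchase
    ("2024-03-01T10:01:05", "dev-A", "tok_1003", 1.00),
    ("2024-03-01T10:01:30", "dev-A", "tok_1004", 1.00),   # 4th distinct card
    ("2024-03-01T10:02:00", "dev-A", "tok_1004", 1.00),   # retry of the same card
    ("2024-03-01T10:30:00", "dev-B", "tok_2001", 3.99),
    ("2024-03-01T10:45:00", "dev-A", "tok_1005", 2.00),   # window has expired
]

if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE):
        print(alert)
```

Counting distinct cards rather than raw attempts keeps a legitimate customer who retries one declined card from tripping the rule.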

Chargeback Practices

Chargebacks allow cardholders to dispute unauthorized or erroneous transactions and receive a refund. While this system protects consumers, it creates financial and operational burdens for merchants. A chargeback not only results in the loss of the sale but also incurs fees from payment processors, which can range from $20 to $100 per dispute. If a business exceeds a chargeback rate of 1% of total transactions, networks like Visa and Mastercard may impose additional penalties or even place the merchant in a monitoring program, leading to higher processing costs and stricter compliance requirements.

To combat excessive disputes, merchants rely on chargeback management strategies, including maintaining detailed transaction records, implementing clear refund policies, and using fraud prevention tools. Compelling evidence, such as proof of delivery, customer communication logs, and transaction authentication data, can help businesses challenge illegitimate disputes through the representment process. Some retailers also use chargeback alerts from companies like Ethoca and Verifi, which provide real-time notifications of disputes, enabling merchants to issue refunds before a formal chargeback is initiated. This preemptive approach can help reduce chargeback ratios and maintain good standing with payment processors.

Reporting Requirements

When card-not-present fraud occurs, both consumers and businesses have specific reporting obligations to minimize financial losses and prevent further misuse. Cardholders should report unauthorized transactions to their bank or card issuer as soon as they notice suspicious activity. Most issuers provide 24/7 fraud reporting hotlines and online dispute forms, allowing customers to quickly flag fraudulent charges. Under the Fair Credit Billing Act, consumers have up to 60 days from the date of their statement to dispute a charge, but reporting sooner increases the likelihood of a swift resolution.

For merchants, reporting fraudulent transactions is equally important, especially if they notice patterns of suspicious activity. Businesses can submit fraud reports to their payment processors, who may flag compromised card details and share them with card networks to prevent further misuse. Additionally, merchants can participate in fraud prevention databases, such as the Mastercard Alert to Control High-Risk Merchants (MATCH) system, which helps identify fraudulent transactions across multiple businesses. Law enforcement agencies, such as the Federal Trade Commission (FTC) and the Internet Crime Complaint Center (IC3), also accept reports of payment fraud, particularly when large-scale data breaches or organized crime rings are involved.
