What You Need to Know About Card-Not-Present Fraud

January 12, 2016         By: Tom Groenfeldt

As EMV technology brings greater security to brick-and-mortar payments and consumer behavior continues to drive the omnichannel trend, fraudsters are turning their attention to the online “card-not-present” commerce channel.

Here’s what you need to know about the expected rise in card-not-present (CNP) fraud.

As E-Commerce Grows, So Too Will Card-Not-Present Fraud

Last year, Aité Group reported that U.S. credit card fraud had increased 100 percent from just seven years ago. As a contributing factor, Aite cited increasing fraud at the point-of-sale, as well as rising card-not-present fraud—which now represents 45 percent of total U.S. card fraud. At the same time, U.S. online and mobile commerce is growing at a 15 percent annual rate.[1]

As the number of chip cards and EMV terminals continues to grow, analysts expect that CNP fraud will grow with it, although Javelin Research & Strategy warns against thinking of EMV as influencing the shift toward CNP fraud. Rather, the analysts suggest, the growth in CNP fraud is largely a factor of the growth in e-commerce shopping.[2]

In any event, the next step for online merchants is clear—the smartest approach is to improve fraud prevention strategies and safeguards.

“Based on what we’ve seen in other regions that have migrated to EMV at in-store point-of-sale, fraud moves to other channels,” said Alisa Ellis, Vice President of Global Products & Solutions at Discover. “This, coupled with the fact that we are now in a digital age where purchases are being made everywhere from online, in-app, to mobile, should have retailers of all sizes looking to secure all commerce channels with stronger authentication methods to protect both them and their customers’ information.”

Mature U.S. E-Commerce Market has Already Taken Strides toward Security

While an increase in CNP fraud could be imminent based on previous findings, there’s good reason to believe the U.S. will not experience the sharp spike in CNP fraud that other regions throughout the world have. American consumers and merchants have, after all, been conducting e-commerce for decades via telecommunications, which has made real-time authorization for card transactions common practice.

U.S. merchants and payment networks have developed and implemented sophisticated software and processes to authenticate buyers—ranging from recognizing a consumer’s home computer, to tying sales and shipments to a known home address. Additionally, financial institutions have robust systems in place to detect unusual behavior, as anyone who has used a card in a foreign country, without notifying their card company, has learned first-hand. Systems can also detect when a card number is used around the same time in two distant locations, and spot a spurt of quick-succession purchases, which is often an indication the card being used was stolen.

After looking at solutions for CNP fraud, the EMV Migration Forum and Smart Card Alliance concluded that there is no silver bullet. Instead, they recommend taking a layered approach to improving security.[3] These strategies include:

  • Device authentication, such as confirming that the device used to make the payment is being used by the right consumer
  • Multi-factor authentication, in which the credentials used to make the payment are checked against the address, phone number, and email address provided by the customer at check-out
  • Tokenization, which replaces payment credentials with one-time codes
  • Rigorously checking the identity of an online customer when they pick up merchandise reserved in a physical store

Suite of Security Tools for Online Merchants

The payments industry is advancing the next generation of 3D Secure (3DS), an online authentication protocol, to support new and emerging technologies in the remote payment environment. This protocol allows merchant electronic commerce platforms to link into interfaces controlled by issuers where cardholders can confirm their identity directly with their banks by entering a password or a one-time code. As the 3DS standard evolves, it may come to secure purchasing in-app, in addition to in e-commerce channels, and will seek to require less and less input from consumers during checkout in order to create a more secure, seamless experience.

Discover is active in EMVCo, defining the standard for emerging 3DS 2.0 protocol—the next major evolution of the standard—and looking to expand its suite of current card-not-present fraud products and 3DS technology to provide a holistic solution to merchants and fraud service provider partners.

Several additional tools exist that can help merchants safeguard their e-commerce channel. Verify+, a consumer authentication tool from Discover, checks a customer’s information in a CNP transaction against cardholder records and provides the information needed to identify high-risk transactions before the merchant fulfills the purchase. In doing so, merchants maximize their CNP fraud protection while still providing a non-disruptive customer experience. A second fraud prevention tool, Discover Fraud Alerts, notifies merchants immediately when a cardholder or issuer reports a fraudulent transaction, so they can freeze the shipment of merchandise.[4]

Ensuring that payment data is protected at all stages of their transaction is critical to reducing fraud losses and retaining consumer trust. Discover is committed to enabling a smarter, more seamless transaction experience, and providing the tools and resources to help merchants and payment service providers to do so.

For more resources on EMV, visit the Discover Network EMV Resource Center at Additionally, click here to learn more about Discover fraud products.