Card not present fraud is a huge concern for any business that facilitates remote payments by credit or debit card. In fact, a study by leading finance industry organisation UK Finance found that more than 80% of card fraud losses in the UK reported in 2022 were from forms of card not present fraud.
Though there are many security measures available to mitigate the risk of card not present transaction fraud, a constantly-evolving security landscape means that all business owners must take a proactive approach to stay ahead of cyber criminals.
If you take remote payments and want to know how to protect your business from card not present fraud, this guide will take a closer look at what CNP fraud is, the current state of the threat, and what you can do to avoid falling victim to it.
What is card not present fraud?
Card not present (CNP) fraud is a category of credit card fraud that works by making fraudulent transactions in situations where a customer doesn’t need to physically present a card to a merchant.
Using stolen credit card numbers, card not present fraud can take a variety of forms, such as through an e-commerce store’s payment gateway, or through a virtual terminal operated by a business that’s taking card payments over the phone.
Because cardholder not present fraud only requires a criminal to get a hold of the victim’s card information, and not the card itself, it can be easier for fraudsters to commit and harder for merchants to detect. Because of this, CNP fraud represents a huge proportion of all credit card fraud, and should be a major concern for business owners of all sizes.
The state of card not present fraud UK
Card not present fraud is a major issue in the UK. For most merchants who offer remote payments, it’s likely that CNP fraud is the most common security threat that they’ll face.
To give you a better idea of the scope of CNP fraud in the UK, here are a few figures from The 2023 Annual Fraud Report by leading finance industry collective UK Finance:
In 2022, card not present fraud accounted for 81% of all reported card fraud losses. This dwarfed the next largest category of lost or stolen card fraud (15%) and card ID theft (3%).
The number of reported cases of CNP fraud in the UK was 2.2million.
The total reported value lost as a result of CNP fraud was £395.7million.
Card not present fraud trends show that total yearly losses have been on a steady decline since 2018, when total lost value shot up by 24% year on year.
How does card not present fraud affect UK merchants?
Looking at the state of card not present fraud in the UK, it shouldn’t be surprising that card not present fraud is a major concern for UK merchants, whether they’re larger well-recognised brands, small business owners or entrepreneurs beginning to think of ideas for their own side hustle.
There are several ways that card not present fraud can negatively affect UK business owners, including but not limited to:
Financial losses
Though CNP fraudsters seek to use stolen card information to defraud the card holders themselves, card not present fraud can lead to direct financial losses for merchants themselves. If a customer loses money due to a fraudulent transaction, the merchant is typically held responsible for the resulting chargeback. This means that you could lose not only the money that was paid for the product, but also the product itself.
Reputational damage
If a security breach is sizable enough, the news of this can spread through online review platforms, social media, and other outlets, causing potential damage to your brand equity. This can not only hurt the sense of trust and customer loyalty consumers have for your brand, but also undermine future marketing initiatives to bring in new business.
Operational difficulties
When a business encounters card not present fraud, the resulting investigations can be extremely draining on resources. This is especially true for start-ups that may be stretching their available resources already. When you’re having to manage chargebacks, coordinate with payment providers, investigate suspicious transactions, and more, these can all divert your attention from the day-to-day running of the business and hurt your business’s regular operations.
Increased insurance premiums
If you’re insured against CNP fraud and have to make a claim following an attack or breach, this is likely to increase your insurance premiums in the future.
Legal issues
Even when a business has taken every possible precaution to protect their customers’ data, they can still fall victim to card not present fraud. However, if a fraud incident occurs and you haven’t fulfilled your obligations in the way of keeping customers safe, your business could be the target of costly legal action.
Examples of card not present transactions for small business owners
Consumers expect a high level of convenience, and small businesses have a range of options when it comes to taking payments without a customer physically present.
In order to mitigate the risk of card not present fraud, it’s important for merchants to understand the mechanics of popular card not present payment methods and how they can be exploited by criminals.
Here are some common examples of card not present transactions commonly used by small merchants.
Website and e-commerce purchases
When selling products through your website, whether physical products in an e-commerce setting or smaller digital products like e-books, payments are generally processed in the same way. After selecting the products they want, customers will navigate to a secure payment gateway where they’ll provide their payment information and finalise the purchase.
Due to the large volumes of payment card data that pass through websites with this kind of setup, they can often be attractive targets for cyber criminals. Furthermore, if a customer has their payment information saved to their account, hackers can potentially steal this without carrying out any user behaviour that would usually raise suspicion.
Pickup in-store orders
While it used to be the territory of big-name retailers, click and collect or pickup in-store orders have started to become more popular among smaller merchants.
In this kind of card not present transaction, customers can place orders online using a payment gateway, and collect the items they’ve paid for in-person from a physical store. This offers a higher degree of convenience for shoppers who want the broad selection offered by e-commerce stores, but don’t want to wait for their products to ship.
Offering pickup in-store orders requires robust levels of encryption to prevent payment data from being intercepted by hackers. It’s also possible for criminals to intercept the details of an order they didn’t make, then come to the store and take products that they haven’t paid for, leading to the loss of merchandise for the business owner.
Recurring payments and subscriptions
Recurring payment models are often used by service-based businesses, such as personal trainers, to allow customers to pay for a predetermined service at set intervals, rather than manually actioning the payments as they go.
This kind of auto pay model promises convenience for both the merchant and the customer, removing the need for manual admin from both parties.
Recurring payment businesses can be an attractive place for cyber criminals to use stolen credit card data, as because the payments tend to be quite small, there’s a reduced chance that a legitimate cardholder will notice anything suspicious on their statement.
If your business requires customers to set up recurring payments, it’s more likely that you will need to store customer payment data so that the payments can keep being made seamlessly, making a data breach a prime target for card detail theft.
Merchants must follow established security protocols for data storage and ensure they’re doing all they can to prevent data breaches.
Over the phone purchases and virtual terminals
You may want to take card payments over the phone to accommodate for customers who want to discuss the details of a product or a booking and pay for it in one smooth interaction.
With this payment method, your customer will contact you by phone and communicate their card details verbally. Then, your staff will enter these details into a virtual terminal to complete the payment.
This way of taking payments can make your business a popular target for CNP fraud, as your staff may not take the necessary steps to verify a caller’s identity. If staff don’t take a conscientious approach to security, a fraudster can simply read out stolen card details and initiate a payment the legitimate cardholder hasn’t consented to.
If your business takes card payments over the phone, it’s essential that you and your staff follow a set process with a step to verify the customer’s identity, such as asking them for an account number, a line of their address, or another piece of verifying information.
Digital wallet payments
Digital wallets allow customers to link their payment card information to an app on their personal devices. They then use this to complete purchases in a faster, more convenient way than they would having to enter card information manually.
Although many of these apps come with robust security layers, such as tokenization and biometric locks, they’re not 100% immune to breaches. If a cyber criminal is able to gain access to a customer's device or login information, they could use the saved card details to make unauthorised payments.
To guard against CNP fraud via digital wallets, it’s essential that you have systems in place for flagging unusual user behaviour that may be a sign of fraudulent activity.
Mail orders
Though far less common since the advent of online payment methods, mail orders are still offered by a range of merchants and still preferred by certain audience segments.
With this payment method, customers will fill out a form specifying their order and card details, then mail this into the merchant who will use this information to process the order.
Unlike payment methods where payment information is transferred electronically, there’s a chance that mail order forms can be physically intercepted by bad actors looking to steal peoples’ card information. Merchants must remain vigilant to this kind of threat, and investigate complaints about late orders in case this is a sign that forms were intercepted.
Gift cards
Many merchants such as clothing retailers and coffee shops offer both physical and digital gift cards which can be loaded with credit for your business and redeemed as the card holder likes.
As with other digital payment methods, there’s a risk that cyber criminals can steal a gift card’s identifying information and use this to make fraudulent purchases.
As a merchant, it’s essential to take all possible steps to secure gift card information, and not focus all your security resources on more common payment methods.
Invoice payments
With digital invoices, businesses like interior designers and professional service providers can generate documents breaking down the cost of a service or product and share them with clients through communication channels such as an email. The client can then click a link on the invoice which will take them to a secure payment gateway, and pay the outstanding amount by entering their payment card details.
Fraudsters can carry out card not present fraud on an invoice mainly by impersonating a merchant and falsifying payment details so that the customer pays the criminal, rather than you. Hackers may also be able to access customers’ details if they gain access to your email or other communication channels.
To prevent invoice CNP fraud, as a business owner, you must maintain strong account passwords and change them frequently in order to minimise the risk of a costly breach. It’s also important to adhere to PCI compliance by not storing credit card information or communicating it outside of the designated systems.
Card-on-file payments
Card-on-file payments can cover several different payment methods, including simple e-commerce orders and subscription-based recurring payments.
In this scenario, customers consent to your business keeping their payment information on a database so that it can be used for future purchases when needed, allowing for faster and more convenient payments.
Hackers know that merchants who facilitate card-on-file payments maintain large databases of sensitive payment information, making them a prime target for attacks. To minimise risk, you must ensure that customer data is protected by reliable encryption and strict access control policies.
5 tips for small business owners to prevent and minimise card not present fraud
Card not present fraud is a widespread issue that can affect practically any remote payment method. To keep your customers safe and your business functional, it’s essential to take all possible measures to prevent and minimise card not present fraud.
Though a truly effective security policy will need to be tailored to your specific business, there are still a number of more general steps you can take to minimise the risk at your business.
Here are 5 tips that any small business owner should be aware of when trying to combat card not present fraud:
Know your customers
In many cases, card not present fraud can occur because suspicious user behaviour wasn’t picked up on by the staff at a business.
It can be challenging to keep track of user behaviour patterns among a large volume of transactions. However, gathering as much customer information as possible (while still respecting privacy) will better equip you and your team to notice discrepancies.
These can come in many forms, for example if someone adds a new delivery address miles away from where their orders are usually shipped.
Provided you’re able to gain your customers’ consent, some of the key pieces of information you should try to record include:
Billing addresses.
Email addresses.
Phone numbers.
The kinds of devices they use to access your website.
The more accurate and detailed your user profiles are, the easier it will be to notice if a user account becomes compromised and starts engaging in suspicious behaviour.
Keep your business in-line with relevant security protocols
There are a number of cybersecurity and payment industry protocols recommended for businesses that handle or store payment data.
Researching these and taking steps to make your business compliant will give you a clear marker for success to work towards and make it easier to tell if your security practices are effective.
The Payment Card Industry Data Security Standard (PCI DSS), for example, walks businesses through several different aspects of payment security covering:
Networks and systems.
Vulnerability management.
Best practices for controlling staff access to data.
While this standard can be applied to any business that takes card payments, there may be more industry-specific security protocols you can use to prevent card not present fraud.
Use as many resources as possible to find out about the precise security requirements of your business, and the steps you’ll need to take to meet them.
Be aware of test transactions
When fraudsters manage to steal payment information, it’s a common practice to carry out a few small test purchases to make sure the stolen information is usable, before moving on to larger transactions.
These small transactions could be the first warning signs of a much larger instance of fraud, so it’s essential to stay vigilant.
Having a system in place to detect unusually small purchases could help you tackle instances of fraud before they become a serious problem, saving you and your customers from serious financial losses.
Use 3D Secure for card payments
3D Secure is a security protocol designed specifically to guard against CNP fraud, which works by adding additional verification requirements to your payment gateways.
Typically, this security measure works by directing a customer to an authentication page operated by their card issuer’s website, where they then have to enter a password that was set previously, or a one-time code that’s sent to a phone or via a two factor authentication app.
This means that if a fraudster tries to make a purchase on your website using stolen card information, the legitimate cardholder will be notified immediately. When a 3D Secure check is triggered by an attempt at fraudulent activity, it will not only protect the cardholder from losing funds, but also alert the card issuer and merchant to the attempted CNP fraud and help them take appropriate action.
Educate yourself on chargeback fraud
Chargeback fraud occurs when someone makes a CNP purchase, then disputes the charge to receive a refund while still keeping the goods or services that were originally paid for.
This can take many forms, and if successful can cause your business to lose both merchandise and the funds taken for the transaction.
Some common forms of chargeback fraud include:
Friendly fraud, where a legitimate cardholder will make a purchase at your business and later dispute the charge to their card, claiming that they didn’t receive the goods paid for, that the order they received was defective or not as described, or other claims.
Return fraud, where a customer with a receipt will return an order to the retailer and erroneously claim that the product is defective, often when the product is in good condition.
Digital goods fraud, which works in more or less the same way as other kinds of chargeback fraud, but specifically works off purchases of digital products like software licences. This kind of fraud is often difficult to combat, as a customer can easily download the product between making a purchase and disputing it.
Some new business owners can let chargeback fraud go on for some time without addressing it, as they’re not aware of the prevalence of the issue and want to maintain high levels of customer service. It’s important to approach chargebacks with a critical eye and avoid processing chargebacks without making sure they’re legitimate.
Disclaimer: The contents of this page are intended for informational purposes only and should not be construed as professional advice. For matters requiring legal or financial expertise, it’s recommended to seek guidance from qualified professionals.
Card Not Present (CNP) Fraud FAQs
Who is liable for fraudulent card not present transactions?
How is cardholder not present fraud detected?
Why has card not present (CNP) fraud increased in recent years?
What is an example of a card not present transaction?