In 2022, Card Not Present (CNP) fraud accounted for a staggering 81% of all card fraud in the UK, leading to £396 million in losses. This isn’t merely a statistic; it’s a fundamental challenge impacting our digital economy. With digital transactions now an accepted everyday occurrence, CNP fraud is a significant challenge demanding immediate action from all players in the financial transaction space.
At its core, CNP fraud occurs when a cardholder isn’t physically present to authenticate a transaction, typically during online or over-the-phone purchases. The difficulty in verifying a genuine cardholder remotely is the primary driver of its prevalence. While new technologies and robust processes promised to mitigate this, a truly perplexing sentiment has emerged: the idea that “the levels of fraud loss were within the banks’ budget.”
This notion immediately begs a critical question: are we not, by accepting this, inadvertently funding criminal enterprises? Why would any financial institution consider any level of fraud loss tolerable? Such a perspective implies a willingness to pay criminals, a cost ultimately borne by the very customers who depend on their banks to safeguard their money and personal information. It is perplexing to hear such sentiments from individuals whose primary responsibility is to protect cardholders and issuers from fraud. Combatting fraud requires a diverse set of tools and strategies; failing to act is akin to asking, “How much would you like to steal during a robbery?”
The evolving landscape of CNP fraud
Several factors have fuelled this surge. The pandemic dramatically accelerated digital adoption, creating an expansive new attack surface for fraudsters through the rise of e-commerce. Stolen card details, often complete with static CVV codes, are easily monetized on the dark web, providing criminals with a ready supply of ammunition. Modern criminals are not just opportunistic; they employ advanced tactics such as phishing, social engineering, credential stuffing, and sophisticated bot attacks to circumvent traditional defences.
The impact on businesses extends far beyond direct financial loss. Fraud erodes customer trust and loyalty, with a single compromised transaction leading to a lasting impression of insecurity and reputational damage. Businesses divert valuable time and resources towards investigations and mitigating the negative effects of fraudulent activity. In addition, over-the-top fraud detection systems can refuse legitimate transactions, leading to lost sales and increased customer frustration.
Our traditional defences have been creaking for quite some time
For many years, we’ve relied on increasingly ineffective anti-fraud technology. While providing initial checks, AVS (Address Verification System) and static CVV/CVC are easily bypassed. Stolen data often includes the CVV, or criminals employ card testing with small transactions to validate stolen details. Basic rule-based systems are easily outsmarted by adaptive fraudsters, leading to high false positives and many missed fraud attempts. While absolutely essential as a baseline for data security, PCI DSS Compliance alone is not a complete fraud prevention strategy. 3D Secure was a crucial step, offering strong customer authentication, but it can add an extra level of difficulty to the checkout process if not implemented thoughtfully.
On the front line with CNP Anti-Fraud Technology
The good news is that Artificial intelligence (AI) and machine learning (ML) technologies are transformative, moving us beyond simple rules. They enable real-time behavioural analytics; transaction history, device fingerprinting, IP address, geolocation, user behaviour patterns detect anomalies that human analysts or rule-based systems would miss. These techniques continuously learn from new fraud patterns, making them highly effective against evolving, “moving target” threats.
For CNP transactions, especially via mobile apps, biometrics offers smooth authentication. Fingerprint or facial recognition provides a robust, yet frictionless, layer of security. Tokenization technology replaces sensitive card data with unique, non-sensitive tokens, dramatically minimising the risk of data breaches and significantly reducing a merchant’s PCI compliance burden. Device fingerprinting and geolocation technologies create a distinctive profile of a user’s device and location, flagging suspicious activity if a transaction originates from an unusual device or geographical area. Behavioural biometrics analyses typing speed, mouse movements, and scrolling patterns to detect non-human (bot) activity or unusual user behaviour.
Dynamic CVV card technology: A real game changer
This deserves a dedicated spotlight, as it directly addresses a core vulnerability of CNP fraud. The fundamental problem with a static CVV printed on the card is its total vulnerability once stolen. When compromised, it’s a permanent key to immediately unlocking fraudulent transactions.
This is where dynamic CVV solutions are a real game changer. The more common and cost-effective approach involves the dynamic CVV being generated and displayed within the card issuer’s mobile banking app. The user logs into their app to retrieve the current, time-sensitive CVV for an online transaction. This CVV typically changes every few minutes, rendering stolen static CVVs useless. This makes stolen card details far less valuable to fraudsters. Even if card numbers are compromised, the constantly changing CVV acts as a formidable barrier. Indeed, An Post in Ireland has “virtually eliminated” credit card fraud for those registered customers using their Money app.
While the app-based approach adds a small step, it’s generally seamless and far more secure than relying on a static code that can be easily compromised. By requiring this extra layer of authentication, merchants may be further protected from chargebacks in some cases, potentially providing reduced liability. While app-based solutions are more common, some issuers have explored physical cards with e-ink screens displaying dynamic CVVs, but these are currently more expensive to produce and educating consumers about this new process is crucial for widespread adoption.
However financial institutions and associated Fintech players have to accept that no single solution is a miracle remedy. Effective CNP fraud prevention demands a multi-layered strategy that combines various technologies. We must continuously strive to balance robust security with a frictionless user experience. Friction leads to abandoned sales and lost transactions and in the current economic climate that is just not acceptable. Furthermore, collaboration is predominant. Merchants, payment processors, banks, and law enforcement must actively share intelligence to combat emerging threats more effectively.
The idea that fraud losses are “within budget” is a dangerous complacency. As CEO of Safecypher, I believe it’s our collective responsibility to fight relentlessly against this criminal scourge. Dynamic CVV solutions are not just another tool; they are a key part of the solution, offering a powerful way to mitigate the devastating impact of CNP fraud and significantly reducing the amount of criminals that benefit at the expense of genuine customers.
Ben Jordan
After an extensive career leading card and payments services companies, Ben founded Safecypher in 2022 to offer innovative solutions to online card fraud.
