Card-not-present (CNP) fraud has become the dominant form of payment fraud as consumers increasingly shop online. In 2026, CNP fraud accounts for the majority of card fraud losses globally, creating significant challenges for merchants, issuers, and payment service providers.
This guide examines the CNP fraud landscape, key prevention strategies, and how modern authentication technologies like 3D Secure 2 can help organisations protect themselves and their customers.
Understanding CNP Fraud
What is CNP Fraud?
Card-not-present fraud occurs when payment credentials are used for transactions where the physical card is not presented—for example, online purchases, phone orders, or mail orders. Without the ability to verify the card physically or check chip authentication, fraudsters can use stolen or skimmed card details to make unauthorised purchases.
The shift to digital payments accelerated by COVID-19 has significantly expanded the attack surface for CNP fraud, and attack volumes have continued to rise in the years since.
Common CNP Fraud Methods
Fraudsters use a range of techniques to obtain and exploit payment credentials:
Credential Stuffing
Automated attacks using stolen username/password combinations from data breaches to access multiple accounts
Phishing & Social Engineering
Deceptive emails, websites, or phone calls that trick consumers into revealing card details
Card Details Theft
Stolen card numbers, expiry dates, and CVVs obtained through data breaches, skimming, or malware
Account Takeover
Fraudsters gain control of legitimate user accounts to purchase with stored payment credentials
Prevention Strategies
3D Secure 2 Authentication
3DS2 is the most effective tool for preventing CNP fraud, providing strong cardholder authentication while minimising disruption to the customer journey. Its key advantages over earlier approaches are:
Identity Verification
3DS2 enables issuers to verify that the person making the transaction is the legitimate cardholder, reducing unauthorised use of stolen credentials.
Liability Shift
When a transaction is successfully authenticated through 3DS2, liability for fraud-related chargebacks shifts from the merchant to the issuer.
Richer Data Sharing
3DS2 enables merchants to share extensive transaction data with issuers, improving risk assessment accuracy and enabling more informed authentication decisions.
Risk-Based Authentication
Risk-based authentication evaluates each transaction against multiple signals to determine the appropriate level of scrutiny. Low-risk transactions proceed frictionlessly, while higher-risk transactions trigger additional verification.
| Risk Level | Signals | Action |
|---|---|---|
| Low | Known device, typical value, familiar location, strong behavioural match | Frictionless — transaction proceeds seamlessly |
| Medium | New device, slightly elevated value, minor velocity flag | Step-up authentication via 3DS2 challenge |
| High | Unknown device, unusual location, high value, velocity breach | Manual review or decline |
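The tiering in the table above can be expressed as a small decision function. This is an added example, not code from the original article or from any 3DS2 product; the field names, the numeric thresholds and the rule that a new device combined with an unusual location counts as high risk are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds for illustration; the article gives no numeric values.
WINDOW_S = 600                              # velocity look-back window (seconds)
VELOCITY_FLAG, VELOCITY_BREACH = 3, 6       # attempts in window: minor flag / breach
ELEVATED_RATIO, HIGH_RATIO = 1.5, 5.0       # amount relative to typical spend

@dataclass
class Txn:
    card: str        # payment token, never a raw card number
    ts: int          # epoch seconds
    amount: float
    device_id: str
    country: str

@dataclass
class Profile:
    typical_amount: float
    known_devices: set
    usual_countries: set

def recent_attempts(history, txn):
    """Count earlier attempts on the same card inside the velocity window."""
    return sum(1 for h in history
               if h.card == txn.card and 0 <= txn.ts - h.ts <= WINDOW_S)

def decide(txn, profile, history):
    """Return (risk_level, action) following the table's three tiers."""
    ratio = txn.amount / max(profile.typical_amount, 0.01)  # avoid divide-by-zero
    attempts = recent_attempts(history, txn)
    new_device = txn.device_id not in profile.known_devices
    odd_location = txn.country not in profile.usual_countries
    # High tier is checked first so a single severe signal cannot be masked.
    if attempts >= VELOCITY_BREACH or ratio >= HIGH_RATIO or (new_device and odd_location):
        return "high", "manual_review_or_decline"
    if new_device or odd_location or ratio >= ELEVATED_RATIO or attempts >= VELOCITY_FLAG:
        return "medium", "3ds2_challenge"
    return "low", "frictionless"

# Constructed sample data: one cardholder profile and six rapid attempts on tok_1.
PROFILE = Profile(typical_amount=40.0, known_devices={"dev-a"}, usual_countries={"GB"})
HISTORY = [Txn("tok_1", 1000 + 60 * i, 20.0, "dev-z", "GB") for i in range(6)]

if __name__ == "__main__":
    for t in (Txn("tok_2", 5000, 35.0, "dev-a", "GB"),
              Txn("tok_2", 5000, 70.0, "dev-b", "GB"),
              Txn("tok_1", 1360, 20.0, "dev-a", "GB")):
        print(t.card, t.amount, decide(t, PROFILE, HISTORY))
```

In production the thresholds would be tuned against observed fraud and false decline rates rather than fixed by hand.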
Additional Controls
No single control is sufficient on its own. The most effective CNP fraud prevention combines multiple complementary measures applied at different stages of the transaction journey.
- Address Verification (AVS): Compares the billing address provided at checkout with the address held by the card issuer. Mismatches can be an early fraud signal.
- CVV Verification: Confirms the customer has physical possession of the card. Limited in isolation as CVV data is frequently stolen alongside card numbers.
- Tokenisation: Replaces sensitive card data with non-sensitive tokens that are useless to fraudsters, reducing the risk and impact of data breaches.
Balancing Security and Experience
The Friction Challenge
Excessive security measures can degrade the customer experience, leading to cart abandonment and lost revenue. The challenge is applying appropriate friction without creating unnecessary barriers for legitimate customers.
Declining legitimate transactions is a real cost. Monitoring false decline rates and engaging with issuers on their fraud rules is just as important as preventing fraudulent transactions.
Best Practices
When additional verification is required, always explain why it is needed, provide clear instructions, minimise the steps required, and offer multiple verification methods where possible. Customers who understand why they are being asked for more information are far less likely to abandon their transaction.
Technology Solutions
Modern CNP fraud prevention relies on a combination of technologies working in concert:
Machine Learning
- Real-time transaction scoring
- Pattern recognition across large volumes
- Adaptive learning from new fraud patterns
- Reduced false positives vs rule-based systems
Behavioural Analytics
- Typing patterns and navigation behaviour
- Mouse movements and touch interactions
- Session duration and browsing patterns
- Device and browser characteristics
Device Fingerprinting
- Device ID and hardware characteristics
- Browser settings and plugins
- IP address and geolocation
- Historical device usage patterns
This article is for informational purposes only and does not constitute legal or compliance advice. Organisations should consult with qualified legal professionals for guidance specific to their circumstances.


