Card-Not-Present Transactions: Reducing CNP Fraud and Chargebacks

Card-not-present transactions account for 63% of global payments today, split between online purchases (37%) and mobile app transactions (26%), according to Datos Insights 2024 data. This shift toward digital payments has created a fraud problem that costs U.S. businesses $10.16 billion annually, representing 74% of all card payment fraud (Nilson Report, 2024).

The math is stark: CNP transactions have a fraud rate of 0.93% compared to 0.06% for card-present transactions. That’s 15 times higher risk. For a business processing $100 million in online payments, that difference translates to roughly $870,000 more in potential fraud exposure than the same volume processed in-store.

What are card-not-present transactions?

A card-not-present transaction occurs when the cardholder isn’t physically present with their payment card at the point of sale. This includes purchases made online, over the phone, through mobile apps, or via mail order. The merchant can’t verify the card’s physical security features or the cardholder’s identity through in-person interaction.

The distinction matters because it determines who bears liability when fraud occurs. In a card-present transaction, the card network and issuing bank absorb most fraud losses. In a card-not-present transaction, the merchant is liable by default.

E-commerce, subscription services, and any business that processes payments remotely operates in the CNP environment. The same applies to SaaS platforms that embed payment processing for their customers, travel booking systems, and marketplace platforms that facilitate transactions between third parties.

The business cost of CNP fraud

U.S. CNP fraud losses reached $10.16 billion in 2024, with global losses projected to hit $28.1 billion by 2026, according to Juniper Research. But the headline number understates the true cost to merchants.

Key point: The LexisNexis True Cost of Fraud Study found that merchants lose $4.61 for every $1 of fraud in 2025, a 37% increase from 2020.

That multiplier includes:

The original transaction amount (which you’ve already shipped or delivered)
Chargeback fees from your payment processor ($15-$25 per incident)
Operational costs for dispute investigation and response
Potential fines if your chargeback ratio exceeds network thresholds
Higher processing rates after repeated chargebacks

A $100 fraudulent transaction actually costs your business $461. Scale that across the average e-commerce fraud rate and you’re looking at real budget impact.

The revenue loss extends beyond direct fraud. Visa reported a 200% increase in blocked attacks during Black Friday and Cyber Monday 2024 using AI-enabled bots. Merchants without modern fraud detection tools either let these transactions through (and eat the losses) or block too aggressively (and lose legitimate sales).

Why chargebacks hit harder in CNP

Chargebacks cost merchants $33.79 billion globally in 2025, with that figure projected to reach $41.69 billion by 2028 (Chargebacks911). CNP transactions have chargeback rates of 0.6%-1% compared to 0.5% for card-present transactions.

The financial impact breaks down into direct and indirect costs. Direct costs include the refunded transaction amount, network chargeback fees ($15-$25 per dispute), and any goods already shipped or services delivered. These are line items you can track.

Indirect costs are harder to measure but often larger. Staff time spent gathering documentation, writing response letters, and managing dispute workflows adds up. High chargeback ratios trigger scrutiny from payment processors and can result in higher processing fees, reserve requirements, or merchant account termination.

Card networks impose thresholds that trigger monitoring programs with escalating fines:

Network	Threshold	Consequence
Visa	0.9% ratio	Monitoring program with escalating fines
Mastercard	1.0% ratio	Monitoring program with escalating fines
Both	Sustained	Fines up to $100,000/month

Crossing these thresholds places merchants in monitoring programs that can cost $100,000 per month at the high end.

The liability question is central to managing chargebacks. Without additional authentication, the merchant bears full responsibility for proving a transaction was legitimate. This default liability assignment is why 3D Secure authentication has become standard for CNP transactions.

Authentication without friction: 3D Secure 2.0

3D Secure 2.0 addresses the core problem of CNP authentication: verifying that the person making the purchase is the actual cardholder without creating so much friction that they abandon checkout.

The original 3D Secure (introduced in 2001) required customers to remember a separate password for each card, leading to abandonment rates as high as 70% when challenged. 3DS2 replaces this with risk-based authentication that analyzes over 100 data points (device fingerprint, transaction history, shipping address consistency) to determine whether a challenge is necessary.

The results are measurable. According to Visa’s 3D Secure data:

45% fraud reduction on 3DS-authenticated transactions compared to non-authenticated
85% of 3DS2 transactions route through the frictionless flow (no customer challenge required)
70% decrease in cart abandonment compared to 3DS1
4% authorization rate increase combined with 7 basis points fraud reduction

The business case for 3DS2 goes beyond fraud reduction. Successful 3D Secure authentication triggers a liability shift: if fraud occurs on an authenticated transaction, the card issuer bears the loss instead of the merchant. This applies to both the transaction amount and the associated chargeback fees.

European markets require 3DS2 under PSD2’s Strong Customer Authentication (SCA) mandate for transactions above EUR 30. Similar requirements exist in the UK, India, Japan, and Brazil. Even in markets without regulatory mandates, implementing 3D Secure is increasingly table stakes for managing CNP risk.

Tokenization: Protecting card data at the source

Tokenization replaces actual card numbers with randomly generated tokens that have no value outside your specific payment environment. If someone breaches your database and steals tokenized data, they can’t use it to make purchases elsewhere.

The fraud prevention impact is significant. Visa’s tokenization data shows:

28-30% fraud reduction with network tokenization compared to using PANs (primary account numbers)
40% fraud reduction specifically on CNP transactions when using network tokens
4-6% authorization rate increase on tokenized transactions

The authorization rate improvement comes from reduced false declines. Network tokens stay current even when a physical card is reissued, eliminating failed transactions from expired credentials. For subscription businesses or any model with recurring payments, this directly impacts revenue.

Tokenization also reduces your PCI DSS compliance scope. If card data never touches your systems because it’s tokenized before reaching you, you don’t need to meet the same compliance requirements as merchants who store raw card numbers.

78% of retail and e-commerce merchants now use tokenization according to 2023 industry data. For businesses not yet implementing it, the combination of fraud reduction, authorization improvement, and compliance scope reduction makes the business case straightforward.

PCI DSS v4.0 requirements for CNP

PCI DSS v4.0 became mandatory on April 1, 2025, with specific requirements targeting CNP and e-commerce environments. Two requirements deserve particular attention:

Requirement	What it mandates
6.4.3	Maintain inventory of all scripts on payment pages; implement controls to authorize script execution
11.6.1	Deploy tamper-detection mechanisms on payment pages that alert on unauthorized changes

These requirements address Magecart-style attacks where malicious scripts skim card data from checkout pages.

Non-compliance carries financial consequences. Fines start at $5,000-$10,000 per month and can escalate to $100,000 per month after six months of non-compliance, according to McDermott Law’s PCI DSS analysis.

For businesses evaluating how to meet these requirements, there are two paths: implement the technical controls yourself, or use a payment compliance solution that handles card data on your behalf, reducing your compliance scope.

The expanded MFA requirements in v4.0 also affect CNP operations. All access to cardholder data environments now requires multi-factor authentication, not just remote access. For businesses with payment processing integrated into their applications, this can require architectural changes.

How payment orchestration reduces CNP risk

Payment orchestration platforms address CNP challenges through a single integration point that connects to multiple payment processors, fraud tools, and authentication services. For businesses managing CNP risk, this architecture provides several advantages:

Advantage	How it works
Reduced attack surface	Single integration means fewer touchpoints where card data can be intercepted or compromised
Optimized 3DS2 routing	Route transactions to the processor with the best authentication performance for each transaction
Unified fraud rules	Consistent fraud logic regardless of which processor handles the transaction
PCI scope reduction	Card data tokenized before reaching your systems decreases compliance burden

A multi-processor strategy through orchestration applies consistent fraud logic regardless of which processor ultimately handles the transaction.

The financial case for orchestration in CNP environments connects directly to the statistics above. Every 1% improvement in authorization rates on $1 billion in volume represents $10 million in recovered revenue (Worldpay, 2025). Combine that with reduced fraud losses, lower chargeback rates, and decreased compliance costs, and the ROI calculation becomes clear.

For e-commerce PCI compliance specifically, orchestration offers a path to meeting v4.0 requirements without extensive internal technical investment. The platform handles payment page security, tokenization, and authentication while you focus on your core product.

Frequently asked questions

What percentage of e-commerce transactions are card-not-present?

63% of global transactions occur in CNP environments (37% online, 26% mobile apps), according to Datos Insights 2024 research. This share has grown consistently as consumers shift purchasing behavior toward digital channels.

How much does CNP fraud cost businesses annually?

$10.16 billion in the U.S. alone in 2024, representing 74% of all card fraud. Global CNP fraud is projected to reach $28.1 billion by 2026 according to Juniper Research. When accounting for chargebacks, fees, and operational costs, merchants lose $4.61 for every $1 of fraud.

What is 3D Secure and does it prevent CNP fraud?

3D Secure 2.0 adds identity verification to online payments through risk-based authentication. Visa data shows 45% fraud reduction on authenticated transactions compared to non-authenticated. Successful authentication also shifts fraud liability from the merchant to the card issuer, eliminating chargeback exposure on those transactions.

How can I reduce chargebacks on CNP transactions?

Implement 3DS2 authentication to shift liability to issuers. Use tokenization to prevent credential theft that leads to fraud-based chargebacks. Deploy real-time fraud scoring to block suspicious transactions before they complete. Ensure your transaction descriptors clearly identify your business so customers recognize charges on their statements.

Does PCI DSS apply to card-not-present transactions?

Yes. PCI DSS v4.0 (mandatory April 2025) adds specific CNP requirements including payment page script inventory (6.4.3) and tamper detection (11.6.1). These requirements address the specific vulnerabilities of online payment environments.

Who is liable for fraud in card-not-present transactions?

The merchant bears full liability unless 3D Secure authentication is successfully completed, which shifts liability to the card issuer. This liability shift applies to both the transaction amount and associated chargeback fees, making 3DS2 implementation a financial necessity for CNP merchants.

What is the true cost of a chargeback?

Merchants lose $4.61 for every $1 of fraud in 2025 when accounting for merchandise, fees, operational costs, and potential penalties, according to the LexisNexis True Cost of Fraud Study. This represents a 37% increase from 2020, reflecting rising operational complexity and stricter network enforcement.