Credit card fraud detection: protect your ecommerce business

Fraud represents a major worry for merchants and consumers alike. In 2022, fraud losses on UK-issued cards reached a staggering £556.3 million. And while stronger card authentication is helping to reduce card fraud, it remains prevalent.

The problem is especially apparent for online merchants. Ecommerce payment fraud continues to increase; Juniper Research estimates that global losses will reach $48 billion (~£39 billion) in 2023.

It's vital that ecommerce businesses learn to protect themselves against different types of fraud. This article will help merchants understand more about credit card fraud — including how to detect and reduce it. 

What is credit card fraud?

Credit card fraud refers to unauthorised transactions made using a counterfeit card, a stolen card, or stolen card details. There are various types of card fraud, and they can result in losses for both cardholders and merchants. 

Card fraud encompasses the misuse of lost or stolen cards, where fraudsters use a card that belongs to someone else to withdraw money at a cash point or make a purchase in a physical location. But that’s not the only way it happens. In many instances, card fraud results from perpetrators employing different techniques to access card details and then using that information to make a transaction online.

Types of credit card fraud

Within credit card fraud, there are two primary categories: card-present fraud and card-not-present (CNP) fraud. 

Card-present fraud happens when someone makes an unauthorised card payment in a physical location, such as a shop or a cash machine. Types of card-present fraud include:

• Counterfeit: transactions involving fake cards created with stolen card data

• Lost and stolen: when fraudsters exploit lost or stolen cards to make unauthorised purchases

• Card not received: where scammers intercept cards sent by banks through the post

CNP (also known as remote purchase fraud) fraud happens when someone uses card details that aren’t theirs to make purchases without possessing the physical card. This is the most common type, accounting for 84% of card fraud in recent years.

Fraudsters use various techniques to obtain card details and make remote purchases: 

• Data breaches: fraudsters often go after retailers and banks by exploiting security weaknesses to steal card details and other identity information to make transactions

• Phishing: criminals pretend to be legitimate organisations to trick others into sharing their card details through emails, websites, messages, or phone calls

• Skimming: criminals use devices at ATMs or point-of-sale terminals to capture card information

• Malware: fraudsters infect a device with malware to record keystrokes to steal card details

Credit card fraud vs. debit card fraud

While credit and debit card fraud share similarities, they're not the same thing. 

Debit cards take money directly from the user's bank account, causing immediate financial loss if unauthorised transactions occur. In contrast, credit cards are different because unauthorised charges don't immediately affect the cardholder's bank account. 

Some people consider credit cards safer because if fraudsters steal their credit card information, they can't empty their bank accounts. However, credit card fraud can hurt a consumer’s credit score.  

Both debit and credit card issuers tend to protect consumers in the case of card fraud, limiting their liability. However, this is generally under the condition that the cardholder promptly reports lost cards and any fraudulent transactions. 

Credit card fraud vs. chargeback fraud

With credit card fraud, a criminal makes an unauthorised transaction using someone else's card. In contrast, chargeback fraud, sometimes called friendly fraud, involves a legitimate cardholder falsely disputing a valid transaction, resulting in merchant losses.

Chargeback fraud can occur when a consumer wrongly initiates a chargeback because they mistakenly believed they didn’t authorize a payment. For instance, if they forgot they made a purchase or didn’t recognise the billing descriptor. Equally, it can happen when a customer purchases something and then fraudulently claims they didn’t authorise the transaction or receive the product. 

While card issuers and banks protect consumers from card fraud, merchants have little protection against chargeback fraud.

Consumers can initiate chargebacks through their banks, and merchants have to try to prove that the cardholder authorised the transaction. Although merchants can contest chargebacks, banks and card issuers often rule in favour of consumers, resulting in losses and chargeback fees for merchants. 

How card fraud impacts ecommerce merchants

Card fraud causes financial losses for merchants because they're often held liable. Additionally, instances of fraud give customers a negative image of the merchant, damaging customer trust and impacting retention.

Three parties could potentially be held liable for card fraud:

• The cardholder: if they violate the terms or conditions of the card agreement, are found to be negligent in safeguarding their card details, or fail to report the fraud in a timely manner

• The bank/card issuer: if their security or verification systems are inadequate

• The merchant: if they don’t comply with security regulations, their security systems fail, or if it’s deemed they didn’t do enough to verify the identity of the person making the payment 

In the case of card fraud resulting from large data hacks, insurance companies might also pay for some of the costs of the fraud. 

Usually, if the cardholder reports the fraud promptly, they're not held liable, or their liability is limited to a small amount (£50 or less). Banks tend to refund their customers, which means they lose money in the short term. However, banks and card companies can claim that the merchant is liable, blaming poor security. 

When the card was present for a transaction, the merchant can show it was authorised with chip and PIN. Regulators have introduced initiatives like strong customer authentication (SCA) to make CNP payments safer with extra verification steps. However, because CNP payments aren't authorised by a pin, they're still seen as less secure. The onus is on the merchant to secure their site and detect fraud, so they're liable for the losses if fraudsters get past their security measures. 

Clearly, this results in financial damage for online merchants. Let's say a fraudster uses a stolen card to purchase something from your online store. You'd end up having to refund the customer for the purchase amount, plus you lose inventory for the purchase. 

How to reduce card fraud 

Ecommerce businesses have good reason to worry about card fraud: it harms customers and hinders growth. Here are a few ways to address it:

Watch out for suspicious activity

If everyone who deals with orders and payments on an ecommerce team is alert to the signs of CNP fraud, they can block or pause any potentially fraudulent transactions they notice. 

Here are some potential indicators of card fraud to look out for:

• multiple attempts to place an order 

• orders made with the same card from different IP addresses 

• orders where the billing address and delivery address are different 

• multiple orders sent to the same delivery address

• unusual or spam-like email addresses 

Follow online payment best practices

Ecommerce merchants must take action to keep fraudsters from using stolen cards on their sites. In general, they’ll need to implement measures in their payment flows to verify that the person making the payment is the cardholder. 

Two-factor authentication (2FA) adds extra steps to a payment flow so customers can verify their identity. When 2FA is enabled, shoppers must enter additional information like a password or code sent via SMS to their phone. This makes it trickier for criminals to use someone else's card. 

SCA is now required for online card payments in the UK and most countries in the European Economic Area. This regulation means all ecommerce businesses should have extra authentication steps in their card payment flows. SCA asks customers to verify their identity with two of the following: 

• something they know — like a password

• something they own — like a card or a phone

• something they are — biometric data like fingerprints 

One way merchants can make sure they comply with these requirements is by using open banking payments, which have SCA built-in without adding any friction. 

Another way to make payments on an ecommerce site more secure is to ensure they operate in line with Payment Card Industry Data Security Standards (PCI DSS). PCI DSS is a set of regulations that protect sensitive financial information during transactions and when stored or processed by businesses. 

By complying with PCI DSS, merchants make it more difficult for hackers to obtain customers' card data. Non-compliance can leave merchants liable in the case of a data breach. 

Use card fraud detection software

Card fraud detection software makes it easier to spot fraud. It uses algorithms to automatically check transactions and alerts merchants to potential instances of fraud. It will pause or flag a transaction for review if it looks suspicious. 

Machine learning (ML) algorithms are making fraud detection software more effective. It finds patterns in a dataset without explicit programming. With ML, fraud detection systems can more accurately pinpoint fraudulent credit card transactions, decreasing the number of false positives. 

However, this kind of software is about detecting and blocking fraud, and while it helps, it’s not 100% effective. If businesses reduce fraudulent attempts, they won't need to spend as much energy and resources on detecting them. 

Offer secure checkout with open banking 

Even with added SCA steps, fraudsters can still steal cards and card details, making card payments inherently vulnerable to fraud. Offering alternative payment methods that are inherently more secure than cards helps protect businesses from credit card fraud. 

Open banking payments, for example, are more secure than card payments. While card payments use SCA, the implementation of SCA for online card payments remains inconsistent. Most examples today show that it adds significant friction to the online commerce experience. On the other hand, open banking user flows have been designed and refined to comply with SCA in a simple and consistent way.

Additionally, open banking helps to reduce instances of fraud because there are no opportunities for fraudsters to steal card details. Open banking providers connect securely with the customer's bank to initiate the payment — no sensitive information is shared with the merchant.

Read more about the advantages open banking has over card payments.