Card-Not-Present fraud (CNP): Five things retailers can do to protect themselves from CNP attacks

February 2, 2021  |  Nahla Davies

This blog was written by an independent guest blogger.

Cybercriminals have been well ahead of the curve when it comes to cybersecurity in the online retail industry. Specifically, criminals have been exploiting changes in purchasing behavior that favor online transactions and adapting their methods to take advantage of the authentication challenges arising when a card is not present (CNP) at the time of the transaction. 

Indeed, in recent years, CNP fraud has become the predominant form of credit card fraud, accounting for more than 50% of all credit card-related financial losses. Unfortunately, when it comes to CNP attacks, both consumers and online retailers are only too willing to give hackers a helping hand. 

Consumers frequently fall victim to phishing attacks, lose their data to skimming attacks (where card data is stolen during a physical card transaction) or fail to verify that their transactions are taking place on secure websites. Meanwhile, numerous online businesses (particularly smaller, less sophisticated businesses) fail to properly secure their networks or implement sufficient methods of authenticating the identity of the card user during a transaction.

Fortunately, as detailed below, there are a number of precautions online retailers should consider to protect themselves and their customers from CNP attacks and provide the most secure online shopping experience possible. While many can be implemented internally, it is also always a good idea to consult a reliable provider of compliance solutions, particularly if an organization is not well-versed in cybersecurity.

1 - Ensure that your payment processing application is PCI compliant

As businesses continue to shift to online sales models, there is an increasing need for robust payment processing systems that can identify and defeat CNP attacks. Online retailers can suffer significant reputational effects when they have to disclose a large-scale attack affecting consumers’ financial data, as well as potential financial liabilities associated with individual attacks as they process chargebacks following a consumer’s challenge of a fraudulent transaction. 

This is why Compliance with Payment Card Industry (PCI) standards for payment processing software is not just a good idea, it’s an essential obligation of any business that collects credit card data or uses it in consumer transactions.

In early 2019, PCI released new standards designed to maximize security throughout the software development lifecycle (SDLC) of payment software, as well as during use in alpha, beta and commercial products.

One of the most important standards for organizations to follow is to have adequate testing of payment processing software during the development cycle. Developers should approach testing using both “white box,” inside-out testing early on in the SDLC (static application system testing of SAST) and “black box,” outside-in testing later in the SDLC (dynamic application system testing or DAST). 

SAST helps identify issues as the code is being built, while DAST identifies issues that arise in the runtime environment. Because each of these approaches has benefits and drawbacks, as software engineer Mark Preston of Cloud Defense discusses, a multi-layer approach is always required in order to ensure that the software you create is secure.

2  - Use additional authentication methods for each transaction

Multi-factor authentication methods have become standard for e-commerce and m-commerce (the mobile subset of e-commerce, which currently accounts for nearly 50% of all e-commerce transactions). Online retailers should continue to apply additional authentication methods during CNP transactions. 

Commonly-accepted methods include address verification or use of card verification value CVV codes. More advanced methods like 3D Secure (used by services such as Visa Secure and Mastercard Identity Check) require card users to verify their information with their bank or card provider directly through a separate screen as part of the transaction. 

And an increasing number of retailers are using biometric data, such as fingerprints or facial scans, as an added layer of verification. Organizations need to be diligent when using biometric data, however, as it poses potentially difficult issues with data privacy laws around the world.

3 - Use your help desk to identify and resolve fraud concerns

It is imperative that online retailers have systems in place to track CNP attacks and effectively use the data from the attacks to reinforce how their systems deal with future attacks. Putting a help desk in place through using appropriate help desk software can assist businesses in maximizing their prevention efforts. 

Help desks can be used to deal with processing customer concerns regarding payment security, as well as assisting less tech-savvy customers in ensuring the security of their transactions. 

The data collected (naturally with all proper data privacy protections in place) during help desk sessions can be used to build databases of customer identification information and customer preferences. 

Future transactions can then be vetted by comparison to customer data; for example, by building algorithms that cross-check a transaction against a customer’s known buying behavior. And both the customer profile and the verification algorithms can be improved over time using current artificial intelligence or machine learning techniques.

4 - Update, update, update

Despite years of warnings that out-of-date software poses security risks, many individuals and businesses still fail to update software in a timely manner. While much of the resistance to updates comes from legitimate concerns about reliability of updates, businesses must balance their concerns against the substantial security risks of failing to properly update software. 

The inconvenience of a small bug in functionality will never outweigh the costs associated with a significant data breach, whether they be reputational costs, revenue loss or chargeback costs.

Hackers will seek to exploit any security fault as soon as it occurs. And the frequency of attacks highlights the criticality of systematically applying updates. Focusing on the mobile device market alone reveals a stunning level of attacks; indeed, a new cyberattack on mobile devices is launched every 39 seconds, which highlights the urgency of updating your online payment systems frequently and consistently.

5 - Use tokenization

Finally, organizations should also consider payment systems that use tokenization, or the replacement of sensitive information such as credit card numbers with separate identifiers, typically single use. 

Depending on the type of token used, its use can also be limited to certain devices, merchants or payment systems, further minimizing the ability of a hacker to misuse the token.


Remember that any solutions an organization implements should be part of a comprehensive cybersecurity strategy that is continually tested, verified and updated. The rise of online shopping done on mobile devices will continue to drive payments to online systems where a card is not physically present at the time of the transaction. 

As a result, prudent organizations will need to double down on their efforts to secure their payment processing systems. At the end of the day, a well-implemented and tested payment system doesn’t just secure the payment process - it also secures the customer relationship and the organization’s reputation and finances. 

Share this with others

Featured resources



2024 Futures Report

Get price Free trial