Card Not Present Fraud: Your Guide to Stopping It

Disputes & Chargebacks
Chargeback Tips & Statistics
Card Not Present Fraud: Your Guide to Stopping It
Losing money to card not present fraud? Learn how to detect, prevent, and automatically fight CNP chargebacks to protect your Shopify store's revenue.
April 12, 2026

If you run a Shopify store, card not present fraud is not a background risk. It’s a profit problem sitting inside your checkout.

Global card-not-present fraud reached $34 billion in 2023 and is projected to hit $49 billion by 2030, with cumulative card fraud losses forecasted at $404 billion over the next decade according to FICO’s analysis of payment fraud trends. That money doesn’t disappear in the abstract. It gets pulled out of merchant accounts, reversed through chargebacks, and turned into lost inventory, shipping costs, support time, and avoidable stress.

If you sell online, you’re in the blast zone by default.

The good news is that card not present fraud is not random. Fraudsters repeat the same patterns. Bad orders leave clues. Chargebacks follow a process. Once you know what attackers look for, what your payment stack can block, and what evidence banks respond to, you can stop more fraud upfront and recover more money on the back end.

Why CNP Fraud Is Costing Your Store Real Money

For a Shopify merchant, card not present fraud hits your P and L long before it shows up in a fraud report.

The loss starts with a bad order, but it rarely ends there. You can lose the sale, the inventory, the shipping cost, the payment processing fee, and the staff time needed to review the order and answer the customer. If the cardholder files a chargeback, you also take the dispute hit and the administrative burden that comes with it. One fake order can turn into a stack of small losses that wreck margin.

That is why we should treat CNP fraud as an operating cost problem, not just a checkout problem.

Why Shopify stores feel the pain faster

Online stores approve orders without the physical card, a chip read, or face-to-face verification. You are relying on billing data, device signals, address checks, shipping behavior, and order patterns. Fraudsters know that. They test stolen cards, exploit weak review rules, and place orders that look just legitimate enough to get through.

Shopify makes selling fast. It also makes it easy for attackers to move fast if your controls are loose.

The problem gets worse when you count only obvious stolen-card attacks. A chargeback filed as friendly fraud still drains revenue from your store. So does a first-party misuse dispute from a real customer. From your side, the financial outcome is the same. Money leaves your account, your team burns time, and your dispute rate gets harder to control.

What this means in practice

If you ship before you review risk, you are betting product and cash flow on incomplete information.

A workable defense has three parts:

  1. Stop clear fraud before payment approval
  2. Review risky orders before fulfillment
  3. Recover revenue after chargebacks with a repeatable process

Here, many Shopify merchants lose money. They install basic filters, trust that the payment gateway will catch the rest, and only react once disputes start piling up. That approach is expensive.

You need tighter screening upfront and a recovery system on the back end. ChargePay fits that second job. It helps automate chargeback recovery so fraud losses do not end at the order screen. That is the difference between absorbing fraud as overhead and actively pulling revenue back into the business.

Understanding Card Not Present Fraud and Its Types

Card not present fraud happens when someone uses payment credentials in a transaction where the physical card is not present. Online checkout is the most common example. So are phone orders, subscription rebills, and other remote payments.

A simple way to think about it is this. Buying in a store is like handing over your card at a counter. Buying online is like reading card details over the phone. One gives the merchant physical confirmation. The other depends on data.

A split image showing a credit card payment terminal and a person typing on a laptop screen.

That’s why e-commerce became the obvious target. The value of CNP transactions on major card networks surged more than fivefold between 2011 and 2021, from $360 billion to $1.8 trillion, according to Federal Reserve-linked analysis cited here. More online volume created a much bigger attack surface.

True fraud

This is what most merchants think of first.

A criminal gets stolen card data and uses it on your store. The legitimate cardholder never approved the purchase. If the order slips through and ships, you lose the product and often the revenue too.

Common signs include mismatched billing and shipping details, rushed shipping requests, and contact information that looks improvised.

Friendly fraud

This one frustrates merchants more because it looks legitimate at first.

The customer placed the order, received the product, and later disputes the charge anyway. Sometimes it’s confusion. Sometimes it’s buyer’s remorse. Sometimes it’s deliberate abuse.

If you want a deeper breakdown of that pattern, this guide on friendly fraud is worth reviewing because friendly fraud often gets mislabeled as standard card fraud when it is a post-purchase evidence problem.

Chargeback fraud

Chargeback fraud is the intentional version of friendly fraud.

The buyer knows the order was valid. They know the item arrived. They still file a dispute because they think the bank will reverse it faster than you can respond.

This is why a clean fraud strategy can’t stop at prevention. Some bad actors won’t show up until after fulfillment.

Why chip cards changed the game

The fraud shift didn’t happen by accident.

When EMV chip cards made in-person counterfeit fraud harder, criminals moved online. The card isn’t present in e-commerce, so they could still test stolen credentials and push purchases through digital checkouts.

Here’s a quick explainer that shows the difference between card-present and card-not-present risk in plain terms:

The three types at a glance

TypeWhat happensWhat you need
True fraudStolen card data is used without the cardholder’s permissionStrong checkout controls and fast order screening
Friendly fraudA legitimate customer disputes a valid purchaseClear order records and post-purchase evidence
Chargeback fraudA buyer knowingly abuses the dispute processTight documentation and aggressive representment

Most Shopify merchants don’t have one fraud problem. They have two. Bad orders at checkout, and bad disputes after delivery.

How Fraudsters Target Your Online Store

Fraudsters rarely start with the order you notice. They start with the test.

They probe your store, your checkout, your payment gateway rules, and your tolerance for small suspicious activity. If nothing blocks them, they scale.

Card testing attacks

A common playbook looks like this. The attacker gets stolen card data, points bots at your checkout, and runs tiny authorizations to see which cards still work.

A digital visualization showing a botnet attacking an online website form designed for credit card testing.

Card testing often involves bots making micro-transactions under $5. These scripts can attempt 10 to 50 charges per card across different IP addresses, and more than five failed authorizations in 60 seconds is a key sign of an attack, based on Stripe’s explanation of card-not-present fraud.

That pattern matters because merchants often ignore tiny failed transactions. Fraudsters count on that.

What it looks like in practice

  • Low-dollar attempts that don’t match your usual order size
  • Repeated declines from one device or a cluster of similar devices
  • Multiple cards used with the same shipping details
  • Rapid-fire checkout attempts within a short window

If you sell lower-priced products, card testing can blend into normal traffic. That’s why context matters. One small order is fine. A burst of them with mismatched details is not.

Account takeover

Sometimes the attacker doesn’t use a stolen card on a fresh guest checkout. They break into a real customer account.

Once inside, they can place orders with saved payment methods, use stored addresses, and look more legitimate than a first-time buyer. These attacks are harder to catch because the account history looks normal until the behavior changes.

Watch for login resets, sudden address changes, and high-risk orders from long-dormant customer accounts.

Triangulation fraud

This one is messier.

A fraudster runs a fake storefront, sells an item to a real consumer, then uses stolen card data to buy that item from a legitimate merchant like you and ship it to the consumer. The consumer gets the product. You get the chargeback later.

From your side, the order can look clean. The shipping address may even match the actual end customer. That’s why simple filters often miss it.

Fraudsters don’t need your store to be weak everywhere. They just need one blind spot they can repeat.

What attackers are really testing

They’re not just checking cards. They’re checking whether you:

  • Allow too many retries
  • Ship too quickly on risky orders
  • Trust old customer accounts too much
  • Lack alerting for unusual payment patterns

Once you see these attacks as systems, not isolated incidents, your response gets much better. You stop asking, “Why did this one order happen?” and start asking, “What pattern let this through?”

Essential Tools to Prevent Fraudulent Transactions

You don’t need a giant fraud team to tighten your store. You need your basic controls turned on and configured with intent.

For most Shopify merchants, the first line of defense is a simple stack: CVV checks, AVS checks, and 3D Secure. If one of these is off or loosely enforced, you’re leaving easy opportunities open.

CVV and AVS do the first screening

CVV checks whether the buyer has the card’s security code. It won’t stop all fraud, but it helps catch attackers who only have partial card data.

AVS compares the billing address entered at checkout with the billing address on file at the issuing bank. It’s useful because many stolen-card transactions fail on address details before they fail anywhere else.

If your team routinely approves mismatched AVS or missing CVV responses without reviewing the order context, you’re inviting preventable losses.

3D Secure adds issuer-side confirmation

3D Secure adds another layer by asking the cardholder’s bank to verify the transaction. That might mean a one-time passcode, biometric confirmation, or another issuer-driven check.

You should think of 3D Secure as selective friction. It’s not there to annoy good customers. It’s there to force risky transactions to prove themselves before you ship.

Tokenization matters more than most merchants realize

Tokenization replaces sensitive card data with a token so your systems and downstream tools aren’t handling raw card information where they don’t need to. It doesn’t solve every fraud problem, but it reduces exposure and makes payment data harder to misuse if something upstream gets compromised.

If you want a practical breakdown, this explanation of tokenization in payments covers where it fits inside a broader fraud stack.

Your real goal is not zero friction

A lot of merchants make the same mistake. They optimize checkout only for conversion and treat fraud controls as something that might hurt sales.

That’s backwards.

A healthy checkout creates targeted friction. Good buyers move through. Suspicious traffic hits more checks. You want your store to feel easy for customers and annoying for criminals.

A simple toolkit view

ToolWhat it checksWhy you should care
CVVWhether the shopper has the card security codeHelps catch incomplete stolen-card data
AVSBilling address match with issuer recordsSurfaces identity mismatches early
3D SecureBank-side customer verificationForces risky orders through stronger authentication

What to do inside your process

Don’t stop at payment gateway settings. Train your team to review suspicious orders with a standard routine.

  • Check contact consistency. Does the email match the buyer name? Does the phone number feel real and reachable?
  • Review shipping logic. Expedited shipping to a new address deserves more scrutiny than a normal order to a familiar destination.
  • Look outside the order. In some cases, especially with high-ticket goods, basic identity verification helps. If your team needs a general resource on performing online background checks, use it carefully and within your legal and operational standards.

Don’t approve “almost fine”

This practice is how stores lose money.

A lot of fraudulent orders are not obviously fake. They are slightly off. One mismatch. A rushed note. An unusual shipping request. A weak signal that gets ignored because the queue is long.

Merchant rule: If an order gives you two separate reasons to hesitate, pause it. Review before fulfillment, not after the dispute.

Basic controls won’t block every bad order. But when they’re set up properly, they remove a large share of easy fraud and make advanced attacks easier to spot.

Spotting Red Flags with Advanced Detection Methods

Once your baseline controls are in place, you need detection that looks at patterns, not just fields.

That’s where velocity checks, device fingerprinting, and behavioral analytics matter. These methods don’t ask only “Did the billing address match?” They ask, “Does this transaction behave like a real buyer?”

Why layered detection works

Countries that adopted broader layered defenses saw meaningful reductions. After the shift from in-person fraud to online fraud following EMV chip migration in 2015, layered defenses such as combining 3D Secure with risk modeling and real-time monitoring reduced CNP fraud by 20 to 30 percent in countries that adopted them widely, according to the Kansas City Fed briefing.

That’s the right model for Shopify too. One tool catches simple abuse. Multiple signals catch intent.

A computer monitor displaying complex red cybersecurity network graphics with two red flags on the desk.

Velocity checks

Velocity checks look for bursts.

A legitimate customer usually doesn’t submit repeated payment attempts in quick succession with multiple cards, names, or addresses. Fraud bots do. So do card testers.

Good velocity logic can flag:

  • Repeated authorization attempts within a short period
  • Multiple orders from one IP using different cards
  • Fast retries after declines
  • Clusters of small charges that don’t fit your normal pattern

Device fingerprinting

Device fingerprinting helps you see whether the same browser and device setup appears across different identities.

A fraudster can change names, cards, and email addresses quickly. They often don’t change the underlying device pattern cleanly enough. That gives you another layer of context.

If you’re not familiar with address-based validation, this guide to AVS address verification pairs well with device signals because AVS tells you whether the billing identity looks right, while device intelligence tells you whether the behavior looks familiar or suspicious.

Behavioral analytics

Behavior matters because fraudsters shop differently.

They may paste data into fields instead of typing naturally. They may skip browsing and go straight to checkout. They may choose unusual combinations of products because they aren’t shopping. They’re testing what gets approved.

Red flags that deserve review

  • Shipping and billing mismatch with no clear explanation
  • New customer account making a high-risk order immediately
  • Odd checkout behavior such as repeated retries or abrupt changes
  • Store behavior mismatch where the order pattern doesn’t resemble your normal customers

A single flag shouldn’t trigger panic. A cluster of flags should trigger a decision.

The point of advanced detection is not to block everything unusual. It’s to give you enough context to route orders correctly. Approve clean ones fast. Hold suspicious ones. Force stronger verification when the pattern says you should.

The Hidden Costs of a Single CNP Chargeback

A single card not present chargeback can turn a profitable Shopify order into a loss across multiple teams in one day.

You do not just lose the sale. You lose the product if it already shipped. You lose pick-and-pack time, postage, payment processing costs, and staff hours spent documenting a case you may still lose.

A diagram outlining the seven sequential steps involved in a Card Not Present chargeback and its associated costs.

One dispute creates multiple losses

For a Shopify merchant, the primary impact is operational.

A disputed order pulls money out of your cash flow fast. Then your team has to reconstruct what happened. They gather order details, customer emails, tracking records, policy pages, and checkout evidence. That work has a cost even before you know whether the issuer will rule in your favor.

If chargebacks keep showing up, the problem gets bigger than one bad order. Higher dispute activity can trigger processor reviews, reserve requirements, or stricter monitoring. That puts pressure on your margins and your ability to scale cleanly.

The cost is bigger than the fee

Many merchants fixate on the penalty and miss the rest of the bill.

The fee matters. The larger problem is everything attached to it:

  • Lost inventory when the item is never recovered
  • Shipping and fulfillment expense already spent on the order
  • Support and operations time tied up in case prep
  • Cash flow disruption while funds are held or reversed
  • Processor risk exposure if disputes remain high

If you want a clear breakdown of the processor side, this guide on what a chargeback fee is explains how each dispute adds direct cost beyond the refund itself.

PayPal can add another layer of work

If you sell through more than one payment channel, chargeback handling gets harder.

PayPal cases come with their own rules, evidence standards, and timelines. Your team cannot treat them like a standard card dispute and hope for the same result. This overview of PayPal chargeback disputes is useful if your team needs a legal-process view of how those cases can unfold.

Manual response gets expensive fast

Manual chargeback work looks manageable at low volume. On a growing Shopify store, it turns into margin leakage.

Different team members make different judgment calls. Evidence quality slips. Deadlines get missed. Valid disputes go uncontested because nobody has time to package the case properly. That is how preventable loss becomes routine.

The hidden cost is not abstract. It shows up in lower recovered revenue, wasted staff time, and more pressure from payment providers. If you want to protect margin, you need to treat every chargeback as both a fraud problem and an operations problem.

Automate Your Defense and Recover Lost Revenue

At some point, manual chargeback work stops being disciplined and starts being expensive.

You already know the pattern. A dispute comes in. Someone on your team exports order details, screenshots delivery status, checks customer messages, drafts a response, and hopes the evidence matches the reason code. That process is slow, inconsistent, and easy to get wrong.

Why automation matters now

The pressure on merchants isn’t easing. On some networks, merchant fraud loss rates more than doubled from 5.4 to 12.8 basis points between 2021 and 2023, and automated dispute tools that use network-specific data are critical for reversing this trend and achieving win rates over 90%, as noted in the Kansas City Fed briefing on newer fraud data.

That’s the key point. Prevention matters, but prevention alone won’t recover already-lost money. You need automated dispute operations too.

What good automation should do

A proper chargeback system should handle the work your team shouldn’t be doing by hand:

  • Pull evidence automatically from Shopify and connected systems
  • Match evidence to reason codes instead of sending generic responses
  • Submit before deadlines without relying on reminders and spreadsheets
  • Standardize quality so one strong analyst isn’t carrying the whole process

If your current workflow is inbox-driven, you’re not running a system. You’re reacting.

What to look for in an automated setup

Not every tool is worth adding.

Choose one that is built around representment quality, not just notifications. Alerts are useful, but alerts don’t win disputes. Evidence wins disputes. Reason-code alignment wins disputes. Fast submission wins disputes.

This guide to automated chargeback and dispute management using AI is a practical reference if you want to compare what manual teams do versus what a serious automated workflow should cover.

The outcome you want

You want a fraud stack that does two jobs:

  1. Reduce bad transactions before fulfillment
  2. Recover money from invalid or weak disputes after fulfillment

Too many merchants stop at filters and fraud apps. That leaves a huge gap. Some disputes will still happen, especially around friendly fraud and post-delivery claims. When they do, fast and structured representment is what protects your revenue.

A merchant who prevents some fraud but ignores dispute recovery is still leaving money on the table.

Your Practical CNP Fraud Action Checklist

You don’t need a theory deck. You need a store checklist your team can use.

Start with this.

Before orders are approved

  • Turn on CVV and AVS checks and make sure your team doesn’t casually override mismatches.
  • Use 3D Secure for risky orders instead of treating every checkout the same.
  • Review velocity patterns for repeated declines, small test charges, and bursts of attempts.
  • Set hold rules for orders with multiple warning signs before they reach fulfillment.

Before orders are shipped

  • Check customer details for consistency across email, phone, billing, and shipping.
  • Inspect account history when a long-quiet customer account suddenly places a risky order.
  • Pause unusual expedited shipments if the order has other suspicious signals.
  • Document everything you may need later, including tracking, delivery status, and customer communication.

When a chargeback arrives

  • Read the reason code carefully before responding.
  • Gather the right evidence instead of sending generic screenshots.
  • Respond fast because weak timing loses valid cases.
  • Track patterns so repeated fraud methods turn into updated rules, not repeated losses.

What to fix this week

  • Audit your Shopify fraud settings
  • Review your last disputed orders
  • Identify orders your team should have held
  • Put dispute handling on a real process, not a shared inbox

Card not present fraud won’t disappear. But it becomes much less expensive when you treat prevention and recovery as one system.


ChargePay helps Shopify merchants turn chargebacks from a constant drain into a managed process. It’s built for Shopify, carries a Built for Shopify badge, and has a strong star rating. ChargePay has handled numerous disputes, recovered significant revenue, and delivers a high win rate. If you’re tired of losing time and revenue to preventable disputes, install ChargePay from the Shopify App Store and let automation fight the cases for you.