Card Not Present Fraud Remains a Leading Concern as Payment Systems Evolve

Authorized push payment (APP) fraud has been center stage for a while now, both for the media and for the industry, driven by the growth of real time payments (RTP).

RTP has been a hit for both banks and consumers, largely because of the speed with which payments can now be made and settled. However, it's also introduced vulnerabilities into the payments ecosystem, creating unique opportunities for criminals and significant fraud management challenges for financial institutions. Understandably, a lot of industry and regulatory focus has been on these negative side effects.

Reality Check: Scams vs Card Fraud

With the rapid growth and volume of RTP, many predicted that it would replace payment cards over time and that APP fraud would overtake card fraud, including card-not-present (CNP) fraud. But the reality is somewhat different. While global fraud losses to APP fraud are projected to climb to $6.8 billion by 2027, it's not overtaking the biggest income generator for criminals: card fraud.

Card fraud accounted for a staggering $34 billion in worldwide losses during 2022 and is projected to reach $43 billion by 2026. It remains a key area of losses for banks and issuers, so it must continue to be a key focus for the industry.

Card payment fraud is driven substantially by CNP fraud. By 2030, CNP fraud is projected to reach an unbelievable $49 billion globally, and looks set to remain a leading channel for criminals. In Australia, for example, CNP fraud was up 33.8% with losses documented at $608.1M.

It's worth noting that digital wallets may be contributing to the CNP epidemic. Digital wallets have seen rapid growth and adoption worldwide, pushing card transaction values to an all-time high. In 2023, wallets accounted for 50% of global e-commerce spend.

The Tactics Keeping CNP Fraud at the Top

The ways criminals acquire personal data to commit CNP fraud continue to evolve. In recent years, data breaches have been driving a significant proportion of these opportunities, with a record-breaking number of data breaches taking place in 2023. And 2024 kicked off with the 'mother of all breaches' exposing 26 billion records of user information from popular services, including Twitter, Dropbox, LinkedIn, Adobe, Canva, and Telegram.

The breach involves 12 terabytes of leaked user data. This huge outpouring of consumer information has had a significant impact on fraud and the individuals affected by it. Around the globe, identity theft related crimes have seen at least 50% increases - 50% in APAC, 50% in EMEA, 52% in LATAM and 55% in North America.

Another tactic we're seeing more of is the use of card skimming devices. There has been a significant increase in compromised cards as a result. As I previously reported, total compromised debit cards were up 96% in 2023 and in bank ATM compromises were up 90%. It is a particular challenge in the US market where the FBI has estimated that card skimming costs consumers and banks around $1 billion annually.

And it is evolving into digital skimming - where fraudsters embed malware onto e-commerce sites to capture card payment information. A recent two-month operation in Europe culminated in Europol and law enforcement agencies from 17 countries highlighting 443 online sellers whose customer payment card data had been compromised. 119 million cards were found for sale on the dark web, with an estimated $9.4 billion in preventable fraud losses.

There have been initiatives to combat CNP fraud, a key one being 3D Secure - a three-part protocol providing an extra layer of authentication during a transaction. However, it experienced growing pains since launching in 2001. 3D Secure 2.2, the latest version released in 2018, has received more positive reviews and the Payment Services Directive (PSD2) made it mandatory in Europe in 2021. However, it is still optional in markets like the US.