Card-not-present (CNP) fraud is the dominant fraud type for ecommerce merchants. Without a physical card to verify, every online transaction carries inherent authentication risk. Understanding CNP fraud mechanics and implementing the right prevention tools is essential for any WooCommerce store processing card payments.
ConvesioPay includes a full CNP fraud prevention stack (AVS, CVV, 3DS2, device fingerprinting, and velocity controls) built into every WooCommerce integration.
1. What Is CNP Fraud?
Card-not-present fraud occurs when stolen card details are used to make a purchase without the physical card being present. In ecommerce, the card is never physically swiped or tapped; payment is made by entering card numbers, expiry dates, and CVV codes. Fraudsters who obtain these details (through data breaches, phishing, or dark web purchases) can use them to buy goods online.
CNP fraud is fundamentally harder to prevent than card-present fraud because there’s no EMV chip authentication, no PIN, and no visual card verification possible.
2. Address Verification Service (AVS)
AVS checks the billing address provided at checkout against the address on file with the card issuer. It validates the numeric street address and ZIP/postal code separately, returning a response code for each.
Common AVS response codes:
| Code | Meaning | Recommended action |
|---|---|---|
| Y | Street and ZIP both match | Proceed |
| A | Street matches; ZIP does not | Proceed with caution; review high-value orders |
| Z | ZIP matches; street does not | Proceed with caution |
| N | Neither street nor ZIP matches | Decline or hold for manual review |
| U | Information unavailable | Common on international cards; apply alternative screening |
Best practice: decline transactions with a full AVS mismatch (code N) for domestic cards. For international cards where AVS isn’t available, apply additional friction: a 3DS2 challenge or manual review for high-value orders.
For full AVS details, see Address Verification Service (AVS): How It Works and When to Use It.
3. CVV Verification
The CVV (Card Verification Value) is the 3–4 digit security code on the physical card. Requiring CVV at checkout confirms the purchaser has physical possession of the card. The CVV should never be stored and isn’t included in most data breaches.
Always require CVV for card-not-present transactions and decline orders where CVV fails. A CVV failure rate above ~2% for your store may indicate a card testing attack; if you see one, review your authorization logs.
4. 3D Secure 2.0
3DS2 is the most powerful CNP fraud prevention tool available. It adds an authentication layer where the issuing bank verifies the cardholder’s identity before authorizing the transaction. For authenticated transactions, fraud chargeback liability shifts from the merchant to the issuer.
3DS2 improvements over legacy 3DS1:
- Frictionless flow — most low-risk transactions authenticate silently, with no cardholder action required
- Risk-based authentication — issuers use rich transaction data (device, behavior, history) to decide whether to challenge
- Mobile-native — supports biometric authentication in banking apps
- SCA compliance — required for European merchants under PSD2 Strong Customer Authentication rules
ConvesioPay supports 3DS2 natively through Adyen’s infrastructure. See 3D Secure Payments: What Merchants Need to Know About 3DS2.
5. Device Fingerprinting
Device fingerprinting collects technical attributes of the customer’s device (browser version, screen resolution, installed fonts, IP address, timezone, etc.) to create a unique identifier. This identifier is used to:
- Recognize returning customers across sessions (positive signal)
- Detect devices associated with prior fraud attempts
- Identify multiple accounts using the same device (potential fraud ring)
- Detect VPN, proxy, and TOR usage (elevated risk)
Device fingerprinting is transparent to legitimate customers and adds no checkout friction.
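A minimal sketch of how such an identifier can be derived and used for three of the purposes listed above (returning customer, prior fraud, several accounts on one device). This is an added example, not ConvesioPay or Adyen code: the exact-match hash, the attribute names and the session data are assumptions, and VPN/proxy/TOR detection is left out because it needs external reputation data.

```python
import hashlib
import json
from collections import defaultdict


def fingerprint(attrs):
    """Hash the canonicalised device attributes into a short identifier."""
    canon = {
        "browser": attrs["browser"].strip().lower(),
        "screen": attrs["screen"],
        "fonts": sorted(set(attrs["fonts"])),  # font order is not stable
        "timezone": attrs["timezone"],
        "ip": attrs["ip"],  # exact match: a network change yields a new id
    }
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:16]


def assess(sessions, fraud_devices):
    """Return (account, fingerprint, signals) for each session, in order."""
    accounts_by_device = defaultdict(set)
    results = []
    for account, attrs in sessions:
        fp = fingerprint(attrs)
        signals = []
        if account in accounts_by_device[fp]:
            signals.append("returning")          # positive signal
        if fp in fraud_devices:
            signals.append("prior_fraud")        # device seen in earlier fraud
        accounts_by_device[fp].add(account)
        if len(accounts_by_device[fp]) > 1:
            signals.append("shared_device")      # several accounts, one device
        results.append((account, fp, signals))
    return results


def sample_sessions():
    """Constructed data: alice returns once; device B is used by three accounts."""
    dev_a = {"browser": "Firefox 126", "screen": "1920x1080",
             "fonts": ["Arial", "Verdana"], "timezone": "Europe/Berlin",
             "ip": "198.51.100.4"}
    dev_a_again = dict(dev_a, fonts=["Verdana", "Arial"], browser=" firefox 126")
    dev_b = {"browser": "Chrome 125", "screen": "1366x768",
             "fonts": ["Arial"], "timezone": "UTC", "ip": "203.0.113.9"}
    return [("alice", dev_a), ("alice", dev_a_again),
            ("acct-1", dev_b), ("acct-2", dev_b), ("acct-3", dev_b)]
```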
6. Velocity Checks
Velocity rules monitor the rate of transactions from a given source. Common velocity rules for CNP fraud prevention:
- Block cards with more than 3 declined authorization attempts in 24 hours
- Flag accounts placing more than 5 orders in a single day
- Hold orders from an IP address that has been used for more than 10 transactions in an hour
- Review orders where multiple cards have been attempted on the same account or device
Velocity checks are particularly effective against card testing attacks, where fraudsters run automated scripts through your checkout to test stolen card validity.
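The four rules above as a rolling-window monitor, run over constructed authorization events that resemble a card testing burst. This is an added example, not ConvesioPay or WooCommerce code; the event fields, reading "a single day" as a rolling 24 hours, counting an approved authorization as an order, and the 24-hour multi-card window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# rule -> (event field, rolling window, limit, action); limits are those listed above.
RULES = {
    "card_declines":   ("card",    timedelta(hours=24), 3,  "block"),
    "account_orders":  ("account", timedelta(hours=24), 5,  "flag"),
    "ip_transactions": ("ip",      timedelta(hours=1),  10, "hold"),
}
MULTI_CARD_WINDOW = timedelta(hours=24)  # assumption: the page names no window


class VelocityMonitor:
    def __init__(self):
        self.hits = defaultdict(deque)    # (rule, key) -> event timestamps
        self.cards = defaultdict(deque)   # (kind, key) -> (timestamp, card token)

    def observe(self, ev):
        """Return [(action, rule), ...] for one event; feed events in time order."""
        ts, out = ev["ts"], []
        counted = {"card_declines": not ev["approved"],   # declines only
                   "account_orders": ev["approved"],      # assumption: approved = order
                   "ip_transactions": True}
        for rule, (field, window, limit, action) in RULES.items():
            if not counted[rule]:
                continue
            q = self.hits[(rule, ev[field])]
            q.append(ts)
            while ts - q[0] > window:     # drop events that left the window
                q.popleft()
            if len(q) > limit:
                out.append((action, rule))
        for kind in ("account", "device"):
            q = self.cards[(kind, ev[kind])]
            q.append((ts, ev["card"]))    # card is a token, never the card number
            while ts - q[0][0] > MULTI_CARD_WINDOW:
                q.popleft()
            if len({card for _, card in q}) > 1:
                out.append(("review", "multi_card_" + kind))
        return out


def sample_events():
    """Constructed data: one device alternating two card tokens, all declined."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    return [{"ts": t0 + timedelta(seconds=20 * i), "card": f"tok_{i % 2}",
             "account": "guest-17", "device": "dev-a", "ip": "203.0.113.9",
             "approved": False} for i in range(12)]
```

On the sample burst, the multi-card review fires at the second event, the card block at each token's fourth decline, and the IP hold at the eleventh transaction.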
7. Behavioral Analytics
Behavioral signals during the shopping session add another fraud detection layer:
- Session duration — very fast checkout (seconds) may indicate automated purchase; very slow checkout with many cart modifications may indicate manual fraud testing
- Mouse movement patterns — bot-like movement vs. natural human behavior
- Copy-paste detection — card numbers pasted rather than typed are common in fraud scenarios
- Number of sessions before purchase — legitimate customers typically browse; fraudsters often navigate directly to purchase
8. WooCommerce Implementation Checklist
For a WooCommerce store using ConvesioPay, the CNP fraud prevention checklist:
- ☑ Enable AVS with automatic decline for full mismatch (code N)
- ☑ Require CVV on all card transactions
- ☑ Enable 3DS2 — frictionless flow for low-risk; challenge for flagged transactions
- ☑ Configure velocity rules matching your order patterns
- ☑ Enable device fingerprinting in checkout
- ☑ Set order value thresholds for manual review (e.g., first-time customers over $500)
- ☑ Monitor authorization decline rate for spikes (card testing signal)
- ☑ Configure billing descriptor to be recognizable (reduces “unrecognized charge” disputes)
ConvesioPay’s CNP fraud prevention stack is built in and ready to configure from your WooCommerce dashboard.