Card-not-present fraud (CNP)
Fraudulent use of stolen card details to make purchases online or by phone, where the physical card doesn't need to be presented.
Also known as: CNP fraud, online card fraud, no-card-present fraud
Last reviewed: 1 June 2026
Card-not-present (CNP) fraud occurs when a criminal uses someone else's card number, expiry date, and CVV to make purchases in environments where the physical card is not required — primarily online stores, phone orders, and subscriptions.
Card details used in CNP fraud are typically obtained through phishing, data breaches, malware on infected e-commerce sites (known as 'magecart' or web-skimming attacks), physical card skimming, or purchased from dark web marketplaces.
The introduction of 3D Secure (3DS2) authentication — the 'Verified by Visa' or 'Mastercard SecureCode' step — has reduced CNP fraud on participating merchants by requiring the genuine cardholder to approve transactions via their banking app. However, fraudsters continue to find workarounds, and many smaller merchants don't enforce 3DS.