Online fraud
What is online fraud?
Online fraud refers to any criminal activity carried out through the internet with the goal of obtaining illicit financial gain through deception, impersonation, or data manipulation. In the context of digital payments, it includes everything from unauthorized use of credit cards in CNP (card‑not‑present) transactions to schemes such as phishing, identity theft, and refund fraud or chargeback fraud. For any ecommerce business, it is not just a security issue: it is a profitability issue that erodes margins, increases operational costs, and destroys conversion rates.
How online fraud works

The process varies depending on the fraud type, but the operational cycle follows a recognizable pattern:
- Data acquisition: attackers obtain payment credentials through phishing, Magecart‑type malware, large‑scale data breaches, or social engineering.
- Card testing: bots launch micro‑transactions against payment gateways to verify whether stolen card data is valid. Without velocity controls or IP limits, the virtual POS becomes a tool for the fraudster.
- Execution of the fraudulent purchase: once the cards are validated, criminals make high‑value purchases at merchants with weak ecommerce fraud prevention controls.
- Monetization: goods are resold or a refund is requested before the merchant detects the anomaly, generating a chargeback that the business must absorb, with both financial and reputational impact.
An ecommerce business with a chargeback rate above 1% may be classified as a high‑risk merchant by card schemes, increasing processing fees and potentially leading to termination of the acquiring contract.
Regulatory impact and applicable security in online fraud
The European and Spanish regulatory framework establishes specific obligations to combat online fraud in digital payments:
PSD2 (Payment Services Directive 2) requires Strong Customer Authentication (SCA) for most electronic payments. This means verifying at least two factors (possession, knowledge, or inherence) through protocols such as 3D Secure 2. Regulated exemptions (low‑value transactions, transaction risk analysis, or trusted beneficiaries) help reduce friction without compromising security.
The PCI DSS v4.0 standard requires any entity that stores, processes, or transmits card data to implement 12 core security requirements, including strong encryption, continuous access monitoring, and vulnerability management. If the merchant uses tokenization and delegates PAN handling to its payment provider, its PCI scope is drastically reduced.
In Spain, Royal Decree‑Law 19/2018 transposes PSD2 and reinforces the liability of the payment service provider. The cardholder’s maximum liability for unauthorized transactions is 50 € if they notify promptly.
The EBA/GL/2020/01 guidelines on PSD2 fraud reporting require payment service providers to periodically submit structured fraud data to the supervisor.
Operational advantages and disadvantages
| Aspect | Advantage of controlling fraud | Risk of not acting |
|---|---|---|
| Conversion | Smart SCA with exemptions keeps approval rates above 90% | Mass declines from issuers detecting suspicious patterns |
| Costs | Reduction in chargebacks and associated fees | Direct loss of goods, transaction amount, and dispute fees (15–50 € per chargeback) |
| Reputation | Increased trust from customers and acquirers | Classification as a high‑risk merchant or contract termination |
| Compliance | Alignment with PSD2, PCI DSS, and AML/CFT | Regulatory fines and higher processing fees |
The operational key is balance: overly aggressive fraud rules generate false positives that block legitimate sales. The combination of well‑orchestrated 3D Secure, tokenization, velocity checks, and hybrid monitoring (deterministic rules plus human review) allows businesses to protect revenue without sacrificing conversion.
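A velocity check of the kind named above, applied to the card-testing pattern described under how online fraud works, is sketched below as an added example that is not part of the original page or any provider's code. The thresholds, field layout, tokens and sample events are all constructed assumptions. It counts distinct card tokens per IP rather than raw request volume, so a customer retrying one card is not flagged, and it routes borderline cases to human review instead of blocking outright.

```python
from collections import defaultdict, deque

# Hypothetical thresholds (assumptions, tune against your own traffic).
WINDOW_S = 60        # sliding window length in seconds
REVIEW_CARDS = 3     # distinct cards per IP in the window -> human review
BLOCK_CARDS = 5      # distinct cards per IP in the window -> block
MICRO_AMOUNT = 2.00  # EUR; card testing relies on micro-transactions

# Constructed sample authorisation attempts: (epoch_s, ip, card_token, amount_eur)
SAMPLE = [
    (1000, "203.0.113.7", "tok_a", 1.00),
    (1004, "203.0.113.7", "tok_b", 1.00),
    (1005, "198.51.100.20", "tok_z", 49.90),  # real customer, first try declined
    (1009, "203.0.113.7", "tok_c", 1.00),
    (1013, "203.0.113.7", "tok_d", 1.00),
    (1015, "198.51.100.20", "tok_z", 49.90),  # same customer retrying the same card
    (1018, "203.0.113.7", "tok_e", 1.00),
    (1200, "203.0.113.7", "tok_f", 1.00),     # same IP after the window has expired
]

def velocity_decisions(events, window=WINDOW_S):
    """Return [((ts, ip), decision)] with decision in allow/review/block."""
    recent = defaultdict(deque)  # ip -> (ts, token) of recent micro-amount attempts
    out = []
    for ts, ip, token, amount in sorted(events):
        q = recent[ip]
        # Expire attempts that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if amount <= MICRO_AMOUNT:
            q.append((ts, token))
        # Distinct cards, not request count: retries of one card stay at 1.
        distinct = len({t for _, t in q})
        if distinct >= BLOCK_CARDS:
            decision = "block"
        elif distinct >= REVIEW_CARDS:
            decision = "review"   # deterministic rule hands off to a human
        else:
            decision = "allow"
        out.append(((ts, ip), decision))
    return out

if __name__ == "__main__":
    for (ts, ip), decision in velocity_decisions(SAMPLE):
        print(ts, ip, decision)
```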
According to Spanish financial sector data, credit card fraud in CNP transactions accounts for more than 40% of cybercrime cases in the banking sector, making active prevention an operational necessity rather than an option.