- June 25, 2025
- Posted by: Gradeon
- Category: Compliance

Card-not-present (CNP) fraud is rising fast, especially in online payments. For UK businesses, particularly those operating in London, securing online transactions is now more critical than ever. PCI 3D Secure (PCI 3DS) offers a strong defence against CNP fraud by adding an extra layer of security during cardholder authentication.
In this guide, we’ll walk you through how PCI 3DS works, how it detects CNP fraud, and how to use it effectively to protect your customers and business.
What Is Card-Not-Present (CNP) Fraud?
CNP fraud happens when a transaction is made without physically presenting the card. It usually occurs online or over the phone. Since no physical card is involved, it’s easier for fraudsters to use stolen card information.
Common examples of CNP fraud:
- Online shopping using stolen credit/debit card numbers.
- Subscription signups with fake cardholder details.
- In-app payments without real user authentication.
For e-commerce businesses and financial institutions in the UK, CNP fraud can lead to chargebacks, financial losses, and damaged brand trust.
What Is PCI 3D Secure (PCI 3DS)?
PCI 3DS, also known as 3D Secure, is a security protocol designed by EMVCo to reduce fraud in online card payments. The “3D” stands for the three domains involved:
- Issuer domain – the bank that issued the card.
- Acquirer domain – the bank or merchant receiving the payment.
- Interoperability domain – the payment infrastructure (e.g., Visa, Mastercard).
PCI 3DS helps businesses verify if the person making the online transaction is the real cardholder, using tools like OTPs (one-time passwords), biometrics, or device fingerprinting.
How PCI 3DS Detects CNP Fraud
1. Real-Time Authentication
When a customer enters their card details, PCI 3DS triggers an authentication step before processing the payment. This real-time check ensures that the transaction is not coming from a fraudster.
2. Risk-Based Analysis
Advanced PCI 3DS solutions use machine learning and behaviour analysis. They review user behaviour (like device type, location, transaction value) to detect suspicious patterns.
For example:
If a user typically shops from London, and suddenly there’s a transaction from a foreign IP address, the system can flag or block it.
3. Secure Tokenisation
Instead of transferring raw card data, PCI 3DS uses tokenisation. Tokens are one-time codes that represent card information without exposing it, making it harder for hackers to use stolen data.
How to Prevent CNP Fraud Using PCI 3DS
1. Enable 3DS on All Online Transactions
If you run an e-commerce website or handle card payments online, enable PCI 3DS across all payment channels. Major card networks like Visa (Verified by Visa) and Mastercard (Mastercard Identity Check) already support it.
2. Work with PCI-Compliant Payment Gateways
Choose a payment processor that supports PCI DSS and PCI 3DS protocols. Make sure they have fraud detection tools integrated. This ensures your customer data stays safe and meets global security standards.
3. Educate Customers About 3D Secure
Let your customers know that the extra authentication step protects their data. Display trust badges and short messages during checkout to build confidence.
4. Use Adaptive Authentication
For returning customers or low-risk transactions, use frictionless authentication. It keeps the checkout smooth without compromising security.
Example:
A repeat customer from the UK, using the same device and card, could skip OTP verification if the system finds no red flags.
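The risk-based analysis and adaptive authentication described above can be illustrated with the following added example, which is not code from this guide or from any 3DS product. It uses fixed rules rather than machine learning, and the Txn fields, flag names and thresholds are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Txn:
    card_token: str   # token standing in for the card, never the raw card number
    device_id: str    # device fingerprint
    ip_country: str   # country resolved from the customer's IP address
    amount: float     # transaction value in GBP

def build_profile(history):
    """Summarise a customer's previously authenticated transactions."""
    return {
        "devices": {t.device_id for t in history},
        "countries": {t.ip_country for t in history},
        "cards": {t.card_token for t in history},
        "median_amount": median(t.amount for t in history),
    }

def risk_flags(txn, profile):
    """Return the red flags this transaction raises against the profile."""
    flags = []
    if txn.device_id not in profile["devices"]:
        flags.append("new_device")
    if txn.ip_country not in profile["countries"]:
        flags.append("unusual_country")
    if txn.card_token not in profile["cards"]:
        flags.append("new_card")
    if txn.amount > 5 * profile["median_amount"]:  # assumed threshold
        flags.append("high_amount")
    return flags

def decide(txn, history):
    """No flags: frictionless. Some flags: challenge (e.g. OTP). Three or more: block."""
    if not history:  # nothing to compare against, so always step up
        return "challenge", ["no_history"]
    flags = risk_flags(txn, build_profile(history))
    if not flags:
        return "frictionless", flags
    return ("block" if len(flags) >= 3 else "challenge"), flags

# Constructed sample history: a repeat UK customer on one device and one card.
HISTORY = [
    Txn("tok_A", "dev_1", "GB", 40.0),
    Txn("tok_A", "dev_1", "GB", 55.0),
    Txn("tok_A", "dev_1", "GB", 35.0),
]
```
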
Benefits of PCI 3DS for Businesses
Reduced Chargebacks
By authenticating users before a transaction, PCI 3DS shifts liability from the merchant to the card issuer in most cases.
Improved Customer Trust
Customers feel safer shopping when they know extra steps are taken to protect their payment information.
Compliance with PCI DSS Standards
Using PCI 3DS helps your business align with PCI DSS compliance requirements — a must for any company that stores, processes, or transmits cardholder data.
PCI 3DS for UK Businesses
For businesses in London and across the UK, adopting PCI 3DS is no longer optional. With the surge in digital payments post-pandemic and evolving fraud tactics, implementing PCI 3DS is now a key part of secure payment strategies.
Additionally, UK regulators and financial bodies are encouraging strong customer authentication (SCA) under the PSD2 regulation, making PCI 3DS a preferred method.
Final Thoughts
Card-not-present fraud is a real and growing threat, but with PCI 3D Secure, businesses can fight back. By adding strong authentication, using secure payment gateways, and educating users, you reduce your fraud risk and improve customer trust.
Whether you’re running an online store, a digital platform, or managing financial services in the UK, now is the time to embrace PCI 3DS.