Costing £212.6m each year in the UK and growing at an annual rate of 16 per cent, cardholder-not-present (CNP) fraud is now the biggest category of plastic card deception.
Criminals are highly innovative users of payment systems and London has become the capital of credit card swindles, closely followed by Manchester and Kilmarnock, with online retailers being severely hit.
The internet retail industry in the UK is growing at an exceptional rate and credit card fraudsters are attacking the softer targets of the online sector. As new banking channels have opened up – including internet and telephone banking and e-commerce – and credit card use has boomed, criminals have migrated to attack these less mature transaction methods.
The introduction of chip-and-Pin has also had a strong impact on UK fraud patterns, pushing card fraud to the internet, says Neil Wilson, financial crime director at high street bank Abbey.
‘While there has been a reduction in counterfeit and lost and stolen cards, there has been an increase in card-not-present fraud and a growth in cross border risks,’ he says. ‘Fraudsters have modified their behaviour to ensure economic returns are maintained in the light of growing technological complexity and by following the path of least resistance.’
Dishonestly obtained card details are generally used with fabricated personal details to make fraudulent CNP purchases. Paul Thomas, head of merchant acquisition at secure electronic payment processors Valu, says that the card details have normally been copied without the cardholder’s knowledge, taken either from discarded receipts or by skimming.
‘The key is that when the transaction goes through our payment processing system it is picked up,’ he says. ‘The UK is a particular hotspot for credit card fraud, with one in five card users having already been a victim.’
With CNP fraud currently representing almost half of all card losses, there is a lot that online retailers can do to minimise the risk. Mark Bowerman, spokesman for banking industry association Apacs, says it is important that merchants familiarise themselves with the contract they have with their bank and understand exactly where liability rests.
‘Often the contract will say that if a transaction is fraudulent then it will be the merchant who is liable, even if he has gained bank authorisation for the transaction,’ he says. ‘All authorisation means is that the card hasn’t been reported stolen and that there are sufficient funds or credit on the account.’
Although 36 per cent of consumers, according to a recent Ipsos Mori survey carried out on behalf of database specialist Secerno, would not put personal information online, 11 per cent of this group have still been victims of data theft. ‘Cardholders have a rather blasé attitude,’ says Bowerman. ‘You don’t have to be someone who shops online to be a victim of internet credit card fraud.’
To combat fraud, retailers should take a layered approach to its management. While criminals can often bypass a single scanning technique, it is less likely that they will be able to beat three or four different tools used together.
Third-party systems fall broadly into three categories: identity checking systems that verify names, addresses and other aspects of identity, including date of birth; rule-based systems and neural networks that can be built into payment processing systems to identify potentially deceitful transactions; and data sharing services that allow merchants to exchange available information on fraudulent activity.
The banking industry has developed the Address Verification Service (AVS) and Card Security Code (CSC) to help minimise fraud.
‘Unlike a Pin code or signature, neither AVS nor CSC is a full confirmation of the cardholder’s identity,’ says Bowerman. ‘However, when used together they allow merchants to decide whether to proceed with a transaction. Merchants implementing AVS/CSC have seen reductions of up to 70 per cent in fraud losses.’











