Skip to content
DisputeCoach Freeze Risk

Card-Not-Present Fraud Chargebacks: 3DS & Authentication Guide

Card-not-present (CNP) fraud disputes claim the cardholder didn’t authorize an online, phone, or mail-order transaction. These are treated as fraud, carry critical freeze risk, and have low win rates without 3D Secure authentication.

What “Card-Not-Present Fraud” Means

Section titled “What “Card-Not-Present Fraud” Means”

This dispute occurs when:

  • A cardholder claims an online transaction was unauthorized
  • Card details were used without the cardholder’s knowledge
  • The transaction occurred in a card-not-present environment (no physical card)
  • Fraudsters used stolen card credentials for online purchases

Critical distinction: This is a fraud claim, not a service issue. The cardholder denies any knowledge of the transaction.

Common Triggers

Section titled “Common Triggers”
  • Stolen card credentials used for e-commerce purchases
  • Account takeover where fraudsters access customer accounts
  • Weak authentication (no 3DS, no CVV verification)
  • First-time customer with no purchase history
  • High-risk indicators (VPN, mismatched addresses, unusual behavior)

How Banks Evaluate CNP Fraud Claims

Section titled “How Banks Evaluate CNP Fraud Claims”

Issuers default to the cardholder on fraud claims. Their decision process:

  1. 3D Secure: Was 3DS authentication completed successfully?
  2. Device/IP evidence: Does it match the cardholder’s history?
  3. Fraud report: Did the customer file a police report?
  4. Transaction pattern: Does this match typical cardholder behavior?

Default position: Banks side with cardholders unless you have 3D Secure authentication or compelling device evidence.

Win Likelihood: Low (10-20%)

Section titled “Win Likelihood: Low (10-20%)”

Win probability: Low

You can improve odds only with 3D Secure:

Evidence That Wins

Section titled “Evidence That Wins”

3D Secure (3DS2) authentication - This is the game-changer
AVS and CVV match confirming address and security code
Device fingerprint matching customer’s known devices
IP address history matching previous successful orders
Account activity post-purchase (logins, usage, downloads)
Customer communication about the purchase

Evidence That Rarely Works

Section titled “Evidence That Rarely Works”

❌ Delivery proof alone (doesn’t prove cardholder ordered it)
❌ No 3DS authentication
❌ Generic transaction records
❌ “We have fraud prevention” statements
❌ Terms acceptance (fraudster can accept)

Freeze Risk Assessment: Critical

Section titled “Freeze Risk Assessment: Critical”

Freeze risk: Critical

Why CNP fraud disputes are extremely dangerous:

  • Fraud rate tracking: Counts toward fraud rate (stricter than dispute rate)
  • Lower thresholds: 0.5% fraud rate vs. 1% dispute rate
  • Immediate action: 2-3 CNP fraud disputes can trigger holds
  • Network penalties: Visa/Mastercard impose fines for high fraud rates
  • Account termination: Persistent fraud leads to permanent closure

Critical thresholds:

  • 0.4% fraud rate: Monitoring begins
  • 0.6% fraud rate: Reserve or hold highly likely
  • 0.75% fraud rate: Account freeze or termination risk

Prevention: Implement 3D Secure

Section titled “Prevention: Implement 3D Secure”

The 3D Secure Advantage

Section titled “The 3D Secure Advantage”

3D Secure (3DS2) shifts liability from you to the issuing bank:

  • Liability shift: If 3DS succeeds, the bank bears chargeback liability
  • Auto-win: CNP fraud disputes with successful 3DS are typically reversed
  • Lower fraud: 3DS reduces fraud rates by 50-70%

Implementation: Enable in Stripe Dashboard → Settings → Radar → Rules

Essential Fraud Prevention Tools

Section titled “Essential Fraud Prevention Tools”
  1. 3D Secure (3DS2): Mandatory for CNP transactions - shifts liability
  2. Stripe Radar: Machine learning fraud detection (included)
  3. AVS verification: Validates billing address
  4. CVV verification: Confirms card security code
  5. Device fingerprinting: Tracks suspicious devices
  6. Velocity limits: Restrict transactions per card/IP

Operational Best Practices

Section titled “Operational Best Practices”
  • Require 3DS for all transactions over $100
  • Require 3DS for first-time customers
  • Manual review for high-risk orders (VPN, mismatched data)
  • Delay fulfillment 24-48 hours for suspicious orders
  • Clear billing descriptors to prevent confusion
  • Customer verification for high-value purchases

Clear Verdict: When to Fight vs. Accept

Section titled “Clear Verdict: When to Fight vs. Accept”

Fight Only If You Have:

Section titled “Fight Only If You Have:”

Successful 3D Secure authentication (this is critical)
✅ Device/IP match with customer history
✅ Account activity post-purchase
✅ Direct customer communication
✅ Fraud rate below 0.4%

Accept Immediately If:

Section titled “Accept Immediately If:”

No 3D Secure authentication
❌ First-time customer with no history
❌ Suspicious order signals (VPN, mismatched addresses)
❌ Fraud rate already elevated (greater than 0.5%)
❌ Multiple fraud disputes in past 60 days

Strategic acceptance: Without 3DS, you will likely lose. Accept to minimize fraud rate impact.

Response Timeline

Section titled “Response Timeline”

You have 7-21 days to respond.

Action plan:

  1. Day 1: Check for 3DS authentication logs
  2. Day 1-2: Gather device/IP evidence
  3. Day 3-5: Build evidence package
  4. Day 5-7: Submit via Stripe Dashboard

What to Submit If Fighting

Section titled “What to Submit If Fighting”

Your evidence package should include:

  1. 3DS authentication logs (most important)
  2. AVS/CVV match results
  3. Device fingerprint and IP data
  4. Account activity logs
  5. Customer communication
  6. Delivery proof (if physical goods)

Format: PDF leading with 3DS authentication proof.

Assess Your Dispute Risk (30 seconds)

Related guides: Unauthorized10.4 FraudWhen NOT to Fight1% Chargeback Rate