
Card-not-present fraud — usually shortened to CNP fraud — is any fraudulent transaction made without the physical card being presented to the merchant. The category includes anything paid for online, by phone, by post, or by email. CNP fraud is a subset of payment-card fraud generally, but in markets where chip-and-PIN has driven down counterfeit and lost-or-stolen card-present fraud, CNP has become the largest remaining fraud category by value.
UK Finance figures put CNP losses at around 80 per cent of total card-fraud losses by value. A similar pattern holds in the US, where CNP fraud overtook card-present fraud after the 2015 EMV liability shift.
A phone payment looks superficially safer than an online payment because there is a human on the other end of the line. In fraud-detection terms, that human is mostly working blind. They cannot see the card. They cannot verify the cardholder. They cannot check a device or browser fingerprint. They are listening to a stranger read out card numbers, and the controls available to them only report back once the details have been keyed and submitted for authorisation: AVS result, CVV2 match, fraud-screen score.
This is why phone payments contribute disproportionately to CNP fraud loss for any contact centre that processes them: the fraud rate per transaction is typically two to four times higher than for e-commerce.
Five patterns dominate phone-payment fraud in 2026:
Account takeover with social engineering. The fraudster has obtained the cardholder's name, address, date of birth and last few transactions from a separate breach. They call the contact centre claiming to be the cardholder, pass identity verification, and either change the registered address (so future fraudulent online orders ship to them) or place a phone order with the new shipping address.
BIN testing through low-value transactions. The fraudster runs a series of small phone-payment transactions through different agents over a short window to find which cards still authorise. The tell-tale signals are sequential card numbers, similar small amounts, and geographically inconsistent billing addresses.
Refund fraud. The fraudster places a normal-looking phone order using a stolen card, then calls back claiming the order did not arrive and requests a refund to a different card or bank account.
Synthetic identity sign-up. A new account or recurring-payment mandate is set up using a constructed identity: a real name, a real date of birth and a real address, but belonging to different people. Phone-payment flows that are not tied to a strong identity-verification step are particularly exposed.
Agent-side internal fraud. Less common, but the most damaging per incident. An agent records or memorises card details from inbound calls and uses them later. It almost always involves call recordings that captured DTMF tones or card numbers spoken aloud, which the agent replays outside the contact-centre environment.
The fifth pattern is the one DTMF masking eliminates entirely. The first four require operational and technical controls together.
The strongest single technical control against phone-payment CNP fraud is removing card data from the agent leg in the first place. If the agent never hears or sees the card details, internal fraud is structurally impossible and the call recording cannot be replayed to harvest card data. This is what DTMF masking does — the customer keys their card details on their handset, the tones are intercepted before they reach the agent's audio, and the recording captures silence in place of card data.
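To make the data-path argument concrete, here is an added example, not Paytia's implementation and not code from this page, of a minimal DTMF masking stage written in plain Python. It detects keypad tones in the customer's audio with the Goertzel algorithm, substitutes silence on the copy that feeds the agent and the recorder, and routes the digits to a separate capture buffer that is Luhn-checked before it would go to the gateway. The 8 kHz sample rate, the 205-sample frame size, the synthetic call audio, the test PAN and all function names are assumptions; a production implementation sits in the telephony path, not in application code.

```python
"""Added example: a toy DTMF masking stage for a phone-payment call leg.

Assumptions (not from the page, not Paytia's code): 8 kHz mono PCM floats in
[-1, 1], 205-sample analysis frames, and a synthetic call constructed inline.
"""
import math

SAMPLE_RATE = 8000
FRAME = 205                 # samples per analysis frame (~25 ms at 8 kHz)
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
MIN_POWER = 0.02            # normalised power a row/column tone must reach to count as present


def goertzel_power(frame, freq):
    """Power of `freq` in `frame`, normalised so a unit-amplitude sine gives ~1.0."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (len(frame) / 2.0) ** 2


def detect_digit(frame):
    """Return the DTMF key in `frame`, or None unless a row tone and a column tone are both present."""
    rows = [goertzel_power(frame, f) for f in ROW_FREQS]
    cols = [goertzel_power(frame, f) for f in COL_FREQS]
    r = max(range(4), key=rows.__getitem__)
    c = max(range(4), key=cols.__getitem__)
    if rows[r] < MIN_POWER or cols[c] < MIN_POWER:
        return None
    return KEYPAD[r][c]


def tone(freqs, n_frames, amplitude):
    """Constructed audio: a sum of sines lasting `n_frames` whole frames."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n_frames * FRAME)]


def dtmf(digit, n_frames=4):
    """Constructed key press: the row and column tones for `digit`, about 100 ms long."""
    r = next(i for i, row in enumerate(KEYPAD) if digit in row)
    return tone((ROW_FREQS[r], COL_FREQS[KEYPAD[r].index(digit)]), n_frames, 0.4)


def build_call(pan):
    """Constructed call: speech stand-in, the customer keying `pan`, more speech."""
    speech = tone((300, 2200), 8, 0.3)      # two sines standing in for voice
    gap = [0.0] * (2 * FRAME)               # pause between key presses
    audio = list(speech)
    for digit in pan:
        audio += dtmf(digit) + gap
    return audio + speech


def mask_call(audio):
    """Return (audio the agent and recorder may hear, digits captured for the gateway).

    Frames holding a keypad tone become silence on the agent/recording leg; the digit
    goes only to the capture buffer, registered once per key press rather than per frame.
    """
    masked, digits, last = [], [], None
    for i in range(0, len(audio) - len(audio) % FRAME, FRAME):
        frame = audio[i:i + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            masked.extend(frame)                 # speech passes through untouched
        else:
            masked.extend([0.0] * FRAME)         # tone never reaches agent or recorder
            if digit != last:
                digits.append(digit)
        last = digit
    return masked, "".join(digits)


def harvest_digits(audio):
    """What someone replaying a recording can recover: every keyed digit it still contains."""
    return mask_call(audio)[1]


def luhn_ok(pan):
    """Mod-10 check so a mistyped PAN is rejected before any authorisation attempt."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def process_payment_call(audio):
    """Run the masking stage and return what each party ends up holding."""
    masked, pan = mask_call(audio)
    valid = pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)
    return {
        "agent_and_recording": masked,                        # no digits recoverable from this leg
        "agent_sees": ("*" * (len(pan) - 4) + pan[-4:]) if valid else "",
        "pan_for_gateway": pan if valid else "",              # to the PSP, never to the agent desktop
    }


if __name__ == "__main__":
    raw = build_call("4242424242424242")                      # constructed test PAN
    print("unmasked recording leaks:", harvest_digits(raw))
    out = process_payment_call(raw)
    print("masked leg leaks:", repr(harvest_digits(out["agent_and_recording"])))
    print("agent sees:", out["agent_sees"])
```

Running the same detector over the unmasked audio recovers the full PAN, which is exactly the replay attack the fifth pattern describes; running it over the masked leg recovers nothing, so neither the agent's headset nor the recording archive holds anything worth stealing. Real deployments add tone-duration and twist checks and handle the caller keying over the agent's speech, but the structural point is the one shown here: the digits take a different path from the voice.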
Around DTMF masking, the standard CNP fraud control stack applies:
No single control catches everything. The combination matters more than any individual layer. For the broader compliance context behind these controls, see our overview of PCI DSS v4.0.1 for contact centres.
Three operational controls quietly do most of the work:
Agent training on social-engineering patterns. Most phone-payment account takeovers fail because an agent notices something off — caller hesitates on the maiden name question, asks about transactions the cardholder would already know, gets aggressive when challenged on identity. Training agents on these patterns and giving them an explicit escalation path is more effective than any automated control.
Escalation thresholds. A high-value transaction or a change-of-address request should trigger a defined escalation pattern — call-back to the registered phone number, verification through a second channel, or referral to a fraud team. The threshold should be set at the level where false-positive friction is worth the avoided loss.
Chargeback feedback loops. When chargebacks come back from the issuer, the contact centre needs to learn from them. Most contact centres treat chargebacks as a finance problem rather than a fraud-prevention signal. Closing this loop reduces fraud-detection blind spots.
Paytia is a phone-payment security platform. The flagship product, DTMF masking, removes card data from the agent leg, the call recording and the contact-centre LAN, closing the internal-fraud surface entirely and leaving the call-recording archive with nothing a card harvester could extract. Paytia has been PCI DSS Level 1 since founding, the highest tier, maintained through every revision of the standard. Up to 96 per cent of contact-centre PCI scope can be removed by routing card capture through Paytia, which means the controls listed above can be focused where they actually move fraud rates rather than spread thin across an oversized environment.
If you're sizing a CNP fraud prevention programme for a contact centre and you're not sure where DTMF masking and secure phone payments fit, talk to a Paytia specialist. We can walk through your current call leg in 30 minutes and tell you what's exposed and what isn't.
Used by British American Tobacco · Howard Kennedy · CITB · Clinical Partners · Trinity Hall College
Since 2016: building secure payments · PCI DSS Level 1: highest certification · 99.99% platform uptime · £40M+ transactions processed