Card-Not-Present Fraud in 2026: What Merchants Are Actually Seeing

The fraud picture merchants saw on their chargeback reports in 2025 is not the fraud picture they're seeing in 2026. The shift in the last twelve months has been faster than usual, driven by both attacker behavior (AI-assisted social engineering, more efficient enumeration tooling) and defender behavior (network-side authentication improvements that pushed certain attack patterns down). For merchants whose fraud rules were last meaningfully tuned more than a year ago, the rule set is almost certainly no longer optimized for what's actually arriving.

This is the merchant-side view of what's changed, what it means for the chargeback line on your P&L, and where the realistic adjustments sit.

1. Account takeover is up — and the playbook changed

Account takeover fraud against merchant accounts (rather than card accounts) is up materially across most retail verticals. The mechanic that's shifted: AI-assisted social engineering against customer-service channels is working at scale. Attackers who would previously have relied on credential-stuffing against the login form are now driving account takeovers through authenticated password-reset flows, SIM-swap-driven OTP interception, and increasingly persuasive customer-service impersonation.

For merchants, the practical implications:

• Classic ATO-detection signals (login-from-new-device, velocity, impossible travel) catch fewer of these attacks because the attacker has worked through the merchant's own recovery flows.
• Customer-service channels are now part of the fraud surface, not just a recovery path. Authentication of inbound contacts matters in ways it historically didn't.
• The post-takeover purchase patterns are evolving — fewer large single purchases, more smaller distributed ones designed to stay below merchant detection thresholds.

2. Card enumeration is down (mostly)

BIN-based enumeration attacks — the classic small-amount-validation pattern that probes stolen card ranges before fraud sells them on — are measurably down from 2025 levels. The decline tracks with network-side velocity controls, faster issuer-side decline cascading, and broader rollout of CVV2-required-by-default behavior across major gateways.

Two caveats. First, "mostly" matters: small merchants without sophisticated rate limiting and velocity rules continue to be enumeration targets, and the absolute volume on those targets hasn't shifted. The decline is concentrated where merchants invested in the controls. Second, the displaced volume hasn't evaporated — it shifted into harder-to-detect patterns.

3. Friendly fraud is quietly the largest dispute category

For a meaningful and growing share of card-not-present merchants, friendly fraud (sometimes called first-party fraud) is now the largest single dispute category — larger than classic third-party card fraud, larger than non-receipt disputes, larger than service-quality complaints. The shift has been gradual enough to escape headlines but large enough to matter on chargeback budgets.

Several mechanics drive it. The mainstreaming of chargeback-as-customer-service in some consumer populations — issuers' chargeback flows have become easier to file than the merchant's refund flow, and consumers are voting with their feet. The continued growth of card-on-file subscription billing — recurring charges that lose customer-side context easily and become chargeback candidates a few months in. And the post-2024 run of macroeconomic pressure on consumer budgets, which empirically correlates with friendly-fraud rates.

4. The signals that still work

Through all the noise, certain merchant-side signals remain durable in 2026:

• Customer history depth. A multi-year relationship with consistent purchase patterns remains one of the strongest fraud-negative signals available to merchants.
• Device-and-account binding.A device that's been associated with the customer's account through multiple sessions over time is a stronger signal than any individual session attribute.
• Behavioral consistency on high-friction flows. Address changes, payment-method changes, and customer-service interactions that match historical patterns vs. ones that don't.
• Bin-aware fraud rules. The fraud profile of debit vs. consumer credit vs. commercial credit vs. crypto-funded vs. prepaid varies enough that treating them as one category leaves real signal on the table.

5. Practical 2026 adjustments

For merchants who haven't recently retuned, the adjustments worth considering:

• Tighten the customer-service channel. Inbound-contact authentication, callback verification on high-value account changes, and friction on password-reset flows. The customer-service surface is where ATO is now landing.
• Build a friendly-fraud workflowdistinct from third-party fraud. Representment evidence, refund policy enforcement, and customer-communication patterns that work for one don't work for the other.
• Segment your dispute reporting so you can see friendly-fraud rates separately. The aggregate chargeback rate hides the trend; the segmented view surfaces it.
• Audit your enumeration controlsif you're a smaller merchant who hasn't previously prioritized them. Velocity, CVV2-required, minimum-transaction logic, and gateway-side rate limiting.

6. What the chargeback budget should look like

For most merchants, the right 2026 chargeback budget allocates more to friendly-fraud handling and less to classic third-party fraud rules than the 2024 budget did. The exact split is portfolio-specific, but the directional shift is consistent across merchant segments and large enough that "keep doing what we did last year" leaves real money on the table.

How Superior Payments helps

Superior AI segments your dispute history into third-party fraud, friendly fraud, non-receipt, and service-quality categories — surfacing where the actual losses are coming from rather than aggregating them into a single chargeback rate. For merchants with elevated friendly-fraud exposure, our automated representment workflow handles the evidence-bundling and submission directly.