Credit Card Fraud (CCF) happens when Peter uses Tom’s credit card.

Banks attempt to detect and prevent CCF by using Deterministic methods, Stochastic / Heuristic methods, or both.

Deterministic Methods

These are generally intrusive, i.e. they interrupt the normal workflow and adversely impact UX.

Bank challenges the credit card user with questions about Cardholder Name, Billing Address, CVV, PIN, OTP, etc.

If the credit card user provides this information correctly, he is deemed to be Tom, and the Bank deems the transaction to be genuine and authorizes it.

If information provided by the credit card user is incorrect, Bank can deem the transaction to be fraud and may stop it.

The boldface-italic style used in the last line is intentional: It’s really up to the bank to decide what to do with such transactions.

There are cases where banks have passed a transaction even though the User entered a wrong CVV. More at Mitigating Fraud Does Not Pay The Bills.

Stochastic / Heuristic Methods

These are generally non-intrusive, i.e. they run in the background and don’t impact UX too much.

Bank uses algorithms to process several pieces of data about the transaction e.g. physical location of User, IP address of User’s device, transaction value, cumulative transaction value for the month, average transaction value for given credit card #, and so on. Based on all that processing, a fraud metric – call it Fraud Potential Index – is computed. It could be on a scale of 0 to 100:

  • If FPI = 0, then transaction is definitely genuine. Bank approves the transaction.
  • If FPI = 100, then transaction is definitely a fraud. Bank declines the transaction.

FPI values in between the two extremes signify that the transaction has a certain fraud potential. A Bank takes a call on whether to approve or decline those transactions. Different banks may take different calls depending on how aggressive or conservative they are. Even the same bank could take different calls at different times.
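As an added illustration (not code from this article or from any bank), the sketch below computes an FPI from the data points listed above and shows two banks reaching different decisions on the same in-between transaction. The weights, the scaling rules, the field names and the two cut-offs are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    amount: float           # value of this transaction
    card_avg: float         # average transaction value for this card
    month_total: float      # cumulative value this month, before this transaction
    month_typical: float    # typical monthly spend on this card (assumed input)
    home_country: str       # cardholder's home country
    ip_country: str         # country geolocated from the device's IP address
    txn_country: str        # physical location of the user

# Assumed weights; they sum to 100 so the FPI stays on the 0-100 scale.
WEIGHTS = {"amount": 40, "monthly": 25, "ip": 20, "location": 15}

def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))

def fraud_potential_index(t: Txn) -> int:
    signals = {
        # 0 at or below the card's average value, rising to 1 at 5x the average
        "amount": clamp01((t.amount / t.card_avg - 1) / 4) if t.card_avg > 0 else 1.0,
        # 0 while the month stays within typical spend, rising to 1 at 2x typical
        "monthly": clamp01((t.month_total + t.amount) / t.month_typical - 1)
                   if t.month_typical > 0 else 1.0,
        "ip": float(t.ip_country != t.home_country),
        "location": float(t.txn_country != t.home_country),
    }
    return round(sum(WEIGHTS[k] * signals[k] for k in WEIGHTS))

def decide(fpi: int, decline_at: int) -> str:
    # Each bank picks its own cut-off for the in-between scores.
    return "decline" if fpi >= decline_at else "approve"

# Constructed sample transactions (not real data).
ROUTINE = Txn(40, 50, 300, 1000, "IN", "IN", "IN")
UNUSUAL = Txn(150, 50, 700, 1000, "IN", "SG", "IN")
EXTREME = Txn(500, 50, 1800, 1000, "IN", "SG", "US")
BANKS = {"conservative bank": 30, "aggressive bank": 60}  # assumed cut-offs

if __name__ == "__main__":
    for name, t in [("routine", ROUTINE), ("unusual", UNUSUAL), ("extreme", EXTREME)]:
        fpi = fraud_potential_index(t)
        print(name, fpi, {b: decide(fpi, cut) for b, cut in BANKS.items()})
```

The unusual transaction is three times the card's average and comes from a foreign IP address, so it lands in the middle of the scale, where the two banks' cut-offs give opposite outcomes.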

Should you be interested in knowing more, please see my article titled Controlling Credit Card Fraud Through Predictive Analytics.


Which, if any, credit card fraud detection and prevention methods are used by banks depends on the given bank, local business culture and local regulation.

As I pointed out in Winners Don’t Let Security Screw Up User Experience, “While many security technologies were invented in the USA, not many of them have been implemented there.” The sky hasn’t fallen there.

OTOH, as I pointed out in Why Do People Obsess Over Security And Then Make Payments Without A Password?, Indians are obsessed over security because they believe that fraud originated in India. Although they’re wrong, the Indian regulator has mandated extremely stringent fraud detection and prevention measures for credit card payments in India.

UPDATE DATED 28 JANUARY 2020:

I don’t know if anybody from the Indian regulator’s office read this answer or what but I’m happy to report that the regulator has now relaxed security measures for payments below INR 2000. Such payments now require only single factor authentication, unlike the two factor authentication required for all credit card payments in the past. I’m sure that the relaxed security regime will not lead to a disproportionate increase in credit card fraud in India but only time will tell how justified my optimism is.

https://twitter.com/s_ketharaman/status/1220730613902331906