Subscribe to the Non-Human & AI Identity Journal

What breaks when merchants rely only on CVV and two-factor authentication to stop friendly fraud?

Those controls stop stolen-card fraud, but they do not help when the cardholder is the person abusing the dispute process. Friendly fraud happens after a legitimate purchase, so the merchant needs evidence, behaviour monitoring, and customer-history signals rather than checkout authentication alone. The real failure is assuming identity verification at purchase also controls post-purchase abuse.

Why This Matters for Security Teams

CVV and two-factor authentication are designed to reduce stolen-card misuse at checkout, not to settle who authorised a legitimate order after the fact. That distinction matters because friendly fraud is a dispute problem, evidence problem, and customer-behaviour problem all at once. Merchants that treat checkout authentication as a complete fraud control often underinvest in delivery proof, device intelligence, refund history, and dispute workflows. NHI Mgmt Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, a reminder that weak identity assumptions often show up later in operational abuse paths, not just at login. See the Ultimate Guide to NHIs and the control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls for the broader governance pattern.

In practice, many security teams encounter chargeback abuse only after the payment flow has already “passed” every identity check.

How It Works in Practice

Friendly fraud usually unfolds after a normal transaction: the cardholder receives the goods or service, then claims the charge was unauthorised, not received, or not as described. CVV proves possession of card details at purchase time, and two-factor authentication may prove the payer controlled a second factor. Neither proves that the later dispute is honest. That is why merchants need layered evidence that can survive a chargeback review, including order history, login context, shipping confirmation, device signals, return behaviour, and support transcripts. The operational goal is not to stop all disputes, but to make legitimate transactions defensible and abusive patterns visible.

Current guidance suggests aligning fraud operations with a case-based evidence model rather than a checkout-only model. Useful signals include:

  • Delivery proof with timestamps, signatures, or geo-confirmation where appropriate.
  • Customer history such as repeat disputes, refund frequency, and account tenure.
  • Behavioural anomalies like rapid repurchases, account takeover indicators, or mismatched device patterns.
  • Policy evidence showing clear terms, fulfilment notices, and dispute-resolution steps.

This is also where identity governance intersects with payment fraud. A merchant that authenticates a buyer at checkout still needs to verify the integrity of the post-purchase journey, including customer service access, refund tooling, and internal roles that can approve exceptions. The strongest outcomes usually come from combining payment controls with lifecycle controls, similar to how Twitter Source Code Breach analysis illustrates the damage that follows when access assumptions are too narrow and downstream activity is not well governed. For control baselines, ISO/IEC 27001:2022 Information Security Management and NIST access-control expectations both support evidence retention, role separation, and monitored exception handling. These controls tend to break down when digital goods are delivered instantly and customer-service teams can reverse decisions without preserving a defensible audit trail.

Common Variations and Edge Cases

Tighter fraud controls often increase friction, so organisations must balance lower chargeback exposure against conversion loss and support overhead. There is no universal standard for this yet because the right threshold depends on product type, delivery method, and dispute volume. Subscription merchants face a different pattern from physical-goods sellers, and marketplaces must also account for seller performance and fulfilment disputes. For high-risk segments, current guidance suggests stronger evidence collection and stricter refund governance rather than simply adding more checkout prompts.

One edge case is legitimate customer confusion: a cardholder may recognise a charge only after a delayed shipment, a parent may dispute a family purchase, or a product description may be ambiguous. Another is internal abuse, where weak refund permissions or poor documentation create false positives that look like fraud but are actually process failure. Merchant teams should therefore separate three questions: was the transaction authorised, was the item or service delivered, and is the dispute credible. That separation improves analyst decisions and makes escalation easier when evidence is incomplete. In practice, the hardest cases are digital goods, recurring billing, and cross-border orders because delivery evidence is weaker, customer expectations are less consistent, and dispute rules vary by issuer and region.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-01 Identity proof at checkout is only one control; the issue is broader access and transaction assurance.
NIST SP 800-63 IAL2 The question centers on what authentication can and cannot prove about a party's identity.
PCI DSS v4.0 8.3.1 Payment controls must be paired with secure authentication handling and transaction governance.

Use identity proofing and authentication for their intended assurance level, not dispute resolution.