- Credit card fraud recovery is possible through chargebacks, PSD2 refund claims, civil litigation, and criminal proceedings in European courts.
- Asian cardholders transacting with European merchants are primary targets: card-not-present fraud, phishing-obtained credentials, and counterfeit card operations extract funds before the cardholder identifies the breach.
- Chargeback rights under Visa, Mastercard, and equivalent card schemes provide the fastest recovery mechanism, available within 120 days of the transaction date regardless of merchant cooperation.
- PSD2 imposes strict refund obligations on card issuers for unauthorised transactions: the institution must refund immediately unless it demonstrates gross negligence by the cardholder.
- Limitation periods for civil claims run from the date of discovery, but chargeback windows close at 120 days, making immediate action the critical first step.
Credit card fraud recovery is achievable through chargebacks, PSD2 refund claims, civil litigation, and criminal proceedings. Where a fraudster used a cardholder’s credit or debit card details (obtained through phishing, skimming, data breach, or social engineering) to execute unauthorised transactions, PSD2 refund obligations require the card issuer to refund immediately. Where a cardholder was deceived into authorising a payment to a fraudulent merchant, chargeback rights under card scheme rules provide recovery against the acquiring bank. Civil claims for fraudulent misrepresentation and unjust enrichment are available against the identified fraudster. Recovery outcomes depend on the nature of the fraud, the speed of card issuer notification, the type of transaction, and the applicable card scheme rules.
What Is Credit Card Fraud?
Credit card fraud is the unauthorised or deceptive use of a credit or debit card or card credentials to execute financial transactions without the genuine consent of the cardholder. It encompasses both the theft and misuse of card details without the cardholder’s knowledge, and the deception of a cardholder into authorising payments to fraudulent merchants or operators.
Credit card fraud in Europe operates within a well-defined legal and regulatory framework: PSD2 imposes statutory refund obligations on card issuers for unauthorised transactions, and card scheme chargeback rules provide contractual recovery mechanisms for a broad range of disputed transactions. This regulatory infrastructure makes credit card payments the most recoverable payment method available to fraud victims, provided recovery mechanisms are initiated within the applicable timeframes.
Interesting fact
In 2025, European law enforcement authorities uncovered an international bank card fraud ring operating through thousands of fake websites. Users entered their card details to “subscribe” to online services, after which funds were debited through fictitious payments. More than 4.3 million card details were stolen, and approximately 19 million transactions were processed. Total losses exceeded €300 million, and 18 suspects were arrested.
Types of Credit Card Fraud
Card-Not-Present Fraud
The fraudster uses stolen card credentials (card number, expiry date, CVV, and billing address) to execute online transactions without the physical card. Card-not-present fraud is the most prevalent credit card fraud type in Europe, enabled by data breaches, phishing attacks, and dark web credential markets. The cardholder does not authorise the transactions and typically discovers them through account statement review or card issuer fraud alerts.
Card Skimming and Cloning
A physical skimming device attached to an ATM, payment terminal, or fuel pump captures card data when the cardholder uses their card legitimately. The captured data is used to create a cloned card, which is then used for in-person transactions in locations without chip-and-PIN verification requirements. Skimming operations in European tourist locations, including ATMs in Spain, Italy, Greece, and Portugal, have targeted Asian visitors who use their cards at compromised terminals.
Phishing-Obtained Card Credentials
A fraudster obtains card credentials through phishing, directing the cardholder to a fake banking website, payment page, or merchant checkout that captures card details entered by the cardholder. The captured credentials are used immediately for card-not-present fraud or sold on criminal marketplaces. This variant is addressed in the phishing article in this series but is included here in its card fraud recovery context.
Fraudulent Merchant Transactions
A cardholder authorises a payment to a fraudulent merchant (a fake online store, a fraudulent service provider, or a scam investment platform), believing the merchant is legitimate. The merchant collects payment and provides no genuine goods or services. The cardholder disputes the transaction through the chargeback process, citing non-delivery, item not as described, or services not rendered. This variant is the primary credit card recovery mechanism for online store fraud, investment fraud, and advance payment fraud where card payment was used.
Friendly Fraud and Chargeback Abuse
A fraudster acting as a buyer makes a legitimate purchase, receives goods or services, and then files a false chargeback claiming non-delivery or unauthorised transaction. The merchant loses both the goods and the payment. This variant targets merchants rather than consumers and is addressed here in the context of merchant recovery from abusive chargebacks, a distinct recovery challenge from consumer card fraud.
Account Takeover
A fraudster obtains access to the cardholder’s online banking or card account through phishing, SIM swapping, or credential theft and adds a new payee, changes contact details, or executes transactions from within the genuine account. The cardholder does not authorise these actions. PSD2 unauthorised transaction refund obligations apply in full.
The Legal and Regulatory Framework
PSD2 – Unauthorised Transaction Refund Obligations
PSD2 (Directive 2015/2366/EU) is the primary regulatory framework governing card issuer obligations for unauthorised transactions:
Article 73 – Refund obligation: Where a payment transaction was not authorised by the cardholder, the payment service provider must refund the full transaction amount immediately, no later than the end of the following business day after notification. The refund obligation applies without requiring the cardholder to first identify the fraudster or prove how the fraud occurred.
Article 74 – Gross negligence threshold: The refund obligation does not apply where the payment service provider demonstrates that the cardholder acted with gross negligence or fraud. A cardholder who was deceived by a sophisticated phishing attack into disclosing card credentials has not acted with gross negligence where the deception was not identifiable through reasonable care. The gross negligence threshold is assessed against the specific circumstances, not applied as a blanket defence by the card issuer.
Article 97 – Strong customer authentication: Card issuers are required to apply SCA for electronic payment transactions. Where SCA was not applied and an unauthorised transaction was processed, the card issuer bears full liability for the resulting loss regardless of any gross negligence argument.
Card Scheme Chargeback Rules
Card scheme chargeback rules under Visa, Mastercard, American Express, and equivalent networks provide contractual recovery mechanisms for disputed card transactions that operate independently of PSD2:
Non-delivery chargebacks: Available where goods or services paid for by card were not received. Filed within 120 days of the transaction date or the expected delivery date, whichever is later.
Item not as described chargebacks: Available where goods or services received were materially different from what was represented at the time of payment. Filed within 120 days of the transaction date.
Fraudulent transaction chargebacks: Available where the cardholder did not authorise the transaction: card credentials were used without the cardholder’s genuine consent. No time limit beyond the 120-day window.
Credit not processed: Available where a merchant agreed to provide a refund or credit and failed to do so.
Chargeback claims are initiated through the card issuer and pursued against the merchant’s acquiring bank, requiring the acquiring bank to demonstrate that the transaction was legitimate. A fraudulent merchant that cannot provide evidence of genuine goods delivery loses the chargeback dispute, and the funds are returned to the cardholder.
EU Consumer Rights Directive
Under Directive 2011/83/EU, consumers purchasing goods or services through card payments have statutory rights including the 14-day right of withdrawal for distance purchases and the right to a remedy for non-conforming goods. These statutory rights support chargeback claims and provide an independent recovery basis where the merchant disputes the chargeback.
Immediate Steps After Identifying Credit Card Fraud
Step 1 – Report to Your Card Issuer Immediately
Contact your card issuer immediately upon identifying any unauthorised or fraudulent transactions through the card issuer’s 24-hour fraud reporting line. Request immediate cancellation of the compromised card and reissuance. For unauthorised transactions, formally notify the card issuer of the dispute and request a PSD2 refund; the notification starts the card issuer’s refund processing timeline. Do not delay notification: PSD2 refund obligations run from the date of notification.
Step 2 – File a Chargeback for Each Disputed Transaction
For each fraudulent or disputed transaction, formally file a chargeback claim with your card issuer citing the applicable reason code: unauthorised transaction, non-delivery, item not as described, or credit not processed. Provide all supporting documentation: order confirmations, delivery records, merchant communications, and evidence of the fraud. Chargeback rights close at 120 days from the transaction date; filing immediately preserves the full window for the card issuer’s investigation.
Step 3 – Preserve All Evidence
Save all records related to the fraudulent transactions: transaction statements, merchant communications, order confirmations, phishing communications that obtained your credentials, and any documentation provided by the fraudulent merchant. For card skimming, document the ATM or terminal location and report it to the operator and local authorities. Evidence preserved immediately after discovery is more complete than evidence assembled after delay.
Step 4 – File a Criminal Complaint
File a criminal complaint with the national cybercrime unit or financial crime police in the EU member state where the fraudulent merchant is registered or where the fraud originated. Criminal complaints access merchant account records, payment processor identity data, and cross-border judicial cooperation, the primary tools for identifying card fraud operators and tracing extracted funds. For large-scale card fraud operations (data breaches, skimming networks, organised CNP fraud rings), criminal complaints engaging Europol’s EC3 provide the most comprehensive investigative framework.
Step 5 – Report to the Relevant Regulator
File a complaint with the relevant national financial regulator where the card issuer failed to apply SCA, refused a PSD2 refund without adequate justification, or failed to respond to a fraud notification within required timeframes. Regulatory complaints create enforcement records, trigger supervisory investigation, and support civil proceedings where the card issuer’s PSD2 compliance is in question.
Legal Options for Credit Card Fraud Victims
PSD2 Refund Claims
PSD2 refund claims are the fastest and most accessible recovery mechanism for unauthorised card transactions: the card issuer is required to refund immediately upon notification unless it demonstrates gross negligence. Where the card issuer disputes the refund obligation without adequate justification, regulatory complaints to the national financial regulator and civil proceedings to enforce PSD2 liability are available. PSD2 claims target a regulated, solvent defendant, the card issuer, independently of the fraudster’s identifiability or asset position.
Chargeback Claims
Card scheme chargebacks provide recovery for a broader range of disputed transactions than PSD2, including authorised payments to fraudulent merchants where no goods or services were provided. Chargeback claims are available within 120 days of the transaction date and are processed through the card issuer without requiring civil proceedings. Success rates for well-documented non-delivery and fraudulent merchant chargebacks are high where the dispute is filed promptly and with complete supporting documentation.
Civil Litigation Against the Fraudster
Civil proceedings against the identified fraudster for fraudulent misrepresentation and unjust enrichment are available in all EU jurisdictions. For large-value card fraud losses where chargeback and PSD2 mechanisms have failed or are insufficient, civil proceedings achieve full recovery of all amounts lost, compensatory damages, EAPO asset freezes, and disclosure orders compelling payment processors and acquiring banks to produce merchant identity and transaction records.
Banking and Acquiring Bank Liability
Where the acquiring bank that processed the fraudulent merchant’s transactions failed to conduct adequate due diligence on the merchant (including verification of the merchant’s identity, business legitimacy, and compliance with card scheme rules), civil negligence claims may be available against the acquiring bank for losses sustained by cardholders who transacted with the fraudulent merchant. Acquiring banks carry Know Your Merchant obligations under card scheme rules and AML Directives that create liability where merchant fraud was foreseeable and preventable through adequate verification.
Asset Tracing and the EAPO
For large-scale card fraud operations (organised CNP fraud rings, skimming networks, or fraudulent merchant operations), forensic accounting and civil disclosure tools can trace fund movements through payment processor and acquiring bank records. The EAPO under Regulation (EU) No. 655/2014 freezes accounts across all EU member states simultaneously on an ex parte basis where there is a documented risk of dissipation.
Factors That Determine Recovery Outcomes
Nature of the Fraud and Applicable Recovery Mechanism
Unauthorised transactions where card credentials were used without genuine cardholder consent attract the strongest PSD2 protections and the most straightforward recovery path. Authorised payments to fraudulent merchants are most effectively addressed through card scheme chargebacks within the 120-day window. Large-value losses where chargeback and PSD2 mechanisms are insufficient require civil litigation and, where the fraudster is identified, EAPO asset freezing.
Speed of Card Issuer Notification
PSD2 refund processing begins from the date of notification, not from the date of the fraudulent transaction. Immediate notification maximises the refund processing timeline and limits the cardholder’s liability for losses incurred before notification. Card scheme chargeback rights are available for 120 days from the transaction date; filing chargebacks immediately upon identifying fraud preserves the full investigative window.
Quality and Completeness of Documentation
Transaction statements, merchant communications, order confirmations, phishing records, and delivery documentation form the evidentiary foundation for both chargeback claims and civil proceedings. Complete documentation filed with the chargeback claim at the outset produces significantly higher success rates than claims filed with incomplete records requiring subsequent supplementation.
Card Issuer SCA Compliance
Where SCA was not applied to a fraudulent transaction, the card issuer bears full liability regardless of how the fraud occurred, eliminating the gross negligence defence entirely. Verifying whether SCA was applied to disputed transactions is a critical early step in assessing the card issuer’s PSD2 liability position.