October 17, 2016

How to manage payment risk during and after a payment is made on your e-commerce service

For e-merchants, credit card fraud is managed during a payment, e.g., by defining rules limiting the type of cards allowed or by activating 3DSecure, and after a payment, e.g., via automated or manual verifications that look for payments at risk of fraud. For issuing banks, fraud is prevented in a number of ways, e.g., by putting limits on the type of transactions allowed for a card holder or by having automated verifications that look for payments at risk of fraud.

We review how issuers and e-merchants prevent the risk of credit card fraud during and after payments.

During a payment

Issuers (i.e., the banks that issue credit cards) may verify cardholders through a two-factor authentication system called 3DSecure. The first factor is a correct credit card number with its CVC, and the second is a valid authentication code that the cardholder receives by phone or email and enters on the payment screen.

If e-merchants opt into 3DSecure, liability for the loss shifts to the issuer when a case of fraud occurs, so the e-merchants are protected. However, 3DSecure tends to be an expensive solution because of cart abandonment. Moreover, 3DSecure is a sort of insurance to which limits apply. Notably, e-merchants may get excluded for certain reasons, e.g., if the delay between payment and delivery is too long or their volume of fraud is too high. Therefore, to reduce their risk or remain within the limits of 3DSecure, many e-merchants decide (or need) to run payment verifications.

After a payment

E-merchants can implement two types of payment verification: those done by automated processes and those done by review analysts. An automated verification process tests new payments against a series of rules and scores. If the risk is low, the payment is let through. However, if the risk is high, the payment is either directly rejected or is passed to a team of review analysts. In turn, analysts have three options. They can validate the payment, reach out to the client for additional verification, or reject the payment.
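The automated triage described above, as an added example (not code from the original article): payments are scored against rules and routed to accept, review or reject, and a reviewed payment takes one of the three analyst outcomes. Every rule, weight, threshold and field name is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# All thresholds, rule names and weights are illustrative assumptions.
REVIEW_AT = 40   # score at or above which analysts review the payment
REJECT_AT = 80   # score at or above which the payment is rejected outright

@dataclass
class Payment:
    amount: float
    card_country: str
    ship_country: str
    three_ds: bool            # cardholder authenticated through 3DSecure
    days_to_delivery: int     # delay between payment and delivery
    attempts_last_hour: int   # payment attempts seen for this card

# (rule name, points added when the rule fires, predicate)
RULES = [
    ("country_mismatch", 30, lambda p: p.card_country != p.ship_country),
    ("high_amount", 25, lambda p: p.amount >= 1000),
    ("card_velocity", 35, lambda p: p.attempts_last_hour >= 3),
    ("no_3ds", 20, lambda p: not p.three_ds),
    ("long_delivery_delay", 15, lambda p: p.days_to_delivery > 30),
]

def score(p):
    """Return (total score, names of the rules that fired)."""
    hits = [(name, pts) for name, pts, fires in RULES if fires(p)]
    return sum(pts for _, pts in hits), [name for name, _ in hits]

def triage(p):
    """Automated step: low risk passes, high risk is rejected or reviewed."""
    total, _ = score(p)
    if total >= REJECT_AT:
        return "reject"
    return "review" if total >= REVIEW_AT else "accept"

# The three options open to a review analyst, mapped to a payment state.
ANALYST_OUTCOMES = {"validate": "accept",
                    "contact_client": "awaiting_client",
                    "reject": "reject"}

def resolve(p, analyst_decision=None):
    """Final state of a payment; analysts only see payments sent to review."""
    decision = triage(p)
    if decision != "review" or analyst_decision is None:
        return decision
    return ANALYST_OUTCOMES[analyst_decision]

# Constructed sample payments, not real data.
LOW = Payment(50, "FR", "FR", True, 2, 1)
MEDIUM = Payment(1200, "FR", "FR", False, 2, 1)
HIGH = Payment(1500, "US", "FR", False, 40, 4)
```

Keeping the list of fired rule names from `score` gives review analysts the reason a payment was flagged.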

Issuers must know their exact liabilities for each fraud subtype. Depending on those liabilities, they may transfer the loss to the e-merchant, e.g., if the transaction is not 3DSecure-enabled, or to the cardholder, e.g., if the cardholder fails to detect the fraud and notify her bank in time.

In conclusion

We reviewed how issuers and e-merchants manage credit card fraud, i.e., by implementing a series of security measures during and after payments.


