Benchmark data in payment fraud is scarce. Card networks publish summary statistics. Research firms release annual reports with numbers that age quickly. Individual processors rarely share performance data publicly. What follows are industry estimates and ranges drawn from publicly available card network disclosures, processor industry associations, and payment fraud research published through mid-2024. These figures represent cross-industry estimates, not performance data from any specific processor or customer.
Card-Not-Present Fraud Rate Trends
Card-not-present (CNP) fraud has been the dominant fraud vector since EMV chip adoption reduced counterfeit card fraud at physical terminals. The shift that began around 2015-2016 has not reversed. CNP transactions now account for a majority of payment card fraud losses in North America and Western Europe.
Industry estimates for CNP fraud rates at payment facilitators and acquiring processors in 2024 run between 0.08% and 0.18% of transaction volume, measured by dollar value. Top-quartile processors — those with more sophisticated fraud operations and better-calibrated detection — tend to cluster in the 0.06% to 0.10% range. Median performers operate at 0.12% to 0.18%. The spread is significant: a processor at 0.18% is carrying roughly three times the fraud loss rate of a top-quartile peer on the same transaction volume.
For a processor running $500 million in annual transaction volume, the difference between 0.08% and 0.18% fraud rates is $500,000 in annual fraud losses. That delta is the addressable gap — the portion of fraud losses that better detection infrastructure can prevent.
Card-Testing Attack Frequency
Card-testing attack frequency shows strong seasonal patterns. The period from late October through January — driven by holiday shopping volume and the associated expansion in CNP transaction activity — consistently shows elevated card-testing rates. Industry data suggests card-testing attack frequency increases 3x to 5x during the November-December window compared to baseline months.
The mechanism is straightforward: high-volume transaction periods provide more cover for testing activity. Velocity anomalies are harder to distinguish from legitimate traffic spikes. Processor operations teams are managing elevated overall volumes, reducing the bandwidth for anomaly investigation. Fraudsters optimize their testing cadence to exploit these conditions.
Processors without seasonal adjustment in their detection systems — those running static thresholds year-round — face a binary choice during peak periods: tighten thresholds (increasing false positives on elevated legitimate volume) or maintain baselines (accepting higher card-testing pass-through). Adaptive detection that adjusts velocity thresholds against rolling seasonal baselines avoids this tradeoff.
Outside holiday windows, card-testing campaigns also spike following large data breach announcements, when fresh card data enters the market. Processors should track public breach disclosures and elevate monitoring sensitivity in the 2-4 week window following major issuer data exposures.
Chargeback Rate Thresholds
Card network chargeback monitoring programs are a concrete operational risk for SMB processors. Visa's Visa Fraud Monitoring Program (VFMP) and Mastercard's Excessive Chargeback Program (ECP) both establish threshold rates that, when exceeded, trigger monitoring status with escalating financial consequences.
Visa's standard threshold is 1.0% chargeback-to-transaction ratio (measured monthly). Above 1.0%, a processor enters early warning status. Sustained rates above 1.5% trigger the high-risk designation with monthly fines. Mastercard's ECP threshold is 1.5% with similar escalation structure. Fines under both programs start at approximately $25 to $50 per chargeback over threshold and can escalate to $100 per chargeback plus fixed monthly program fees for extended non-compliance.
For context on what these numbers mean in practice: a processor running 200,000 monthly transactions with a 1.2% chargeback rate has 2,400 chargebacks per month. At 1.0% threshold, they're 400 chargebacks over the line. At even $25 per excess chargeback, that's $10,000 in monthly fines before factoring in the operational cost of dispute management. Sustained non-compliance can result in termination of card network membership — an existential outcome for an acquiring processor.
False-Positive Decline Rate Averages
False-positive decline rates — the fraction of decline decisions that block legitimate transactions — are among the least-reported metrics in the industry, partly because they require ground-truth resolution of declined transactions to calculate accurately. Industry estimates based on processor surveys and research firm studies suggest SMB processors running generic rule sets operate with false-positive rates of 8% to 15% of total declined transactions.
Translated to portfolio-level impact: a processor with a 4% overall decline rate (declined transactions as a share of all attempted transactions) and a 12% false-positive rate is declining approximately 0.48% of all attempted transactions incorrectly. On $500 million in annual transaction volume with a $150 average ticket, that's roughly 15,000 declined legitimate transactions per year and approximately $2.25 million in blocked merchant revenue the processor never collects its take rate on.
Top-quartile processors with per-merchant baseline calibration report false-positive rates of 3% to 6% of declined transactions — roughly half the median figure. That improvement is achievable with the right detection architecture and represents a meaningful gross margin improvement on the same transaction volume.
What Separates Top-Quartile Processors
The performance gap between top-quartile and median processors on fraud metrics is not primarily a function of transaction volume or merchant category mix. Processors handling similar SMB merchant portfolios show substantial performance dispersion, and the differentiating factors are consistent across the data:
- Per-merchant baseline calibration: Top performers maintain individual transaction profiles per merchant and evaluate anomalies relative to merchant-specific baselines, not population averages. This is the single largest contributor to lower false-positive rates.
- Rolling window analysis: Detection systems using 7-14 day rolling windows on key metrics outperform static threshold systems on bust-out and velocity anomaly detection. The rate-of-change signal is more specific than absolute-value thresholds.
- Portfolio-level BIN monitoring: Top-quartile processors track BIN distribution signals across their full merchant portfolio, enabling card-testing campaign detection that per-merchant monitoring alone would miss.
- Automated representment documentation: Processors that generate decision records automatically at authorization time recover more chargeback losses through successful representment, reducing net fraud loss even when gross fraud rates are similar.
These are architectural and operational characteristics, not purely budget-driven. SMB processors can implement all four with appropriately designed fraud infrastructure, regardless of transaction volume. The gap between top-quartile and median performance on fraud metrics is primarily an infrastructure and methodology gap, not a scale gap.