The End of Payment Fraud? How AI and Open Banking Are Changing the Risk Model

Last updated: February 2025

Card payments are structurally vulnerable to fraud. Open banking and AI-driven authentication change the model — here's how Pay by Bank via Fena removes the fraud vectors that card payments can't, and what that means for UK merchants.

Fraud isn't a problem card payments can solve — it's a problem they create

Card payment fraud is not a failure of implementation. It's a structural feature of a payment model built around credentials — a sixteen-digit number, an expiry date, a three-digit security code — that can be obtained, replicated, and used without the cardholder's knowledge or presence.

The scale of the problem reflects this. Global ecommerce fraud losses reached $48 billion in 2023, according to Juniper Research. UK merchants absorb a meaningful share of that — through direct fraud losses, chargeback costs, fraud prevention tooling, and the operational overhead of managing disputes. And the underlying vulnerability hasn't changed: as long as payments rely on card credentials that can be stolen, the fraud exposure is structural rather than fixable.

Open banking changes the model. Instead of credentials that exist independently of the person who owns them, open banking authenticates the actual account holder within their own banking environment at the moment of payment. There's nothing to steal, because there's no static credential to intercept.

This guide explains where card fraud actually comes from, what AI and open banking change about the fraud risk model, and what UK Shopify and WooCommerce merchants can expect from switching volume to Pay by Bank via Fena.

Quick summary

  • Card fraud is structural: the credentials required to make a card payment — card number, expiry, CVV — can be compromised without the cardholder's involvement, creating an inherent fraud surface

  • Open banking replaces static card credentials with real-time, bank-level authentication — the customer proves they are who they say they are within their own banking environment at the moment of payment

  • AI fraud detection applied to open banking data assesses transaction risk using live account behaviour rather than inferred patterns from card usage, reducing false positives and improving detection accuracy

  • Account-to-Account (A2A) payments — the settlement model underlying Pay by Bank — are near-final once authorised, removing the card chargeback mechanism that enables friendly fraud

  • For UK Shopify and WooCommerce merchants, Pay by Bank via Fena delivers this model today: FCA-regulated, bank-authenticated, with no chargeback exposure on Pay by Bank transactions

Why card payments are structurally vulnerable to fraud

Understanding why open banking represents a genuine improvement requires being honest about what makes card payments vulnerable in the first place.

A card payment is essentially a credential transaction. The customer presents a set of numbers — card number, expiry date, CVV, and sometimes billing address — and the payment system verifies that those numbers are valid and associated with an account that can cover the transaction. The verification doesn't confirm that the person presenting the credentials is the person who owns the account. It confirms that the credentials are correct.

This is the root of the problem. Card credentials can be obtained through data breaches, phishing attacks, card skimming, or dark web markets without the cardholder being involved in any way. Once obtained, they can be used to make card-not-present purchases — which is the majority of online transactions — with nothing to stop them beyond fraud scoring systems that are working with imperfect information.

The three primary fraud vectors this creates are distinct but related.

Unauthorised card use.

Stolen credentials used to make purchases the cardholder didn't authorise. The merchant ships goods, the cardholder disputes the transaction, and the chargeback reverses the sale — often weeks after the fact when the goods can't be recovered.

Identity theft.

More sophisticated fraud that combines card credentials with personal data to create a convincing fraudulent identity, enabling larger-scale exploitation before detection.

Friendly fraud.

Legitimate cardholders who dispute transactions they did make — claiming non-delivery, unrecognised billing, or product dissatisfaction — to obtain a refund via chargeback rather than through the merchant's returns process. The card dispute mechanism makes this straightforward, and it's a significant and growing contributor to merchant chargeback costs.

Each of these exploits a different aspect of the same underlying vulnerability: a payment system that authenticates credentials rather than people.

What open banking changes about the authentication model

Open banking replaces the credential model with a person-present authentication model. Instead of presenting card numbers that exist independently of the cardholder, the customer authorises payment within their own banking environment using their existing banking credentials — biometrics, PIN, or bank login.

The significance of this is straightforward. Stolen card numbers are irrelevant to Pay by Bank because there are no card numbers in the flow. A fraudster who has obtained card credentials from a data breach cannot use them to make a Pay by Bank payment. The payment requires the genuine account holder to be present and to actively authenticate — the same way they authenticate to check their own balance.

This is Strong Customer Authentication (SCA) by design, not by addition. SCA was introduced as a regulatory requirement for card payments to address exactly this vulnerability, by requiring a second factor beyond card credentials. Open banking builds equivalent or stronger authentication into the fundamental structure of the payment — it's not an add-on layer, it's the mechanism.

The result is a payment that is authenticated by the bank, on behalf of the account holder, at the moment it's made. There's no static credential to steal, no card-not-present transaction to exploit, and no gap between credential validity and account holder presence.

How AI strengthens the open banking fraud model

Open banking's authentication model removes the primary card fraud vulnerability. AI adds a further layer of intelligence that improves fraud detection accuracy and reduces the false positive rates that cause legitimate transactions to be blocked.

Behavioural analysis at the account level.

AI applied to open banking data can assess a transaction's risk profile using the customer's actual account behaviour — spending patterns, regular payees, typical transaction sizes, account history — rather than inferring risk from card transaction patterns that could have been generated by someone other than the account holder. A transaction that looks unusual in isolation looks different in the context of that customer's real financial behaviour.

Real-time anomaly detection.

AI systems can identify anomalies in transaction context — device, location, time, session behaviour — and flag or block transactions that deviate from what's expected for that account and that merchant, in real time. This operates faster than manual review and with more contextual information than card fraud scoring systems typically have access to.

Reduced false positives.

Card fraud detection systems generate false positives — legitimate transactions blocked because they match fraud patterns — at rates that cost merchants meaningful conversion. AI operating on open banking data, with richer and more accurate account-level context, can distinguish legitimate unusual transactions from genuine fraud attempts more accurately. Fewer blocked legitimate purchases means better conversion alongside better security.
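The contrast described under "Behavioural analysis at the account level" and "Reduced false positives", as an added example (not Fena's code or any provider's model): a static amount rule is compared with a score built from one account's own payment history. A robust z-score plus a new-payee penalty stands in for a trained model; the limit, threshold, payee names and all transactions are constructed assumptions.

```python
from statistics import median

# Constructed history for one account: (amount in GBP, payee).
HISTORY = [
    (1200.0, "landlord"), (1180.0, "landlord"), (950.0, "furniture-store"),
    (1320.0, "landlord"), (1010.0, "travel-agent"), (1250.0, "landlord"),
    (890.0, "supplier-a"), (1100.0, "supplier-a"),
]

# Constructed test transactions with ground truth: (amount, payee, is_fraud).
TXNS = [
    (1150.0, "landlord", False),
    (980.0, "supplier-a", False),
    (4800.0, "unknown-payee", True),
]

GLOBAL_LIMIT = 500.0  # hypothetical account-blind rule: flag anything larger


def static_flag(amount, payee):
    """Flags on size alone, with no knowledge of the account."""
    return amount > GLOBAL_LIMIT


def account_score(amount, payee, history=HISTORY):
    """Higher means more unusual for this particular account."""
    amounts = [a for a, _ in history]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0  # guard against zero spread
    size_dev = abs(amount - med) / (1.4826 * mad)       # robust z-score
    new_payee = 0.0 if payee in {p for _, p in history} else 2.0
    return size_dev + new_payee


def account_flag(amount, payee, threshold=3.0):
    return account_score(amount, payee) > threshold


def evaluate(flag_fn):
    """Return (frauds caught, legitimate payments wrongly flagged)."""
    caught = sum(1 for a, p, f in TXNS if f and flag_fn(a, p))
    false_pos = sum(1 for a, p, f in TXNS if not f and flag_fn(a, p))
    return caught, false_pos


if __name__ == "__main__":
    print("static rule  :", evaluate(static_flag))
    print("account-level:", evaluate(account_flag))
```

Both detectors catch the constructed fraudulent payment, but only the static rule blocks the two payments that are routine for this account.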

Continuous learning.

AI fraud models improve with volume. As more open banking transactions are processed and the models are exposed to more examples of genuine and fraudulent behaviour, detection accuracy improves over time. This is a structural advantage over static rule-based fraud detection systems that require manual updating.

Chargebacks: the friendly fraud problem and how A2A payments address it

Friendly fraud — where a legitimate cardholder disputes a genuine transaction — is the fraud category that card payment systems are structurally least equipped to address. The chargeback mechanism exists to protect consumers from unauthorised transactions, but it can be invoked by any cardholder for any transaction, and the burden of proof falls on the merchant.

The cost is direct: the reversed transaction, the chargeback fee, and the staff time to compile and submit evidence. The indirect cost is the merchant's chargeback ratio — elevated dispute rates lead to higher processing fees, rolling reserves, and the risk of card network monitoring programmes.

A2A payments are near-final once authorised. When a customer authenticates a Pay by Bank payment within their banking app, they are making an active, bank-verified decision to transfer funds. There's no card network dispute process to invoke after the fact because there's no card network involvement. The payment doesn't have a chargeback mechanism.

Disputes between merchants and customers can still arise — a customer may claim goods weren't delivered, or a product wasn't as described — and these should be resolved through the merchant's customer service and refund process. But the card chargeback mechanism, with its fees, timelines, and third-party arbitration, doesn't apply. For merchants in categories where friendly fraud is a recurring cost, this is a structural improvement rather than a marginal one.

What this means in practice for UK merchants

The fraud reduction benefits of Pay by Bank via Fena are immediate and don't require additional configuration or third-party fraud tooling beyond what Fena provides.

Every Pay by Bank transaction is bank-authenticated by the customer at the point of payment. Unauthorised transaction fraud — the primary card fraud vector — is structurally prevented because the payment requires active authentication by the genuine account holder. Card credential theft is irrelevant because there are no card credentials in the flow.

Chargeback exposure on Pay by Bank volume is zero. The card dispute mechanism doesn't apply to these transactions. Fena provides full transaction confirmation and audit trails for every payment, giving merchants the documentation needed to resolve any genuine customer disputes directly without card network involvement.

For UK merchants in categories with elevated fraud or chargeback rates — digital goods, high-value retail, supplements, vape, CBD, and similar — the combination of structural fraud prevention and chargeback elimination makes Pay by Bank via Fena particularly valuable. These are precisely the categories where card payment fraud and dispute costs are highest, and where the contrast with open banking's authentication model is most pronounced.

Fena's Pay by Bank integration adds this payment option to Shopify and WooCommerce alongside existing card and wallet options. It doesn't require removing card payments — it gives customers an alternative that removes the fraud vulnerabilities inherent in the card model for those who use it.

A realistic view: what open banking doesn't prevent

Honest fraud prevention guidance includes what the new model doesn't solve as well as what it does.

Open banking and AI significantly reduce unauthorised transaction fraud and eliminate card chargebacks. They don't eliminate all fraud risk.

Authorised Push Payment (APP) fraud — where a genuine account holder is socially engineered into making a payment to a fraudster's account — operates at the bank account level and is not prevented by strong authentication. The customer authenticates the payment themselves, believing it to be legitimate. This is a growing concern in the UK, and the PSR has introduced new reimbursement requirements that apply to APP fraud across the banking system.

Customer disputes around genuine service failures — non-delivery, product quality, misrepresented goods — remain a merchant responsibility regardless of payment method. Pay by Bank removes the card dispute process from these situations, but the underlying customer service obligation remains.

What open banking changes is the fraud surface available to external bad actors who want to exploit the payment system itself. That surface — card credential theft, card-not-present fraud, and friendly fraud via the chargeback mechanism — is substantially reduced. What remains is APP fraud and genuine customer disputes, both of which require different controls.

Frequently asked questions

Does Pay by Bank prevent payment fraud?

Pay by Bank prevents the primary forms of card payment fraud by removing card credentials from the flow entirely. Unauthorised transactions using stolen card details aren't possible because there are no card details to steal. Each payment requires active authentication by the genuine account holder within their banking environment. It doesn't prevent authorised push payment fraud, where a genuine customer is deceived into making a payment voluntarily.

How does open banking reduce fraud compared to cards?

Card payments authenticate credentials — numbers that can be obtained without the cardholder's involvement. Open banking authenticates the person — the genuine account holder, within their own banking environment, at the moment of payment. This removes the credential theft vector that drives the majority of card-not-present fraud.

Do chargebacks apply to Pay by Bank transactions?

No. Pay by Bank transactions don't go through card networks, so the card chargeback mechanism doesn't apply. Disputes between merchants and customers are handled directly, without card network involvement, fees, or timelines. For merchants with elevated chargeback rates, this is a structural improvement in both cost and operational overhead.

Is Pay by Bank via Fena regulated and secure?

Yes. Fena is FCA-authorised to provide open banking payment services in the UK. Every Pay by Bank transaction uses bank-level authentication meeting the Strong Customer Authentication (SCA) standard required by UK regulation. The payment infrastructure operates on the same open banking framework used by the major UK banks and over 11 million UK consumers monthly.

What fraud risks remain with open banking payments?

The primary residual risk is Authorised Push Payment (APP) fraud, where a genuine account holder is deceived into authorising a payment to a fraudster's account. This type of fraud operates at the account holder level and isn't prevented by strong authentication, because the authentication is genuine — it's the payment decision that's been manipulated. The PSR's APP fraud reimbursement framework applies across the UK banking system. Genuine customer disputes around service quality or delivery also remain a merchant responsibility regardless of payment method.

How does AI improve fraud detection in open banking payments?

AI applied to open banking data can assess transaction risk using actual account behaviour — spending patterns, transaction history, typical amounts — rather than inferring risk from card transaction patterns that may have been generated by a fraudster. This produces more accurate fraud detection with fewer false positives, meaning fewer legitimate transactions are blocked and more genuine fraud attempts are identified.