The low security of the credit card system presents countless opportunities for fraud. This opportunity has created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen.

The goal of the credit card companies, as they say, is not to eliminate fraud, but to "reduce it to manageable levels", such that the total cost of both fraud and fraud prevention is minimized. This implies that high-cost low-return fraud prevention measures will not be used if their cost exceeds the potential gains from fraud reduction.

Most Internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. There have been many cases of hackers obtaining huge quantities of credit card information from company databases. Not unusual are cases of employees of companies that deal with millions of customers in which they were selling the credit card information to criminals.

Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank is a security risk. However, many banks offer systems such as ClearCommerce, where encrypted card details captured on a merchant's webserver can be sent directly to the payment processor.

The Federal Bureau of Investigation is the agency responsible for prosecuting criminals who engage in credit card fraud in the United States, but they do not have the resources to pursue all criminals. In general, they only prosecute in cases exceeding $5,000 in value. Even though the FBI usually does not investigate, most common credit card networks have not implemented procedures to prevent credit card fraud. Three improvements to card security have been introduced to the more common credit card networks but none has proven to help reduce credit card fraud so far. First, the on-line verification system used by merchants is being enhanced to require a 4 digit Personal Identification Number (PIN) known only to the card holder. Second, the cards themselves are being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smartcard (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard. Third, an additional 3 or 4 digit code is now present on the back of most cards, for use in "card not present" transactions. See CVV2 for more information.