Watching out for fishy customers and potentially fraudulent transactions is part of every retailer’s job.
Nowadays, though, this can feel like a full-time effort. And much of this is down to card-not-present (CNP) transactions.
Turning them down used to be clear and simple. Pre-internet, CNP transactions were risky for merchants because they couldn’t verify a card holder’s identity as easily as they can online today.
Now, CNP transactions are more secure — thanks to eCommerce, identity verification and common security practices like two-factor authentication. As a merchant, you can accept them from anywhere around the world at any time.
But let’s take a few steps back here. What exactly is a CNP transaction?
And even with built-in security features from payment providers, are CNP transactions still risky?
Let’s take a closer look.
In this article you’ll learn:
- What a CNP transaction is
- What CNP transaction fraud is
- The different types of CNP fraud
- How to handle CNP fraud
Lightspeed POS now comes with integrated payments
Lightspeed Payments: Simple pricing, no hidden fees, and a secure checkout experience.
What is a card-not-present transaction?
First up, a simple definition. A CNP transaction is any transaction using a credit card where the cardholder is not there and cannot physically present their card for payment.
Card-not-present transaction examples:
- Online mobile and desktop sales
- Mail order and telephone transactions (MOTO)
- Transactions where a card number is keyed in (even if the cardholder’s there)
“Card not-present transactions cover any type of card payment where a card payment takes place remotely,” explains Libby James, co-founder of UK-based Merchant Advice Services which helps business-owners understand card payments.
“Basically, that can be any payment without the need for the customer to enter their pin, or verify with face ID, while using a credit or debit card physically or on a mobile phone.”
As a merchant, you have a hard time verifying a shopper’s identity alone. And you can’t count on outdated fraud detection methods for most transactions since a card’s EMV chip is now what powers fraud detection.
This is partly why banks charge higher processing fees for CNP transactions and they’re more expensive for merchants to process.
What is a card-present transaction?
A Card Present (CP) transaction is any transaction where the customer physically interacts with a payment terminal using their card.
Card-present transaction examples:
- Swiping a card with a magnetic strip
- Inserting a card with an EMV chip
- Mobile payments (Think Apple Pay, Google Pay or Samsung Pay)
- Tap-and-go payments
Any transaction where the card numbers are manually keyed into a credit card machine does not count as a card-present transaction—even when the card is physically present. To qualify as a CP transaction, the merchant must ‘capture’ the card’s stored electronic data.
CP transactions are considered more secure thanks to electronic security data transmitted when the card is used. And EMV cards, sometimes called ‘chip and pin’ cards, help keep CP transactions safe and encrypted.
“Card-present transactions are supposed to be safer because a merchant should check the card for any sort of damage or match a signature on the back of the card to the signature on a receipt,” says Ian. “In practice, card-present fraud is also a major problem. If you accidentally drop your credit card in the mall and someone picks it up, no store clerk will ever actually verify the user’s ID.”
Why should merchants accept card-not-present transactions?
As a merchant, you could choose to avoid CNP transactions.
But that would mean you couldn’t open an online store.
Retail eCommerce sales in the U.S. rose by more than 30% to $211.5 billion in the second quarter of 2020. That figure gives you a sense of why sticking to in-store selling can eat into retailers’ sales and revenue potential.
That said, if you’re very risk-averse, you could set up a “reserve online and pay in-store” order fulfillment process. But bear in mind, this will add friction to your customers’ shopping experience. It’s also bound to increase the probability of abandoned carts—a common pain for online sellers.
“For some merchants there is no way not to take CNP transactions,” says Libby. “Lots use telephone booking systems such as interactive voice response (IVR) and for others it isn’t logical for the customer to visit an office or store to complete transactions.”
In 2020, it’s becoming more and more difficult to run a business solely offline. “For these merchants there is no option,” says Libby “CNP transactions are not to be feared as long as you have good security measures in place.”
Here’s an example.
By refusing CNP transactions, the merchant above has added friction to Sophie’s shopping experience. So they lost the sale.
Keep in mind, however, that accepting CNP transactions may put you into a “high-risk” category for card processing.
As a high risk merchant, what are my options for merchant accounts?
If you plan to offer CNP transactions, you’ll still be able to obtain a merchant account. However, your rates and terms of your contract may be less desirable in comparison to your low-risk counterparts.
The good news is there are a lot of merchant service providers that specialize in high-risk merchant accounts. While many merchant service providers openly advertise their standard, low-risk merchant rates, high-risk account fees are usually less transparent because there are more variables to take into consideration.
Additionally, if you’re deemed as a high-risk business, your account provider will likely require you to keep a reserve. There are three types of reserve accounts you can expect from merchant service providers, and they are:
- Rolling reserve. A rolling reserve is a risk management strategy the acquiring bank uses to protect themselves from potential fraud, chargebacks, or other incidents where the acquirer may lose money. Think of it as a buffer or an insurance policy on the high-risk nature of your business. Based on the terms of your merchant agreement, the payment provider will withhold a percentage of your daily revenue for a specified term, and then gradually release the funds.
- Up-front reserve. If you’re a new business or have other less than ideal qualifying factors, some MSPs will require starting with an up-front reserve. Based on expected transaction volume, an up-front reserve is the amount of money that must be placed in escrow at the start of the merchant agreement — or allow the MSP to withhold 100 percent of credit card funds until the reserve balance is met.
- Capped or fixed reserve. A fixed reserve is when the acquirer withholds a percentage of every transaction until the reserve reaches the cap agreed upon in the merchant agreement. Unlike a rolling reserve where the acquirer takes a portion of every sale indefinitely, in this model, once the cap is reached the acquirer will not take any additional funds. However, if the MSP needs to withdraw from the reserve for any reason, the withholding percentage will kick in again until the cap balance is replenished.
One last thing to note because of the high-risk nature of your business, you may also be susceptible to account freezes. During this freeze, you cannot continue to process credit or debit cards until the hold is lifted.
If there’s suspicious activity with your merchant account, a payment processor may temporarily freeze your account to analyze your processing habits and decide whether or not you’re operating within the terms of your agreement or are in breach of contract.
If it’s the latter and you’re fulfilling your side of the agreement, expect the MSP to do one of the following:
- Rewrite the merchant agreement based on the assessment findings.
- The temporary freeze will lead to a permanent termination.
- The worst case scenario when a high-risk merchant account provider freezes your account and intentional fraud is found, the merchant can face fines or have criminal charges brought against them.
While account freezes may be unavoidable from time-to-time, the best way to avoid termination is to be honest on your merchant application. Be upfront about the types of products and services you offer and your expectations for credit card volume.
What is card-not-present fraud?
Card-not-present fraud is a type of credit card scam where the customer doesn’t physically present a card to the merchant during a fraudulent transaction. Card-not-present fraud typically occurs with transactions online or over the phone.
“CNP fraud happens in a number of ways,” says Ian Sells, CEO of Rebate Key, an ecommerce discount platform for merchants and shoppers. “Scammers steal your information like your name, card number, address, security code and more. The hackers that get this information are sneaky, and they don’t ever need to see your card to steal this information. All of your data can be stolen electronically through phishing schemes.”
Since a merchant can’t physically inspect a stolen card for signs of fraud (like altered account numbers or a missing hologram), card-not-present fraud is considered harder to prevent than card-present fraud.
“CNP transactions are commonly targeted with stolen or cloned credit and debit cards,” says Libby. “This is something for merchants to be aware of. Adding additional levels of security will ensure these fraudulent payments are kept to a minimum.”
How does card-not-present transaction fraud occur?
CNP transaction fraud happens when someone either physically steals a credit card or copies a card’s information manually or with skimmers. Fraudsters then use that stolen information to purchase goods or services without the cardholder’s consent. Increasingly, fraudsters make illegitimate purchases online where they can easily fake an identity.
A merchant’s bank can revoke the funds received from the fraudulent transaction and return them to the cardholder’s account, if a cardholder discovers their card or personal information was stolen and that unauthorized purchases were made.
Example of card-not-present fraud:
Let’s revisit the Sophie example above, but this time your site accepts CNP transactions.
Who is liable for card-not-present transaction fraud?
Fraud liability lies with the merchant for any CNP transaction until the chargeback case proves otherwise.
Because of the risk of accepting these types of payments, a processing bank will not accept liability—and this is clearly covered in terms and conditions, as Libby explains. “Some banks will hold a rolling reserve when businesses process high amounts of these transactions, this acts as a safety net in the event of chargeback or fraud,” she says.
This is generally not the case with CP transactions.
As of October 2015, if a merchant uses EMV protection, they aren’t held liable for CP fraud. If, however, a merchant takes CP transactions without EMV protection for chip cards, the liability for fraud falls on them.
Five types of card-not-present fraud
Let’s delve even deeper into the kinds of card-not-present fraud you need to know about:
- True fraud
- Friendly fraud
- Triangulation fraud
- Clean fraud
- Application and identity fraud
What is true fraud?
True fraud occurs when a credit card is used without the cardholder’s knowledge or consent.
“Card not-present transactions are an easy target for fraudulent payments largely because the security checks are less than those of face-to-face payments such as using a chip and pin machine,” says Libby, at Merchant Advice Services. “CNP accounted for 68% of fraudulent card payments in 2019. True fraud is using fake details to complete these types of card payments.”
What is friendly fraud?
Friendly fraud occurs when a legitimate customer requests an illegitimate chargeback.
“Friendly fraud” is also known as chargeback fraud,” explains Libby. “This is where the customer raises a chargeback directly with their bank, receiving a refund. A common reason for this is that the goods/services weren’t delivered. It’s then up to the merchant to prove otherwise, subsequently obtaining reimbursement.”
What is triangulation fraud?
This is when criminals set up a fake website to get customers to buy cheap goods. This is just a ploy. The goods never arrive and the fraudsters steal customers’ credit card details to use for their own ends.
What is ‘clean fraud’?
This may happen shortly after the triangulation fraud has happened. Clean fraud is when transactions look legitimate, but are being made using stolen credit card information to impersonate the cardholder.
What is application and identity fraud?
Just as fraudsters can steal anyone’s private and financial details, to pretend to be someone else to buy goods, so too can they use that information to apply for a card.
What is chargeback fraud?
Chargeback fraud occurs when the true cardholder makes a legitimate purchase and receives the goods or services they bought but still requests a chargeback from their bank.
If you can document that the real cardholder authorized the transaction, you can win these chargeback cases. So make sure you’re keeping accurate transaction records.
When you receive a chargeback, the issuing bank will assign to it a reason code. That reason code has specific compelling evidence requirements to overturn the bank’s decision and close the case in the merchant’s favor.
In any case of chargeback fraud, the merchant needs to prove that the customer who made the purchase is the true owner of the card and benefitted from the sale. In cases where the customer claims they are dissatisfied with the merchant’s product or service, the merchant needs to prove the goods or services were delivered exactly as advertised and the customer agreed to your refund policy prior to the transaction.
Seven examples of compelling evidence for fighting CNP chargebacks:
- Customer identifying information (name, address, email, phone number)
- Refund and cancellation policy (publicly shown on your site, invoices or receipts)
- Shipping policies
- Delivery confirmation (tracking number and confirmation of delivery)
- A signed contract or invoice (typically used for custom orders)
- Photos of items shipped or services rendered
- Email communications (save these in case you need to refer back to build a timeline or confirm details)
How to handle card-not-present fraud with Lightspeed
Your first step in accepting CNP transactions is to choose a payment processor that puts compliance and security first. It doesn’t hurt to also keep up with the best practices from credit card providers and security companies.
With Lightspeed Payments, we take security seriously—and we help you deal with any chargebacks that occur.
Say you’re notified of a chargeback request. In this case, Address Verification Service (AVS) is one of the most secure tools you have to defend yourself. When a CNP transaction is performed, AVS checks the numeric information (such as a ZIP or postcode) and authenticates it with the providing bank. If there’s a full AVS match, the transaction will go through; if there isn’t a match, the transaction is declined to prevent fraud.
In some cases, AVS may return a partial match result. If that happens, the transaction may still be approved by your processor if other information matches. The information they look for matches for includes:
- Email address data
- IP address data
- The Card Verification Value/Code (CVV/CVC)
In order to dispute the chargeback, the merchant needs to prove that they or their payment processor made attempts to verify a transaction’s validity.
This is where AVS comes in. While a full AVS match doesn’t guarantee that merchants can stop the chargeback, it does greatly strengthen their case.
Accept CNP transactions securely in-store and online
Ready to see how Lightspeed Payments can give you peace of mind about CNP transactions? Contact our team of experts today.