What is a Card Not-Present (CNP) Transaction?

What is a Card Not-Present (CNP) Transaction?

As a retailer, watching out for fishy customers and potentially fraudulent transactions is part of the job. But these days, it can feel like a full-time job.

Turning down a card not-present (CNP) transaction used to feel like a no-brainer. Pre-internet, CNP transactions were risky for merchants because they couldn’t verify the card holder’s identity as easily as they can online today. Now, thanks to eCommerce, CNP transactions are secure and processed by merchants around the world. 

But what exactly is a CNP transaction? Even with built-in security features from payment providers, are CNP transactions risky?

Let’s clear the air about CNP transactions, fraud and what retail merchants can do to protect themselves.

In this article you’ll learn:

  1. What a CNP transaction is
  2. What CNP transaction fraud is
  3. The different types of CNP fraud
  4. How to handle CNP fraud

Lightspeed POS now comes with integrated payments

Introducing Lightspeed Payments: Simple pricing, no hidden fees, and a secure checkout experience.


What is a card-not-present transaction?

A Card-Not-Present (CNP) transaction is any transaction using a credit card where the cardholder is not or cannot physically present their card for payment. 

Card-not-present transaction examples:

  • Online sales
  • Telephone orders/MOTO
  • Transactions where the card number is keyed in (even if the cardholder is present)

CNP transactions are considered riskier Card Present (CP) transactions. Merchants have a harder time verifying a shopper’s identity and can’t count on the usual fraud detection methods for most transactions since a card’s EMV chip is what powers fraud detection. As a result, banks charge higher processing fees and they’re more expensive for merchants to process. 


What is a card-present transaction?

A Card Present (CP) transaction is any transaction where the customer physically interacts with a payment terminal using their card.

Card-present transaction examples:

  • Swiping a card with a magnetic strip
  • Inserting a card with an EMV chip
  • Mobile payments (Apple Pay, Google Pay, etc.)

Any transaction manually keyed into a credit card machine does not count as a card present transaction, even when the card is physically present. In order to qualify as a CP transaction, the merchant must capture electronic data stored on the card.

CP transactions are considered more secure thanks to electronic security data transmitted when the card is used. EMV cards, or chip cards, help keep CP transactions safe and encrypted.  

Note: Budgeting for CNP transaction fees is difficult when processing fees are unpredictable, which is why you should always select a payment processor with one rate for all transaction types.

Lightspeed Payments charges 2.6% + $0.30 for all transaction types with no hidden fees for our Retail POS customers.


Why should merchants accept card-not-present transactions? 

Merchants can always choose not to accept CNP transactions, but that would mean they couldn’t open an online store.

Considering retail eCommerce sales in the U.S. were $146.2 billion the second quarter of 2019, not opening an online store can significantly reduce a retailer’s overall sales and revenue. 

Risk-averse merchants can always set up a “reserve online and pay in-store” online order fulfillment process, but that adds friction to your customer’s shopping experience and increases the probability of abandoned carts. 

Here’s an example to illustrate why this isn’t the best alternative:

Sophie is out shopping with friends when she sees a handbag she likes in your window display. Your store is closed, so she uses her smartphone to look up the handbag on your website. She finds it, adds it to her cart and checks-out.

To her surprise, the only available method of order fulfillment is to reserve the handbag and to pay and pick up in-store.

Since Sophie will be out of town and unable to pick up the handbag in-store, she holds off on finalizing her order until she gets back… but she never does. 

By not accepting CNP transactions, merchants add friction to their customer’s shopping experience, lowering the probability that they make a purchase. 

If you decide to accept CNP transactions, be sure to acquaint yourself with your payment processor’s fraud protection and prevention options. 


What is card-not-present fraud?

Card-not-present fraud is a type of credit card scam where the customer doesn’t physically present a card to the merchant during the fraudulent transaction. Card-not-present fraud typically occurs with transactions online or over the phone. Since the merchant can’t physically inspect the credit card for signs of fraud (like altered account numbers or a missing hologram), card-not-present fraud is considered harder to prevent than card-present fraud.

How does card-not-present transaction fraud occur?

CNP transaction fraud happens when someone either physically steals a credit card or copies a card’s information manually or using skimmers. Fraudsters then use that stolen information to purchase goods or services without the cardholder’s consent. Increasingly, fraudsters make illegitimate purchases online where they can easily fake their identity. 

If a cardholder discovers their card or personal information was stolen and that unauthorized purchases were made, the merchant’s bank revokes the funds received from the fraudulent transaction and returns them to the cardholder’s account.

Example of card-not-present fraud:

Let’s revisit the Sophie example above, but this time your site accepts CNP transactions. 

At checkout, Sophie selects regular shipping and pays for her order using her credit card.

A week later, you’re notified of a chargeback on Sophie’s order. As it turns out, someone stole Sophie’s credit card to make the purchase.

Payment processors like Lightspeed help merchants mitigate risk with built-in PCI compliance and fraud prevention, as well as chargeback assistance if ever you fall victim to fraud. 

Who is liable for card-not-present transaction fraud?

Fraud liability lies with the merchant for any CNP transaction until the chargeback case proves otherwise. 

This is generally not the case with CP transactions.

As of October 2015, if a merchant uses EMV protection, they aren’t held liable for CP fraud. If, however, a merchant takes CP transactions without EMV protection for chip cards, the liability for fraud falls on them. 

Pro tip: In the event that you must manually process a card by keying in the number, there are precautionary steps you can take to mitigate the risk of fraud and to prevent chargebacks. A simple step you can take is to have your customer fill out a credit card authorization form in cases where you do not have an existing relationship with the customer. Doing so will help ensure you have a strong case in the event of any disputes, and will often prevent a dispute from happening in the first place. Click here to download our free credit card authorization form.


The different types of card-not-present fraud

There are two types of card-not-present fraud:

  1. True fraud
  2. Friendly fraud

What is true fraud?

True fraud occurs when a credit card is used without the true cardholder’s knowledge or consent.

What is friendly fraud?

Friendly fraud occurs when a legitimate customer requests an illegitimate chargeback.


What is chargeback fraud?

Chargeback fraud occurs when the true cardholder makes a legitimate purchase and receives the goods or services they bought but still requests a chargeback from their bank.

If the merchant has the documentation to prove that the real cardholder authorized the transaction, they can win these chargeback cases, so make sure you’re keeping accurate transaction records. 

When you receive a chargeback, the issuing bank will assign to it a reason code. That reason code has specific compelling evidence requirements to overturn the bank’s decision and close the case in the merchant’s favor. 

In any case of chargeback fraud, the merchant needs to prove that the customer who made the purchase is the true owner of the card and benefitted from the sale. In cases where the customer claims they are dissatisfied with the merchant’s product or service, the merchant needs to prove the goods or services were delivered exactly as advertised and the customer agreed to your refund policy prior to the transaction.

Examples of compelling evidence for fighting CNP chargebacks:

  1. Customer identifying information (name, address, email, phone number)
  2. Refund/cancellation policies (publicly visible on your website or on the invoice/receipt)
  3. Shipping policies 
  4. Delivery confirmation (tracking number and confirmation of delivery)
  5. A signed contract or invoice (typically used for custom orders)
  6. Photos of items shipped or services rendered 
  7. Email communications (save these in case you need to refer back to build a timeline or confirm details)

Reminder: Even customers who present their card to you in person may be subject to chargebacks. How? Say the card’s chip reader doesn’t work and you’re forced to key the number in instead. This automatically qualifies the transaction as Card-Not-Present even if both the customer and card are physically present. Keyed-in transactions have a higher chance of chargebacks than average.


How to handle card-not-present fraud with Lightspeed

Your first step in accepting CNP transactions is to choose a payment processor that puts compliance and security first. It doesn’t hurt to also keep up with the best practices from credit card providers and security companies. 

With Lightspeed Payments, we take security seriously—and we help you deal with any chargebacks that occur. 

Say you’re notified of a chargeback request. In this case, Address Verification Service (AVS) is one of the most secure tools you have to defend yourself. When a CNP transaction is performed, AVS checks the numeric information (such as a ZIP or postal code) and authenticates it with the providing bank. If there’s a full AVS match, the transaction will go through; if there isn’t a match, the transaction is declined to prevent fraud.

In some cases, AVS may return a partial match result. If that happens, the transaction may still be approved by your processor if other information matches. The information they look for matches for includes:

  • Email address data
  • IP address data
  • The Card Verification Value/Code (CVV/CVC)

In order to dispute the chargeback, the merchant needs to prove that they or their payment processor made attempts to verify a transaction’s validity.

This is where AVS comes in. While a full AVS match doesn’t guarantee that merchants can stop the chargeback, it does greatly strengthen their case. 

Ready to see how Lightspeed Payments can help you accept CNP transactions securely in-store and online? Contact our team of experts today.