Retail

What is a Card-Not-Present Transaction?

by Luke O'Neill
2023-08-25

minute read

Pre-internet, card not present (CNP) transactions were risky for merchants because they couldn’t verify a card holder’s identity as easily as they can online today. Watching out for fishy customers and potentially fraudulent transactions is part of every retailer’s job, and one easy win? Turning down those CNP payments.

These days, CNP transactions are more common thanks to ecommerce, where CNP payments are the default by definition; Visa’s network saw a 55% increase in card not present transactions between 2019 and 2021 thanks to online shopping.

Thankfully, card not present transactions have become a lot more secure, with identity verification and common security practices like two-factor authentication.

But let’s take a few steps back here. What exactly is a CNP transaction?

And even with built-in security features from payment providers, are CNP transactions still risky? If they’re so common, why do they still have higher fees?

Let’s take a closer look.

Lightspeed POS now comes with integrated payments

Lightspeed Payments: Simple pricing, no hidden fees, and a secure checkout experience.

Learn more

What is a card-not-present transaction?

First up, a simple definition. A CNP transaction is any transaction using a credit card where the cardholder is not there and cannot physically present their card for payment.

Card-not-present transaction examples:

Online mobile and desktop sales
Mail order and telephone transactions (MOTO)
Transactions where a card number is keyed in (even if the cardholder’s there)

“Card not-present transactions cover any type of card payment where a card payment takes place remotely,” explains Libby James, co-founder of UK-based Merchant Advice Services which helps business-owners understand card payments.

“Basically, that can be any payment without the need for the customer to enter their pin, or verify with face ID, while using a credit or debit card physically or on a mobile phone.”

Why are card not present transaction fees higher?

As a merchant, you have a hard time verifying a shopper’s identity alone. And when accepting payments in person, you can’t count on outdated fraud detection methods for most transactions, since a card’s EMV chip is now what powers fraud detection.

This is partly why banks charge higher processing fees for CNP transactions and they’re more expensive for merchants to process.

Even though card not present transactions are more secure online, they still incur a higher fee thanks to the extra fraud detection risks. Chargebacks are costly, after all, and they’re more likely to happen with CNP payments.

What is a card-present transaction?

A Card Present (CP) transaction is any transaction where the customer physically interacts with a payment terminal using their card.

Card-present transaction examples:

Swiping a card with a magnetic strip
Inserting a card with an EMV chip
Mobile payments (Think Apple Pay, Google Pay or Samsung Pay)
Tap-and-go payments

Any transaction where the card numbers are manually keyed into a credit card machine does not count as a card-present transaction—even when the card is physically present. To qualify as a CP transaction, the merchant must ‘capture’ the card’s stored electronic data.

CP transactions are considered more secure thanks to electronic security data transmitted when the card is used. And EMV cards, sometimes called ‘chip and pin’ cards, help keep CP transactions safe and encrypted.

But …

“Card-present transactions are supposed to be safer because a merchant should check the card for any sort of damage or match a signature on the back of the card to the signature on a receipt,” says Ian. “In practice, card-present fraud is also a major problem. If you accidentally drop your credit card in the mall and someone picks it up, no store clerk will ever actually verify the user’s ID.”

Note: Budgeting for CNP transaction fees is difficult when processing fees are unpredictable, which is why you should always select a payment processor with one rate for all transaction types.

Lightspeed Payments charges 2.9% + $0.30 for all card-not-present transaction types with no hidden fees for Retail POS customers.

Why should merchants accept card-not-present transactions?

As a merchant, you could choose to avoid CNP transactions.

But that would mean you couldn’t open an online store.

Retail ecommerce sales in the U.S. rose by more than 30% to $211.5 billion in the second quarter of 2020. That figure gives you a sense of why sticking to in-store selling can eat into retailers’ sales and revenue potential.

That said, if you’re very risk-averse, you could set up a “reserve online and pay in-store” order fulfillment process. But bear in mind, this will add friction to your customers’ shopping experience. It’s also bound to increase the probability of abandoned carts—a common pain for online sellers.

“For some merchants there is no way not to take CNP transactions,” says Libby. “Lots use telephone booking systems such as interactive voice response (IVR) and for others it isn’t logical for the customer to visit an office or store to complete transactions.”

In 2023, it’s becoming more and more difficult to run a business solely offline. “For these merchants there is no option,” says Libby “CNP transactions are not to be feared as long as you have good security measures in place.”

Here’s an example.

Sophie is out shopping with friends when she sees a handbag she likes in your window display. Your store is closed, so she uses her smartphone to look up the handbag on your website. She finds it, adds it to her cart and checks-out.

To her surprise, the only available method of order fulfillment is to reserve the handbag and to pay and pick up in-store.

Since Sophie will be out of town and unable to pick up the handbag in-store, she holds off on finalizing her order until she gets back. But time goes by, life gets busy, and she forgets.

By refusing CNP transactions, the merchant above has added friction to Sophie’s shopping experience. So they lost the sale.

How to process a CNP transaction

In person, you should always accept card present transactions, and card present only.

For ecommerce (or telephone order) sales, however, you have a few options for processing CNP transactions:

Online checkouts: whether they use their credit card directly, an online-shopping enabled debit card, PayPal or otherwise, all you need to do is set up a secure online checkout. The system will help take care of fraud checks.

Keyed in from over the phone: if a customer is calling in to make a payment, proceed with a sale in your POS like usual. When it comes time to pay, select the option to enter details manually. Your POS will let sales associates know what information it needs to process the sale.

Invoices: if a customer isn’t comfortable with giving your sales associates their card details over the phone, you can use an invoicing tool like QuoteMachine to make them feel more secure.

Keep in mind that while card not present is standard for ecommerce, CNP transactions may put you into a “high-risk” category for card processing if you accept a lot of them offline.

As a high risk merchant, what are my options for merchant accounts?

If you plan to offer CNP transactions, you’ll still be able to obtain a merchant account. However, your rates and terms of your contract may be less desirable in comparison to your low-risk counterparts.

The good news is there are a lot of merchant service providers that specialize in high-risk merchant accounts. While many merchant service providers openly advertise their standard, low-risk merchant rates, high-risk account fees are usually less transparent because there are more variables to take into consideration.

Additionally, if you’re deemed as a high-risk business, your account provider will likely require you to keep a reserve. There are three types of reserve accounts you can expect from merchant service providers, and they are:

Rolling reserve. A rolling reserve is a risk management strategy the acquiring bank uses to protect themselves from potential fraud, chargebacks, or other incidents where the acquirer may lose money. Think of it as a buffer or an insurance policy on the high-risk nature of your business. Based on the terms of your merchant agreement, the payment provider will withhold a percentage of your daily revenue for a specified term, and then gradually release the funds.
Up-front reserve. If you’re a new business or have other less than ideal qualifying factors, some MSPs will require starting with an up-front reserve. Based on expected transaction volume, an up-front reserve is the amount of money that must be placed in escrow at the start of the merchant agreement — or allow the MSP to withhold 100 percent of credit card funds until the reserve balance is met.
Capped or fixed reserve. A fixed reserve is when the acquirer withholds a percentage of every transaction until the reserve reaches the cap agreed upon in the merchant agreement. Unlike a rolling reserve where the acquirer takes a portion of every sale indefinitely, in this model, once the cap is reached the acquirer will not take any additional funds. However, if the MSP needs to withdraw from the reserve for any reason, the withholding percentage will kick in again until the cap balance is replenished.

One last thing to note because of the high-risk nature of your business, you may also be susceptible to account freezes. During this freeze, you cannot continue to process credit or debit cards until the hold is lifted.

If there’s suspicious activity with your merchant account, a payment processor may temporarily freeze your account to analyze your processing habits and decide whether or not you’re operating within the terms of your agreement or are in breach of contract.

If it’s the latter and you’re fulfilling your side of the agreement, expect the MSP to do one of the following:

Rewrite the merchant agreement based on the assessment findings.
The temporary freeze will lead to a permanent termination.
The worst case scenario when a high-risk merchant account provider freezes your account and intentional fraud is found, the merchant can face fines or have criminal charges brought against them.

While account freezes may be unavoidable from time-to-time, the best way to avoid termination is to be honest on your merchant application. Be upfront about the types of products and services you offer and your expectations for credit card volume.

How to accept CNP transactions securely

In theory, card not present transactions are simple. Your sales associate keys in the card number, the payment goes through, and that’s it. But it’s not that simple—that’s a great way to fall victim to fraud, after all.

Here are some best practices you can follow:

Don’t accept card not present transactions in person. If someone is paying in your store, they should have their card with them. Instruct your sales associates to only take card present payments.
Use Address Verification Service. This system checks a customer’s card details against the address they provide. When in doubt, use AVS.
Perform card security checks. If someone is paying by card, they should have the three (or four) digit security code on the back of the card. Ask for it when in doubt—though your POS should require it to process CNP transactions anyway.
Use a PCI DSS level 1 certified payment processor. PCI compliance is required by the credit card industry already, so you might as well look for the highest level of security.

Tip: If you must manually process a card by keying in the number, you can take steps to mitigate the risk of fraud and to prevent chargebacks. Have your customer fill out a credit card authorization form in cases where you do not have an existing relationship with the customer. Doing so will help ensure you have a strong case in the event of any disputes, and will often prevent a dispute from happening in the first place.

Click here to download our free credit card authorization form.

What is card-not-present fraud?

Card-not-present fraud is a type of credit card scam where the customer doesn’t physically present a card to the merchant during a fraudulent transaction. Card-not-present fraud typically occurs with transactions online or over the phone.

“CNP fraud happens in a number of ways,” says Ian Sells, CEO of Rebate Key, an ecommerce discount platform for merchants and shoppers. “Scammers steal your information like your name, card number, address, security code and more. The hackers that get this information are sneaky, and they don’t ever need to see your card to steal this information. All of your data can be stolen electronically through phishing schemes.”

Since a merchant can’t physically inspect a stolen card for signs of fraud (like altered account numbers or a missing hologram), card-not-present fraud is considered harder to prevent than card-present fraud.

“CNP transactions are commonly targeted with stolen or cloned credit and debit cards,” says Libby. “This is something for merchants to be aware of. Adding additional levels of security will ensure these fraudulent payments are kept to a minimum.”

How does card-not-present transaction fraud occur?

CNP transaction fraud happens when someone either physically steals a credit card or copies a card’s information manually or with skimmers. Fraudsters then use that stolen information to purchase goods or services without the cardholder’s consent. Increasingly, fraudsters make illegitimate purchases online where they can easily fake an identity.

A merchant’s bank can revoke the funds received from the fraudulent transaction and return them to the cardholder’s account, if a cardholder discovers their card or personal information was stolen and that unauthorized purchases were made.

Example of card-not-present fraud:

Let’s revisit the Sophie example above, but this time your site accepts CNP transactions.

At checkout, Sophie selects regular shipping and pays for her order using her credit card.

A week later, you’re notified of a chargeback on Sophie’s order. As it turns out, someone stole Sophie’s credit card to make the purchase.

Payment processors like Lightspeed help merchants mitigate risk with built-in PCI compliance and fraud monitoring, as well as advice and assistance if a dispute is filed.

Who is liable for card-not-present transaction fraud?

Fraud liability lies with the merchant for any CNP transaction until the chargeback case proves otherwise.

Because of the risk of accepting these types of payments, a processing bank will not accept liability—and this is clearly covered in terms and conditions, as Libby explains. “Some banks will hold a rolling reserve when businesses process high amounts of these transactions, this acts as a safety net in the event of chargeback or fraud,” she says.

This is generally not the case with CP transactions.

As of October 2015, if a merchant uses EMV protection, they aren’t held liable for CP fraud. If, however, a merchant takes CP transactions without EMV protection for chip cards, the liability for fraud falls on them.

Pro tip: If you must manually process a card by keying in the number, you can take steps to mitigate the risk of fraud and to prevent chargebacks. Have your customer fill out a credit card authorization form in cases where you do not have an existing relationship with the customer. Doing so will help ensure you have a strong case in the event of any disputes, and will often prevent a dispute from happening in the first place. Click here to download our free credit card authorization form.

Five types of card-not-present fraud

Let’s delve even deeper into the kinds of card-not-present fraud you need to know about:

True fraud
Friendly fraud
Triangulation fraud
Clean fraud
Application and identity fraud

What is true fraud?

True fraud occurs when a credit card is used without the cardholder’s knowledge or consent.

“Card not-present transactions are an easy target for fraudulent payments largely because the security checks are less than those of face-to-face payments such as using a chip and pin machine,” says Libby, at Merchant Advice Services. “CNP accounted for 68% of fraudulent card payments in 2019. True fraud is using fake details to complete these types of card payments.”

What is friendly fraud?

Friendly fraud occurs when a legitimate customer requests an illegitimate chargeback.

“Friendly fraud” is also known as chargeback fraud,” explains Libby. “This is where the customer raises a chargeback directly with their bank, receiving a refund. A common reason for this is that the goods/services weren’t delivered. It’s then up to the merchant to prove otherwise, subsequently obtaining reimbursement.”

What is triangulation fraud?

This is when criminals set up a fake website to get customers to buy cheap goods. This is just a ploy. The goods never arrive and the fraudsters steal customers’ credit card details to use for their own ends.

What is ‘clean fraud’?

This may happen shortly after the triangulation fraud has happened. Clean fraud is when transactions look legitimate, but are being made using stolen credit card information to impersonate the cardholder.

What is application and identity fraud?

Just as fraudsters can steal anyone’s private and financial details, to pretend to be someone else to buy goods, so too can they use that information to apply for a card.

What is chargeback fraud?

Chargeback fraud occurs when the true cardholder makes a legitimate purchase and receives the goods or services they bought but still requests a chargeback from their bank.

If you can document that the real cardholder authorized the transaction, you can win these chargeback cases. So make sure you’re keeping accurate transaction records.

When you receive a chargeback, the issuing bank will assign to it a reason code. That reason code has specific compelling evidence requirements to overturn the bank’s decision and close the case in the merchant’s favor.

In any case of chargeback fraud, the merchant needs to prove that the customer who made the purchase is the true owner of the card and benefitted from the sale. In cases where the customer claims they are dissatisfied with the merchant’s product or service, the merchant needs to prove the goods or services were delivered exactly as advertised and the customer agreed to your refund policy prior to the transaction.

Seven examples of compelling evidence for fighting CNP chargebacks:

Customer identifying information (name, address, email, phone number)
Refund and cancellation policy (publicly shown on your site, invoices or receipts)
Shipping policies
Delivery confirmation (tracking number and confirmation of delivery)
A signed contract or invoice (typically used for custom orders)
Photos of items shipped or services rendered
Email communications (save these in case you need to refer back to build a timeline or confirm details)

Reminder: Even customers who present their card to you in person may be subject to chargebacks. How? Say the card’s chip reader doesn’t work and you’re forced to key the number in instead. This automatically qualifies the transaction as Card-Not-Present even if both the customer and card are physically present. Keyed-in transactions have a higher chance of chargebacks than average.

How to handle card-not-present fraud with Lightspeed

Your first step in accepting CNP transactions is to choose a payment processor that puts compliance and security first. It doesn’t hurt to also keep up with the best practices from credit card providers and security companies.

With Lightspeed Payments, we take security seriously—and we help you deal with any chargebacks that occur.

Say you’re notified of a chargeback request. In this case, Address Verification Service (AVS) is one of the most secure tools you have to defend yourself. When a CNP transaction is performed, AVS checks the numeric information (such as a ZIP or postcode) and authenticates it with the providing bank. If there’s a full AVS match, the transaction will go through; if there isn’t a match, the transaction is declined to prevent fraud.

In some cases, AVS may return a partial match result. If that happens, the transaction may still be approved by your processor if other information matches. The information they look for matches for includes:

Email address data
IP address data
The Card Verification Value/Code (CVV/CVC)

In order to dispute the chargeback, the merchant needs to prove that they or their payment processor made attempts to verify a transaction’s validity.

This is where AVS comes in. While a full AVS match doesn’t guarantee that merchants can stop the chargeback, it does greatly strengthen their case.

Accept CNP transactions securely in-store and online

Ready to see how Lightspeed Payments can give you peace of mind about CNP transactions? Contact our team of experts today.

News you care about. Tips you can use.

Everything your business needs to grow, delivered straight to your inbox.

Written by

Luke O'Neill

Luke O’Neill writes for growing businesses in fintech, legal SaaS, and education. He owns Genuine Communications, which helps CMOs, founders, and marketing teams to build brands and attract customers.