Card-Not-Present (CNP) Transactions: Why They Matter
Much of the global economy revolves around some form of card payments. In fact, consumers worldwide are swiping, scanning, or tapping their cards countless times daily. Sales in which the card’s electronic data isn’t immediately captured comprise a rapidly growing percentage of overall card transactions.
Specifically, these “card-not-present” debit-based transactions climbed an impressive 21 percent in 2019, says the 2020 Debit Issuer Study. Card-not-present payments’ growth rate was over 10 times that of card-present payments during the same period.
This landmark study was commissioned by the Discover Financial Services PULSE debit card network. Oliver Wyman conducted the comprehensive 2020 analysis.
What is a card-not-present (CNP) transaction?
The definition of a card-not-present transaction is clear and muddy at the same time. By definition, a card-not-present (or CNP) sale means the merchant doesn’t obtain the card’s electronic data during the transaction. The sale’s processing method largely determines whether the CNP designation applies.
For example, let’s say a cardholder hands her credit card to a craft show vendor. The artisan makes a manual imprint of the card, processes the sale, and hands the buyer a receipt. Although a physical card was provided, this transaction still qualifies as a CNP transaction. Remember, no electronic data changed hands.
However, if the customer swipes, dips, or taps their card, a card-present transaction takes place. Retailers who permit phone-tap card payments will receive credit for a card-present sale. This will be the case even if the merchant never sees the customer’s Visa or MasterCard.
How do CNP transactions differ from card-present transactions?
To reiterate, card-not-present transactions are sales in which the payment is received in some remote manner. If a retailer keys in the card number, even if the cardholder is present, that’s a CNP transaction.
Mail order and over-the-phone sales are also good examples of CNP transactions. Finally, eCommerce sales and recurring payments (or subscriptions) also qualify as card-not-present transactions.
A card-present transaction often involves credit card processing via a countertop card terminal or point-of-sale (POS) station. As an alternative, the merchant can swipe the customer’s card into a smartphone or tablet card reader. Completing a contactless card payment via a digital wallet also qualifies as a card-present transaction.
Why should a merchant process card-not-present sales?
Because CNP transactions carry some inherent risks, cautious merchants could certainly choose not to accept these types of sales. However, that would prohibit business owners from operating online retail stores. With impressive eCommerce growth in recent years, restricting a business to in-store sales could shut off an important revenue source.
As a work-around, a brick-and-mortar retailer could establish an “order online and pay in the store” policy. However, this would likely make customers’ shopping experiences more inconvenient and less enjoyable. Even worse, the practice would probably raise the chances of abandoned shopping carts. This issue already creates problems for many online merchants.
Why do card-not-present transactions cost more?
As a rule, merchants will pay higher fees for accepting card-not-present transactions compared with card-present transactions. Two risk-related factors are behind this practice.
For perspective, realize that all card transactions carry some inherent risks. However, CNP transactions are especially vulnerable to fraudulent in-store sales and online payment problems.
The merchant isn’t able to verify the customer’s identity, so it’s much easier for fraudulent transactions to go through. The credit card companies pass this elevated risk onto the merchant by charging higher transaction fees.
Next, realize that some card-not-present transactions present more risks than others, and therefore cost more. For example, online transactions are relatively secure, as each customer must enter their credit card number and expiration date. Next, they must supply their address and credit card security code (or CVV number).
Although online transactions aren’t foolproof, they have several safeguards that are lacking in keyed transactions. As a result, the keyed transactions are at higher risk for credit card fraud. So, merchants pay higher processing fees for these sales.
What is card-not-present fraud?
When a cardholder doesn’t personally present their card to a merchant, the door is open for criminals to commit card-not-present fraud. Fraudsters know that phone, mail order, and online transactions lack security safeguards common to chip-based card sales. So, they’re always ready to take advantage of opportunities to enrich themselves.
Sometimes, a criminal steals a cardholder’s physical card and uses it to embark on a frenzied shopping spree. However, most fraudsters engage in virtual card fraud, completing a series of fraudulent transactions online. The actual credit card is never stolen or lost. The criminal simply runs up the balance until the credit limit is reached or the fraud is discovered.
Examples of virtual card fraud
Three types of virtual card fraud affect businesses of all sizes and types. Worse yet, almost 90 percent of smaller United States companies don’t have data protection in place. Therefore, the businesses are often victims of the following illegal practices:
Hacking: A criminal takes over the merchant’s computer system to gather sensitive customer data.
Phishing: A fraudster pretends to be a trusted source to get a user to provide sensitive data such as card numbers or passwords.
Skimming: A perpetrator uses a card-skimming device to steal credit card information from legitimate transactions.
Chargeback fraud (or friendly fraud): A chargeback occurs when a customer contacts their card issuer to dispute a purchase and request a refund. Maybe the customer never received the goods in question. Or, perhaps they did receive the merchandise, but want the refund anyway.
How can you protect your business from card-not-present fraud?
Battling card-not-present fraud can be a mentally exhausting exercise. It also takes the small business owner’s attention away from activities that will help the company to grow. Therefore, a well-crafted fraud prevention strategy is the best approach.
Meeting preset data security requirements will help to protect against CNP fraud. Businesses that process credit and debit cards should adhere to the Payment Card Industry Data Security Standards (or PCI DSS). Collectively, these standards spell out what a company must do to protect its customers’ data.
Fortunately, it’s relatively easy to comply with the PCI criteria. All payment processors, payment gateways, and equipment suppliers must undergo a rigorous certification process. This strict evaluation ensures that the company’s products comply with industry data security requirements.
Transaction-based security enhancements
Besides ongoing PCI compliance, three additional security measures will help businesses to safely navigate CNP transactions. Companies of all types and sizes will benefit from following these practices.
Address verification system (AVS)
The address verification system (or AVS) is a central database that contains customers’ credit card billing information. Merchants use the AVS to verify that a CNP customer’s billing address is identical to the card owner’s billing address. By completing this address verification, the merchant can prevent a fraudulent transaction from taking place.
Card security checks
In this CVV check, a customer must provide their credit card CVV code (or security code) to the merchant. This three-digit number appears on the card’s reverse side (an American Express card has four digits).
When the customer provides the correct numbers, the merchant can verify that the customer possessed the card during the purchase. If the shipping address has changed, the customer should be asked to re-enter the CVV number.
Using a 3-D secure code provides merchants with an added security layer during a CNP transaction. Visa, MasterCard, and American Express each have their own versions of the code.
For example, a MasterCard SecureCode sequence requires entry of a PIN code into an inline window. The issuing bank securely hosts this window, and the merchant never sees the number. This extra authentication step enhances security and lessens merchant liability.
Best practices for card-not-present transactions
Merchants should take a three-pronged approach to enhancing security of CNP transactions. All customer-facing team members should also receive proper instruction on these protocols. The credit card companies are likely a good source of CNP sales best practices recommendations.
How to present information
The company’s contact information should appear on all website pages, catalog pages, shipping forms, and correspondence templates. The business should also provide policy and procedure details for billing, shipping, and product returns processes. A toll-free phone number and an email address reduce the chances that the customer will contact the card issuer.
How to gather and protect data
Obtaining each customer’s complete contact information is important. This is especially necessary if the billing and shipping addresses are different. Finally, this protocol is essential when processing high-dollar sales.
Gathering complete credit card details is also a key fraud prevention tactic. The card type, customer’s exact name on the card, and the expiration date are important. The CVV code, and ideally an online transaction’s secure code, are also useful.
How to minimize interchange fees and chargebacks
For merchant accounts that utilize interchange-plus pricing, CNP transactions carry an increased interchange rate. Because the card networks are accepting more risk, they want a better return on the transaction.
Third-party processors include their own base rate markups for CNP sales. To get more favorable interchange rates, each transaction should follow the card brands’ specific rules.
To minimize chargebacks, businesses should take clear, decisive action to quickly resolve every customer issue. Through timely communication, many problems can be handled before they escalate to the card issuer. If this occurs, the business is likely to be faced with a costly chargeback.
Every CNP transaction carries significant risks. The small business owner should train customer-facing staff on the difference between card-present and card-not-present transactions. Ecommerce business owners should ensure that they (and their payment processor) follow appropriate security protocols. Once these procedures are in place, there’s a greater likelihood of profitable, trouble-free transactions that enhance the business’ bottom line.
Q: What are card-not-present transactions?
A: Card-not-present transactions are transactions where a payment is made without the physical presence of a payment card. This can occur when making purchases online, over the phone, or by mail order.
Q: What are the risks associated with card-not-present transactions?
A: The risks associated with card-not-present transactions for merchants include a higher risk of fraud and the potential for chargebacks or disputes.
Q: How can merchants protect themselves against fraud in card-not-present transactions?
A: Merchants can protect themselves against fraud in card-not-present transactions by using fraud detection tools, verifying the customer’s identity, and requiring additional authentication, such as a password or security question. Merchants can also use AVS (Address Verification Service) to ensure that the billing address matches the address on file with the card issuer.
Q: What are the steps to take to prevent chargebacks in card-not-present transactions?
A: To prevent chargebacks in card-not-present transactions, merchants should provide clear descriptions and images of the product or service being offered, ensure that the customer is aware of all terms and conditions, and provide excellent customer service to resolve any issues quickly and efficiently.
Q: What is 3D Secure and how can it be used to protect merchants in card-not-present transactions?
A: 3D Secure is a protocol that provides an additional layer of security for card-not-present transactions by requiring customers to enter a password or security code to verify their identity. Merchants can use 3D Secure to reduce the risk of fraud and chargebacks in card-not-present transactions.
Q: What are the legal requirements for merchants in card-not-present transactions?
A: Merchants in card-not-present transactions must comply with various legal requirements, including PCI-DSS (Payment Card Industry Data Security Standards), which provide guidelines for protecting customer payment card information. Merchants must also comply with consumer protection laws, such as providing clear descriptions of products or services and disclosing any fees or charges.
Q: What are some best practices for merchants in card-not-present transactions?
A: Best practices for merchants in card-not-present transactions include using fraud detection tools, verifying the customer’s identity, requiring additional authentication, providing clear descriptions and images of products or services, and providing excellent customer service to resolve any issues quickly and efficiently.
Q: What should merchants do if they suspect fraud in a card-not-present transaction?
A: If merchants suspect fraud in a card-not-present transaction, they should contact their payment processor immediately to report the suspicious activity and request assistance. Merchants should also keep detailed records of the transaction and any communication with the customer.