The go-to guide for accepting card not present payments securely

A card not present (CNP) transaction is when a consumer does not physically hand over their card to the merchant or use it in-store.

In the ever-expanding world of payments, it can be challenging to figure out the most secure and efficient way of accepting different payment methods. Card payments can be broadly split into two categories: card present and card not present. The latter is our focus here. This article defines card not present payments, walks through the transaction flow and reviews statistics on card not present fraud in the UK. We also explore best practice for accepting card not present payments, including the importance of PCI compliance, AVS and chargeback prevention.

What does card not present mean?

In the simplest of terms, a card not present (CNP) transaction is when a consumer does not physically hand over their card to the merchant or use it in-store. Therefore, payments placed over the internet, telephone, mail or mobile are all considered card not present. For CNP transactions, the card numbers are integral; the information required depends on the card brand, but typically consumers need to know the long number across the front of their card, the expiration date and the card security code. Alongside this, the consumer will usually be required to provide their billing address.

Card not present transaction types

MOTO (Mail Order/Telephone Order), mobile and internet payments are all card not present transactions as the card is not physically visible to the merchant, unlike when a consumer pays at a store. However, mobile payments can be conducted in person without the merchant seeing the card as it is stored in a digital wallet. With mail-order and telephone payments, the card details are respectively sent through the post or dictated over the phone.

Since the growth of eCommerce, MOTO payments have decreased in popularity as more consumers have switched to placing orders over the internet.

Card not present transaction process

The card not present transaction process operates in much the same way as a transaction made in person. A virtual terminal replaces the POS in the transaction flow and the card details are then processed by the payment gateway. From here they are passed onto the acquirer, verified by the credit card companies (e.g. Visa and Mastercard) and are then authenticated by the card issuer. If the transaction is successful at all stages of the process, then the merchant will receive confirmation that the payment has gone through.

What is card not present fraud?

A fraudulent transaction placed via the internet, telephone or mail is classified as card not present fraud. Fraudsters can obtain debit or credit card information through a number of means, including card skimming, phishing scams or physical theft of the card.

Research by UK Finance shows that from 2017 to 2018 there was a 24 per cent increase in remote purchase fraud, valued at up to £506.4 million. Although this increase is significant, it is also proportionate to the higher number of total card not present transactions. We will delve further into statistics relating to CNP fraud below.

Card not present fraud statistics

The same UK Finance report indicates that CNP transactions had the highest volume of fraud in 2018, with 78% of remote purchase fraud happening online. So is CNP fraud destined to continue increasing?

Statista data shows that since 2002, despite a few anomalous years, card not present fraud has been on an upward trajectory. There were dips just after the financial crisis and in 2017.

These numbers may be alarming for consumers who frequently make purchases over the phone or on the internet, but as discussed above the fraud volume is proportionate to the increase in this transaction type and shouldn’t be cause for worry. However, vigilance is always recommended when making any type of transaction and consumers should be sure to only shop with merchants that they trust.

For merchants, it is important to ensure that both your business and your customers are protected. Read on for our steps to safeguard against CNP fraud.

Protecting your business against card not present fraud

PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a standard created by the card schemes to govern the storing, transmitting and processing of cardholder data. All merchants who accept card payments should ensure that they are PCI compliant and doing their utmost to prevent data breaches. Depending on card transaction volume, merchants will be assigned one of four levels of PCI compliance, with Level 1 having the strictest requirements. Most Payment Service Providers (PSPs) are Level 1 PCI DSS compliant and will help alleviate your compliance burden. Our guide covers everything you need to know about becoming PCI compliant.

Prevent chargebacks

When a customer disputes a charge made to their account, they can contact their issuing bank and request a chargeback. If you choose to enter into the representment process and cannot adequately prove that the customer received your goods or services, you will likely have to reimburse them and pay chargeback fees which are determined by the card scheme and your acquirer. There are several different reasons why chargebacks may occur, including recurring transactions that the customer believed were cancelled, lack of clarity on their billing statement or genuine cases of fraud. Chargebacks are an inconvenience for merchants and actively working to prevent them can save time and money in the long run. It is beneficial to provide a recognisable company name when billing customers, clearly display information about return and cancellation policies and introduce security measures like the ones listed below.

Address Verification System

Having an Address Verification System (AVS) can further reduce fraudulent transactions and is worth investing in. If a card is stolen the fraudster will only have immediate access to the information displayed on the card, but they will not be privy to other information about the cardholder. This is where the AVS kicks in and adds an extra layer of protection. When a fraudster attempts to enter the card details on an eCommerce site, they will not be able to proceed any further if they do not have accurate information about the billing address. Various AVS response codes will be triggered and will prompt the merchant to take further action. It may seem like you are adding extra steps to the customer journey by verifying their address but it is worth it to give peace of mind to you and your consumers. Furthermore, using an AVS can be beneficial when disputing chargebacks.

Card security codes

As discussed above, the security numbers associated with an individual’s card offer another valuable barrier against fraud. Each card company uses a different term for these security digits, and they appear at different points on the card. Visa and Mastercard feature their codes (CVV/CVC) on the back of the card on the signature strip, whereas American Express (CID) has four digits above the long number on the front of the card. If you process card payments, it is advisable to always ask for the security code to check that the card is present with the cardholder. Verified by Visa and Mastercard SecureCode are services which add further layers of security to the online purchase process.

Work with a trusted payment partner

The best way to protect your business against card not present fraud is to work with an experienced PSP who has a selection of sophisticated risk management tools. They should be able to advise you on the best way of handling your customers’ payment data and alleviate the burden of PCI compliance. Additional protective measures like AVS and security codes should also be implemented with the aid of your payment partner.

At emerchantpay, we do all of this and more; we are dedicated to the monitoring and prevention of fraud. We go above and beyond with our data analytics to spot suspicious patterns of activity and stop fraud in its tracks. Working to improve merchant acceptance rates across all payment methods is a priority for us and we are constantly striving to get the best results for our customers.

Contact a member of our team today to find out how emerchantpay can help you securely accept card not present transactions and drive more revenue for your business.
