Card not present transactions – the basics

By | 2018-03-22T07:46:13+00:00 October 22nd, 2015|Tags: |

Processing card-present transactions is pretty straightforward when the buyer, the cardholder, walks into the store in person and purchases goods (or services). Things, however, get complicated for transactions completed over the Internet, mail, fax or by phone.

Such a situation is called card (or cardholder) not present (CNP) and represents a problem for merchants because the possibility of fraud is high. The business has to arm itself with fraud detection and prevention tools for validating and authenticating the card, so as not to miss out on this opportunity of increasing sales.

Despite the challenge of fraud, handling cardholder-not-present transactions is beneficial to both parties: businesses are able to sell goods and services without leaving their location; and cardholders can benefit from a convenient method of shopping in the comfort of their own homes while browsing a catalogue or the Internet.

The risk of cardholder not present transactions

Since card-not-present transactions eliminate the situation where both the owner and the card are present, exposure to fraud increases. According to statistics published by the UK Card Association in 2014, fraudulent card-not-present transactions cost a total of £245.8 million annually, up 12% compared to the previous year.


In the UK, card not present transactions represents 64% of the total credit and debit card fraud, and the number has been increasing in the last decade. Ironically, increases in CPN fraud has been observed in almost all countries which have introduced the Chip & PIN technology EMV, which has limited the possibilities for fraud with cardholder present transactions.

Security solutions for CNP

Fortunately for businesses (which can expect a costly chargeback as soon as the fraudulent transaction is discovered by the card owner), there are methods to limit exposure to fraud. You can start by implementing fraud screening tools that will help you identify high-risk transactions or patterns of transactions.

Card issuers such as Visa and MasterCard provide services for authenticating the card in the card-not-present environment: Verified by Visa and MasterCard SecureCode, card security codes, and Address Verification Service.

Verified by Visa and MasterCard SecureCode

verified-by-visaVerified by Visa (VbV) helps card-issuer banks to authenticate the identity of cardholders registered when making a purchase over the Internet.

What this means is that the merchant’s site or payment gateway has software that recognises the card. If the card is registered with the Verified by Visa service, the software will prompt the owner to enter a password known by the owner, as it was created when the card was registered.

MasterCard has developed a similar system called MasterCard SecureCode, while American Express has their own solution known as SafeKey.

When an online merchant identifies the cardholder using one of these authentication methods, liability for fraud generally shifts, passing from the merchant to the card issuer. This means that the merchant is no longer subject to chargebacks in case the cardholder later claims someone else has been using the card.

Card security code

A card security code refers to a three-digit security code printed on the back of the many cards. It aims to help validate that the cardholder is making a transaction with a genuine card linked to a bank account. This number is not a part of the magnetic stripe.

Visa calls the code Card Verification Value 2 (CVV2), MasterCard calls it Card Validation Code (CVC2), Discover has named it Card Identification Number (CID). For American Express cards, this Unique Card Code or CID is four digits long and on the front side of the card.

Address Verification Service (AVS)

The third service to combat fraud provided by card issuers is the Address Verification Service (AVS), which is one of the most common method to attempt to reduce credit card fraud online in the United States. In Europe, AVS is currently limited to the United Kingdom. It helps business owners to determine whether the transaction is valid by checking elements of the cardholder’s billing address and validating it.

Do mPOS providers accept CNP transactions?

Considering the potential risk, there are a limited number of mobile POS systems that accept card-not-present transactions. Actually, it’s easier to say which mobile payment processor accept CNP transactions than those that do not: PaylevenPayPal Here, Square, WorldPay Zinc and Intuit GoPayment do accept such transactions and consider it keyed transactions, although the fees are often higher in such cases.

iZettle accepts manual, keyed transactions, but only with the card and cardholder present.

You may also like: How to take payments over the phone

Best practices to take CNP payments

When processing a cardholder-not-present transaction, businesses are encouraged to obtain important information from the card owner such as an account number, the cardholder name as it appears on the card (if applicable), the expiration date of the card (month, year) as it appears on the card, the billing address, the shipping address, or the CVV2 code (if applicable).

Besides the aforementioned info, for payments processed over Internet, merchants should have information regarding the transaction such as the card owner’s contact information (phone number or email address), the date and time the order was placed, details of the order, or details of the conversation they had with the buyer.

Finally, it does help if merchants keep copies of order forms and obtain proof of delivery to the shipping address provided by the buyer.

Because of the risks of collecting, handling and storing sensitive card information, many online merchants choose to use an external payment gateway to handle card payments on their behalf.