Crudely speaking, there are two ways to process card payments: electronically through chip, swipe or contactless, and through keyed entry. The latter is also called card (or cardholder) not present payments, even when the card is physically in front of you.
The keyed options for businesses are mainly virtual terminals, online shops/e-commerce, electronic invoicing, payment apps and manual entry on a card machine. Mobile wallets such as Apple Pay, Android Pay and Samsung Pay are considered card-present transactions through contactless card machines, but customer-not-present if used without contactless processing.
The problem for merchants is that card-not-present (CNP) payments involve a higher risk of fraud. Businesses have to arm themselves with fraud detection and prevention tools for validating and authenticating the card so as not to miss out on those sales.
Despite this challenge, it’s worth the effort: businesses are able to sell to customers who wouldn’t have come to their location to shop or pay, and cardholders benefit from the convenience of shopping online or paying just the way they want to with minimum effort.
E-commerce on mobile devices in particular has become popular, with no sign of slowing down. Consumers are now so used to paying remotely that more businesses than ever need a CNP system in place.
Card-not-present payments:
- Over-the-phone and mail order payments through virtual terminals
- Card on file payments
- Online shopping and “buy” buttons on websites
- Manual card entry in a payment app
- Recurring or subscription billing
- Electronic invoicing
- Mobile wallet payment through internet or within app
Card-present payments:
- Chip and PIN payments
- Chip and signature payments
- Contactless/NFC payments
- Swipe and signature payments
- Mobile wallet payment through contactless
Card-not-present fraud in the UK
According to recent statistics published by UK Finance, losses from fraudulent CNP transactions totalled £205.5 million in the first half of 2017, 19.7% up from just two years earlier. £154.5 million of this was from e-commerce, mail and telephone orders.
In the UK, card-not-present transactions represent 72% of the total credit and debit card fraud, and the number has been increasing over the past decade. Ironically, these increases are observed in almost all countries that have introduced the highly secure chip and PIN technology (EMV). Why? Presumably because chip and PIN makes it harder to defraud card-present transactions, so CNP transactions become an easier target.
Electronic card reading through a card machine is a way to prove that the card is present for a legitimate transaction permitted by the cardholder. But when the customer is not present with the card, or card details are manually entered, it opens up possibilities for fraud.
For one thing, how do payment providers know whether the customer gave you the card details themselves? Those details could have been stolen or obtained without the cardholder’s permission.
How do banks know whether an online purchase is done by the card owner? There are ways to verify it.
Because of this risk, only a few mobile payment providers in the UK accept CNP transactions on top of their card-present solution. Currently, these include: PayPal, Square and SumUp. In all these cases, they are considered keyed transactions, which have higher fees than for electronic processing through a card reader. iZettle accepts keyed transactions, but only if the card and cardholder are present.
If you only need to take cards remotely and not face-to-face, Worldpay also offers a decent virtual terminal and invoicing features.
Tools for preventing fraud
Businesses can expect a costly chargeback from their payment provider if a fraudulent transaction is discovered by the card owner. Fortunately, there are ways to limit exposure to fraud. You can start by implementing fraud screening tools that will help you identify high-risk transactions or suspicious activity.
Card issuers like Visa and Mastercard provide the following services for authenticating the card in the CNP environment.
Verified by Visa, Mastercard SecureCode and SafeKey
Because of the risks of collecting, handling and storing sensitive card information, many online merchants choose to use an external payment gateway to handle card payments on their behalf.
One of these is Verified by Visa, a service that helps card issuer banks to authenticate the identity of registered cardholders when making a purchase over the internet.
What this means is that the merchant’s site or payment gateway has software that recognises the card. If the card is registered with the Verified by Visa service, the software will prompt the owner to enter a password known by the owner, as it was created when the card was registered.
Mastercard has developed a similar system called Mastercard SecureCode, while American Express has their own solution known as SafeKey.
When an online merchant identifies the cardholder using one of these authentication methods, liability for fraud generally shifts from the merchant to the card issuer. This means that the merchant is no longer subject to chargebacks if the cardholder later claims someone else has been using the card.
Address Verification Service
Bank card payment processors also conduct a check called Address Verification Service (AVS). This is one of the most common ways to reduce credit card fraud online in the United States, while in Europe, AVS is currently limited to the UK.
The service is usually carried out by the card issuer through telephone authorisation during the CNP transaction and helps you determine if the transaction is valid by checking elements of the cardholder’s billing address and validating it.
Card security code
A card security code refers to a three- or four-digit security code printed on credit and debit cards. The code helps validate that the cardholder is making a transaction with a genuine card linked to a bank account. This number is not a part of the magnetic stripe and is in most cases on the back of the card.
Card issuers have different names for this code, including:
- Visa: Card Verification Value 2 (CVV2) – last three digits on the signature strip on the back of the card
- Mastercard: Card Validation Code (CVC2) – last three digits on the signature strip on the back of the card
- Discover: Card Identification Number (CID) – last three digits on the signature strip on the back of the card
- American Express: Unique Card Code or Card Identification Number (CID) – four digits on the front side of the card
Online stores can require shoppers to complete security questions before the transaction is accepted.
What you can do to prevent chargebacks
In order to protect themselves from losses, payment providers commonly request a chargeback fee from merchants for fraudulent transactions. If you follow certain procedures, you can prevent some of these chargebacks.
For example, businesses are encouraged to obtain important information from the card owner during some or all cardholder-not-present transactions. This can include:
- cardholder’s name as it appears on the card
- card expiration date (month, year) as it appears on the card
- billing address
- card security code
- phone number and/or email address
- account number
If you have an online store, you could make it compulsory for customers to enter such information at checkout. You should also have a way to store the date and time the order was placed, order details, or any information about your correspondence with the customer.
Finally, it does help if merchants keep copies of order forms and obtain proof of delivery to the shipping address provided by the buyer.
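One way to enforce the checkout fields listed above and keep an order record for disputes, as an added example that is not part of the original article. The field names and sample values are constructed; the stored record omits the security code, because PCI DSS prohibits retaining it after authorisation, and keeps only the last four digits of the account number.

```python
from datetime import datetime, timezone

REQUIRED = ("cardholder_name", "account_number", "expiry_month", "expiry_year",
            "billing_address", "security_code", "contact")

def validate_checkout(form, now=None):
    """Return a list of problems with a keyed (card-not-present) checkout form."""
    now = now or datetime.now(timezone.utc)
    problems = [f"missing {k}" for k in REQUIRED if not str(form.get(k, "")).strip()]
    if problems:
        return problems
    pan = str(form["account_number"]).replace(" ", "")
    if not pan.isdigit():
        problems.append("account number must contain digits only")
    # American Express numbers start with 34 or 37 and carry a four-digit code;
    # the other schemes in the list above use three digits.
    want = 4 if pan[:2] in ("34", "37") else 3
    code = str(form["security_code"])
    if not (code.isdigit() and len(code) == want):
        problems.append(f"security code must be {want} digits")
    m, y = str(form["expiry_month"]), str(form["expiry_year"])  # year as YYYY
    if not (m.isdigit() and y.isdigit() and 1 <= int(m) <= 12
            and (int(y), int(m)) >= (now.year, now.month)):
        problems.append("card expired or expiry invalid")
    return problems

def evidence_record(form, order, now=None):
    """Build the record kept for chargeback disputes after authorisation."""
    now = now or datetime.now(timezone.utc)
    pan = str(form["account_number"]).replace(" ", "")
    return {
        "placed_at": now.isoformat(),      # date and time the order was placed
        "cardholder_name": form["cardholder_name"],
        "card_last4": pan[-4:],            # never the full account number
        "expiry": f'{int(form["expiry_month"]):02d}/{form["expiry_year"]}',
        "billing_address": form["billing_address"],
        "contact": form["contact"],
        "order": order,
        # No security_code key: it is used for authorisation only and
        # PCI DSS prohibits storing it afterwards.
    }

# Constructed sample input (a widely published Visa test number, not a real card).
SAMPLE_FORM = {"cardholder_name": "A N Other", "account_number": "4111 1111 1111 1111",
               "expiry_month": "12", "expiry_year": "2030", "security_code": "123",
               "billing_address": "1 Example Street, London", "contact": "buyer@example.com"}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output
```

Call `validate_checkout` before sending the payment for authorisation and write `evidence_record` to storage only once it succeeds, alongside any proof of delivery.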
Because of the risks of collecting, handling and storing sensitive card information, many online merchants choose to use an external payment gateway to handle card payments on their behalf, such as the aforementioned Verified by Visa, Mastercard SecureCode and SafeKey tools.