Crudely speaking, there are two ways to process card payments: electronically through chip, swipe or contactless, and through keyed entry. The latter is also called card (or cardholder) not present payments, even when the card is physically in front of you.
The keyed options for businesses are mainly virtual terminals, online shops/ecommerce, electronic invoicing, payment links and manual entry on a card machine. Mobile wallets such as Apple Pay, Google Pay and Samsung Pay are considered card-present transactions when used via contactless card terminals, but card-not-present when used without contactless processing.
The problem for merchants is that card-not-present (CNP) payments involve a higher risk of fraud. Businesses have to arm themselves with fraud detection and prevention tools for validating and authenticating the card so as not to miss out on those sales.
Despite this challenge, it’s worth the effort. Businesses are able to sell to customers who wouldn’t have come to their location to shop or pay, and cardholders benefit from the convenience of shopping online or paying just the way they want with minimum effort.
Ecommerce on mobile devices in particular has become popular, with no sign of slowing down. Consumers are now so used to paying remotely that more businesses than ever need a CNP system in place.
Card-not-present fraud in the UK
According to recent statistics published by UK Finance, losses from fraudulent CNP transactions totalled £470.2 million in 2019, 7% down from the year before. £359.3 million of this was from ecommerce, mail and telephone orders (these numbers are for UK-issued debit and credit cards only).
In the UK, card-not-present transactions represent 68% of the total credit and debit card fraud. Although this proportion is slightly down from the year before, the number had been increasing over the past decade in almost all countries that introduced the chip and PIN technology. Why? Presumably because chip and PIN makes it harder to defraud card-present transactions, so CNP transactions become an easier target.
Electronic card reading through a card machine is a way to prove that the card is present for a legitimate transaction permitted by the cardholder. But when the customer is not present with the card, or card details are manually entered, it opens up possibilities for fraud.
For one thing, how do payment providers know whether the customer gave you the card details themselves? Those details could have been stolen or obtained without the cardholder’s consent.
Who offers CNP payments in the UK?
Several card reader companies accept card-not-present transactions on top of their card-present solutions. CNP transactions are often called “keyed” transactions and have higher fees than electronic processing through a card reader.
Choice of customer not present card payments:
- Zettle: Payment links, invoicing
- PayPal: Virtual terminal, ecommerce, invoicing, payment links
- Square: Virtual terminal, online store, payment links, keyed entry in app, invoicing, card on file
- SumUp: Virtual terminal, online store, payment links
- Worldpay: Virtual terminal, ecommerce, invoicing, keyed entry on terminal
- Barclaycard Business: Virtual terminal
- Paymentsense: Virtual terminal, email payments
Payments entered by the merchant vs. customer
We should be clear about a distinction: there’s a difference between keyed transactions completed by the merchant and remote payments completed by the customer.
A cardholder not present transaction by the merchant includes:
- MOTO (Mail Order and Telephone Order) payments in a virtual terminal
- Card on file payments where the merchant manages card details
Here, the merchant is responsible for handling the customer’s sensitive card details. This often requires PCI-DSS compliance involving annual paperwork and ongoing costs.
Some merchants would enter the customer’s card information to process a preauthorisation, for example when placing a hotel booking over the phone that is due to be paid in full at the end of the service. Preauthorisations are a way to reserve money or check that the cardholder has enough money for a future payment.
If customers pay remotely themselves, the merchant is relieved of the burden of PCI-DSS compliance. These are ways the customer can do their own card-not-present transactions:
- Payment links
- Online payments through a website or app
- Email invoices
How do banks know if an online purchase is done by the cardholder? There are ways to verify it.
Tools for preventing fraud
Businesses can expect a costly chargeback from their payment provider if a fraudulent transaction is discovered by the card owner. Fortunately, there are ways to limit exposure to fraud. You can start by implementing fraud screening tools to help you identify high-risk transactions or suspicious activity.
Card issuers like Visa and Mastercard provide the following services for authenticating the card in the CNP environment.
Verified by Visa, Mastercard SecureCode and SafeKey
Because of the risks of collecting, handling and storing sensitive card information, many online merchants choose to use an external payment gateway to handle card payments on their behalf.
One of these is Verified by Visa, a service helping card issuing banks to authenticate the identity of registered cardholders while making a purchase over the internet.
What this means is that the merchant’s site or payment gateway has software that recognises the card. If the card is registered with the Verified by Visa service, the software will prompt the owner to enter a password known by the owner, which was created when the card was registered.
Mastercard has a similar system called Mastercard SecureCode, and American Express has a solution known as SafeKey.
When an online merchant identifies the cardholder through one of these authentication methods, liability for fraud generally shifts from the merchant to the card issuer. This means that the merchant is no longer subject to chargebacks if the cardholder later claims someone else has been using the card.
Address Verification Service
Bank card payment processors also conduct a check called Address Verification Service (AVS). This is one of the most common ways to reduce credit card fraud online in the United States. In Europe, AVS is currently limited to the UK.
The service is usually carried out by the card issuer through telephone authorisation during the card not present transaction, helping you determine if the transaction is valid by checking parts of the cardholder’s billing address and validating it.
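The sketch below is an added example, not code from any payment provider. It assumes the "parts" of the billing address that get compared are the digits of the address line and the postcode; the field names, result labels and the `screen` policy are hypothetical.

```python
import re

def numerics(text):
    # Keep only the digits, in order: "Flat 2, 14 High Street" -> "214"
    return "".join(re.findall(r"\d", text or ""))

def compare(entered, on_file):
    # One field: "match", "no_match", or "not_checked" when the
    # address on file has no digits (for example a house name).
    want = numerics(on_file)
    if not want:
        return "not_checked"
    return "match" if numerics(entered) == want else "no_match"

def avs_check(entered, on_file):
    # entered / on_file: dicts with "address" and "postcode" (assumed shape)
    return {f: compare(entered.get(f, ""), on_file[f])
            for f in ("address", "postcode")}

def screen(avs):
    # Hypothetical merchant policy, not a card scheme rule.
    results = set(avs.values())
    if results == {"match"}:
        return "accept"
    if "no_match" in results and "match" not in results:
        return "decline"
    return "review"  # partial or unverifiable result: check manually

# Constructed sample data, not real cardholder details.
ON_FILE = {"address": "Flat 2, 14 High Street", "postcode": "SW1A 1AA"}
SAMPLES = [
    {"address": "Flat 2, 14 High Street", "postcode": "sw1a1aa"},
    # Same address typed in a different order: digits become "142",
    # so a genuine customer can still fail the address part.
    {"address": "14 High Street, Flat 2", "postcode": "SW1A 1AA"},
    {"address": "9 Other Road", "postcode": "M1 2AB"},
]

def run_samples():
    return [screen(avs_check(s, ON_FILE)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, decision in zip(SAMPLES, run_samples()):
        print(decision, avs_check(sample, ON_FILE))
```

Because only digits are compared, different postcodes can produce the same result, so an AVS match is best treated as one signal alongside the card security code and cardholder authentication.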
Card security code
A card security code refers to a three- or four-digit security code printed on credit and debit cards. The code helps validate that the cardholder is making a transaction with a genuine card linked to a bank account. This number is not a part of the magnetic stripe and is in most cases on the back of the card.
Card issuers have different names for this code, including:
Online stores can require shoppers to respond to security questions during the transaction.
What you can do to prevent chargebacks
In order to protect themselves from losses, payment providers ordinarily request a chargeback fee from merchants for potentially fraudulent transactions. If you follow certain procedures, you can prevent some of these chargebacks.
For example, businesses are encouraged to obtain important information from the card owner during some or all cardholder not present transactions. This could be:
If you have an online store, you could make it compulsory for customers to enter such information at checkout. You should also have a way to store the date and time of the order, transaction details and any information about your correspondence with the customer.
Finally, it helps if merchants keep copies of order forms and obtain proof of delivery to the shipping address provided by the buyer.
Because of the risks of collecting, handling and storing sensitive card information, many online merchants choose to use an external payment gateway to handle card payments on their behalf, such as the aforementioned Verified by Visa, Mastercard SecureCode and SafeKey tools.