Card-Not-Present (CNP) Transactions are any purchases made remotely using a debit/credit card where the cardholder is not physically present to use their card for payment.
CNP transactions have been made increasingly more secure with eCommerce, identity verification, and common security practices like two-factor authentication, as a retail merchant, you can accept them from anywhere around the world at any time. However, there are still some things you need to look out for to make sure you’re processing CNP transactions safely and securely. Let’s get started
- What is a card-not-present transaction?
- What is a card-present transaction?
- What is card-not-present fraud?
- Different types of card-not-present fraud explained
Improve your payment processing security. With Lightspeed Payments.
Lightspeed Payments comes with PCI DSS validated Level 1 Service compliance, end-to-end encryption for all transactions, in-store and online, and 24/7 server security monitoring. No hidden fees. Competitive rates. Accept payments from all major credit and debit cards, Apple Pay, and Google Pay. Learn how Lightspeed Payments can revolutionise your payments processing today.
What is a card-not-present transaction?
We’ve already covered this bit. But, we’ll go into a bit more detail. Card-Not-Present (CNP) transactions are purchases made remotely, using a debit or credit card, where the cardholder is not physically present to make the purchase.
In other words, whenever you make a purchase, where you are not using a card reader or payment terminal, and you don’t manually enter your PIN number, or make a contactless payment, you are making a CNP transaction. Here are some card-not-present transaction examples:
Online shopping: Whenever a customer buys something online and enters their card details and billing address.
Phone orders: Whenever a customer makes a purchase over the phone by giving their card details and billing address to the person they’re speaking to. The person they’re speaking to will then process the transaction.
Recurring payments: These are payments that are made automatically using a customer’s debit or credit card. You’ll often see this as a result of a subscription service. Customers make an initial payment and then agree for the business in question to use their saved billing information for subsequent payments.
What is a card-present transaction?
A Card Present (CP) transaction is any transaction where the customer physically interacts with a payment terminal using their card. Card-present transaction examples include:
- Swiping a card with a magnetic strip
- Inserting a card with an EMV chip
- Mobile payments (e.g. Apple Pay, Google Pay, or Samsung Pay)
- Contactless payments
Note: Any transaction where the card numbers are manually keyed into a credit card machine does not count as a card-present transaction—even when the card is physically present. In order to qualify as a card-present transaction, the merchant must ‘capture’ the card’s stored electronic data.
Card-present transactions are considered more secure thanks to electronic security data transmitted when the card is used. And, EMV cards, sometimes called ‘chip and pin’ cards, help keep CP transactions safe and encrypted.
What is card-not-present fraud?
Card-not-present fraud is a type of debit/credit card scam where the customer doesn’t physically present a card to the merchant during a fraudulent transaction. This fraud typically occurs with transactions online, or over the phone.
Fraudsters can make fraudulent transactions when they either physically steal a credit card, or copy a card’s information. They can then use that stolen information to purchase goods or services without the cardholder’s consent. Increasingly, fraudsters make illegitimate purchases online where they can easily fake an identity.
Scammers steal your information like your name, card number, address, security code, and more. All of your data can be stolen electronically through phishing schemes. Since a merchant can’t physically inspect a stolen card for signs of fraud (like altered account numbers or a missing hologram), card-not-present fraud is considered harder to prevent than card-present fraud.
A merchant’s bank can revoke the funds received from the fraudulent transaction and return them to the cardholder’s account, if a cardholder discovers their card or personal information was stolen and that unauthorised purchases were made.
Fraud liability lies with the merchant for any card-not-present transaction. Unless, the chargeback case proves otherwise.
As there is an increased risk in accepting these types of payments, a processing bank will not accept liability.
This is generally not the case with CP transactions. As of October 2015, if a merchant uses EMV protection, they aren’t held liable for CP fraud. If, however, a merchant takes CP transactions without EMV protection for chip cards, the liability for fraud falls on them.
If you must manually process a card by keying in the number, you can take steps to mitigate the risk of fraud and to prevent chargebacks. Have your customer fill out a credit card authorisation form in cases where you do not have an existing relationship with the customer. Doing so will help ensure you have a strong case in the event of any disputes, and will often prevent a dispute from happening in the first place.
Click here to download our free credit card authorisation form.
Different types of card-not-present fraud explained
There are many different types of card-not-present fraud. We’ve covered the main types so you know what to look out for when processing transactions:
True fraud: True fraud occurs when a credit card is used without the cardholder’s knowledge or consent. Card not-present transactions are an easy target for fraudulent payments largely because the security checks are less than those of face-to-face payments such as using a chip and pin machine.
Friendly fraud: Friendly fraud occurs when a legitimate customer requests an illegitimate chargeback. Friendly fraud, also known as chargeback fraud, is where the customer raises a chargeback directly with their bank, receiving a refund. A common reason for this is that the goods/services weren’t delivered. It’s then up to the merchant to prove otherwise, subsequently obtaining reimbursement.
If you can document that the real cardholder authorised the transaction, you can win these chargeback cases. So make sure you’re keeping accurate transaction records.
When you receive a chargeback, the issuing bank will assign to it a reason code. That reason code has specific compelling evidence requirements to overturn the bank’s decision and close the case in the merchant’s favour.
In any case of chargeback fraud, the merchant needs to prove that the customer who made the purchase is the true owner of the card and benefitted from the sale. In cases where the customer claims they are dissatisfied with the merchant’s product or service, the merchant needs to prove the goods or services were delivered exactly as advertised and the customer agreed to your refund policy prior to the transaction.
Triangulation fraud: Triangulation fraud is when criminals set up a fake website to get customers to buy cheap goods. This is just a ploy. The goods never arrive and the fraudsters steal customers’ credit card details to use for their own ends.
Clean fraud: Clean fraud is when transactions look legitimate, but are being made using stolen credit card information to impersonate the cardholder. This may happen shortly after the triangulation fraud has happened.
Application and identity fraud: Application, and identity fraud, is where fraudsters steal someone’s private, and financial, details to pretend to be someone else to buy goods.
Seven examples of compelling evidence for fighting CNP chargebacks:
- Customer identifying information (name, address, email, and phone number)
- Refund and cancellation policy (publicly shown on your site, invoices, or receipts)
- Shipping policies
- Delivery confirmation (tracking number and confirmation of delivery)
- A signed contract or invoice (typically used for custom orders)
- Photos of items shipped or services rendered
- Email communications (save these in case you need to refer back to build a timeline or confirm details)
Reminder: Even customers who present their card to you in person may be subject to chargebacks. How? Say the card’s chip reader doesn’t work and you’re forced to key the number in instead. This automatically qualifies the transaction as Card-Not-Present even if both the customer and card are physically present. Keyed-in transactions have a higher chance of chargebacks than average.
Improve your payment processing security. With Lightspeed Payments.
This is your content
News you care about. Tips you can use.
Everything your business needs to grow, delivered straight to your inbox.