Watching out for fishy customers and potentially fraudulent transactions is part of every retailer’s job.
Nowadays, though, this can feel like a full-time effort. And much of this is down to card-not-present (CNP) transactions.
Turning them down used to be clear and simple. Pre-internet, CNP transactions were risky for merchants because they couldn’t verify a card holder’s identity as easily as they can online today.
Now, CNP transactions are more secure — thanks to eCommerce, identity verification and common security practices like two-factor authentication. As a merchant, you can accept them from anywhere around the world at any time.
But let’s take a few steps back here. What exactly is a CNP transaction?
And even with built-in security features from payment providers, are CNP transactions still risky?
Let’s take a closer look.
In this article you’ll learn:
- What a card-not-present transaction is
- What Card-not-present transaction fraud is
- The different types of card-not-present fraud
- How to handle card-not-present fraud
What is a card-not-present transaction?
First up, a simple definition. A CNP transaction is any transaction using a credit card where the cardholder is not there and cannot physically present their card for payment.
Card-not-present transaction examples:
- Online mobile and desktop sales
- Postal and telephone transactions (MOTO)
- Transactions where a card number is keyed in (even if the cardholder’s there)
“Card not-present transactions cover any type of card payment where a card payment takes place remotely,” explains Libby James, co-founder of UK-based Merchant Advice Services which helps business-owners understand card payments.
“Basically, that can be any payment without the need for the customer to enter their pin, or verify with face ID, while using a credit or debit card physically or on a mobile phone.”
As a merchant, you have a hard time verifying a shopper’s identity alone. And you can’t count on outdated fraud detection methods for most transactions since a card’s EMV chip is now what powers fraud detection.
This is partly why banks charge higher processing fees for CNP transactions and they’re more expensive for merchants to process.
What is a card-present transaction?
A Card Present (CP) transaction is any transaction where the customer physically interacts with a payment terminal using their card.
Card-present transaction examples:
- Swiping a card with a magnetic strip
- Inserting a card with an EMV chip
- Mobile payments (Think Apple Pay, Google Pay or Samsung Pay)
- Tap-and-go payments
Any transaction where the card numbers are manually keyed into a credit card machine does not count as a card-present transaction—even when the card is physically present. To qualify as a CP transaction, the merchant must ‘capture’ the card’s stored electronic data.
CP transactions are considered more secure thanks to electronic security data transmitted when the card is used. And EMV cards, sometimes called ‘chip and pin’ cards, help keep CP transactions safe and encrypted.
“Card-present transactions are supposed to be safer because a merchant should check the card for any sort of damage or match a signature on the back of the card to the signature on a receipt,” says Ian. “In practice, card-present fraud is also a major problem. If you accidentally drop your credit card in the mall and someone picks it up, no store clerk will ever actually verify the user’s ID.”
Why should merchants accept card-not-present transactions?
As a merchant, you could choose to avoid CNP transactions.
But that would mean you couldn’t open an online store.
By May of this year, Retail eCommerce made up 32% of total retail sales in the UK, almost double that of the year previous. That figure gives you a sense of why sticking to in-store selling can eat into retailers’ sales and revenue potential.
That said, if you’re very risk-averse, you could set up a “reserve online and pay in-store” order fulfilment process. But bear in mind, this will add friction to your customers’ shopping experience. It’s also bound to increase the probability of abandoned carts—a common pain for online sellers.
“For some merchants there is no way not to take CNP transactions,” says Libby. “Lots use telephone booking systems such as interactive voice response (IVR) and for others it isn’t logical for the customer to visit an office or store to complete transactions.”
In 2020, it’s becoming more and more difficult to run a business solely offline. “For these merchants there is no option,” says Libby “CNP transactions are not to be feared as long as you have good security measures in place.”
Here’s an example.
By refusing CNP transactions, the merchant above has added friction to Sophie’s shopping experience. So they lost the sale.
What is card-not-present fraud?
Card-not-present fraud is a type of credit card scam where the customer doesn’t physically present a card to the merchant during a fraudulent transaction. Card-not-present fraud typically occurs with transactions online or over the phone.
“CNP fraud happens in a number of ways,” says Ian Sells, CEO of Rebate Key, an ecommerce discount platform for merchants and shoppers. “Scammers steal your information like your name, card number, address, security code and more. The hackers that get this information are sneaky, and they don’t ever need to see your card to steal this information. All of your data can be stolen electronically through phishing schemes.”
Since a merchant can’t physically inspect a stolen card for signs of fraud (like altered account numbers or a missing hologram), card-not-present fraud is considered harder to prevent than card-present fraud.
“CNP transactions are commonly targeted with stolen or cloned credit and debit cards,” says Libby. “This is something for merchants to be aware of. Adding additional levels of security will ensure these fraudulent payments are kept to a minimum.”
How does card-not-present transaction fraud occur?
CNP transaction fraud happens when someone either physically steals a credit card or copies a card’s information manually or with skimmers. Fraudsters then use that stolen information to purchase goods or services without the cardholder’s consent. Increasingly, fraudsters make illegitimate purchases online where they can easily fake an identity.
A merchant’s bank can revoke the funds received from the fraudulent transaction and return them to the cardholder’s account, if a cardholder discovers their card or personal information was stolen and that unauthorized purchases were made.
Example of card-not-present fraud:
Let’s revisit the Sophie example above, but this time your site accepts CNP transactions.
Who is liable for card-not-present transaction fraud?
Fraud liability lies with the merchant for any CNP transaction until the chargeback case proves otherwise.
Because of the risk of accepting these types of payments, a processing bank will not accept liability—and this is clearly covered in terms and conditions, as Libby explains. “Some banks will hold a rolling reserve when businesses process high amounts of these transactions, this acts as a safety net in the event of chargeback or fraud,” she says.
This is generally not the case with CP transactions.
As of October 2015, if a merchant uses EMV protection, they aren’t held liable for CP fraud. If, however, a merchant takes CP transactions without EMV protection for chip cards, the liability for fraud falls on them.
Five types of card-not-present fraud
Let’s delve even deeper into the kinds of card-not-present fraud you need to know about:
- True fraud
- Friendly fraud
- Triangulation fraud
- Clean fraud
- Application and identity fraud
What is true fraud?
True fraud occurs when a credit card is used without the cardholder’s knowledge or consent.
“Card not-present transactions are an easy target for fraudulent payments largely because the security checks are less than those of face-to-face payments such as using a chip and pin machine,” says Libby, at Merchant Advice Services. “CNP accounted for 68% of fraudulent card payments in 2019. True fraud is using fake details to complete these types of card payments.”
What is friendly fraud?
Friendly fraud occurs when a legitimate customer requests an illegitimate chargeback.
“Friendly fraud” is also known as chargeback fraud,” explains Libby. “This is where the customer raises a chargeback directly with their bank, receiving a refund. A common reason for this is that the goods/services weren’t delivered. It’s then up to the merchant to prove otherwise, subsequently obtaining reimbursement.”
What is triangulation fraud?
This is when criminals set up a fake website to get customers to buy cheap goods. This is just a ploy. The goods never arrive and the fraudsters steal customers’ credit card details to use for their own ends.
What is ‘clean fraud’?
This may happen shortly after the triangulation fraud has happened. Clean fraud is when transactions look legitimate, but are being made using stolen credit card information to impersonate the cardholder.
What is application and identity fraud?
Just as fraudsters can steal anyone’s private and financial details, to pretend to be someone else to buy goods, so too can they use that information to apply for a card.
What is chargeback fraud?
Chargeback fraud occurs when the true cardholder makes a legitimate purchase and receives the goods or services they bought but still requests a chargeback from their bank.
If you can document that the real cardholder authorised the transaction, you can win these chargeback cases. So make sure you’re keeping accurate transaction records.
When you receive a chargeback, the issuing bank will assign to it a reason code. That reason code has specific compelling evidence requirements to overturn the bank’s decision and close the case in the merchant’s favour.
In any case of chargeback fraud, the merchant needs to prove that the customer who made the purchase is the true owner of the card and benefitted from the sale. In cases where the customer claims they are dissatisfied with the merchant’s product or service, the merchant needs to prove the goods or services were delivered exactly as advertised and the customer agreed to your refund policy prior to the transaction.
Seven examples of compelling evidence for fighting CNP chargebacks:
- Customer identifying information (name, address, email, phone number)
- Refund and cancellation policy (publicly shown on your site, invoices or receipts)
- Shipping policies
- Delivery confirmation (tracking number and confirmation of delivery)
- A signed contract or invoice (typically used for custom orders)
- Photos of items shipped or services rendered
- Email communications (save these in case you need to refer back to build a timeline or confirm details)
Accept CNP transactions securely in-store and online
Lightspeed Retail integrate with a range of payment providers can secure accept CNP transaction. For example, iZettle charges a flat rate of 2.5% of CNP transactions. Interested? Talk to an expert today.