What is a Card Not-Present (CNP) Transaction?
As a retailer, watching out for fishy customers and potentially fraudulent transactions is part of the job. But these days, it can feel like a full-time job.
Turning down a card not-present (CNP) transaction used to feel like a no-brainer. Pre-internet, CNP transactions were risky for merchants because they couldn’t verify the card holder’s identity as easily as they can online today. Now, thanks to eCommerce, CNP transactions are secure and processed by merchants around the world.
But what exactly is a CNP transaction? Even with built-in security features from payment providers, are CNP transactions risky?
Let’s clear the air about CNP transactions, fraud and what retail merchants can do to protect themselves.
In this article you’ll learn:
- What a CNP transaction is
- What CNP transaction fraud is
- The different types of CNP fraud
- How to handle CNP fraud
Lightspeed POS now comes with integrated payments
Introducing Lightspeed Payments: Simple pricing, no hidden fees, and a secure checkout experience.
What is a card-not-present transaction?
A Card-Not-Present (CNP) transaction is any transaction using a credit card where the cardholder is not or cannot physically present their card for payment.
Card-not-present transaction examples:
- Online sales
- Telephone orders/MOTO
- Transactions where the card number is keyed in (even if the cardholder is present)
CNP transactions are considered riskier Card Present (CP) transactions. Merchants have a harder time verifying a shopper’s identity and can’t count on the usual fraud detection methods for most transactions since a card’s EMV chip is what powers fraud detection. As a result, banks charge higher processing fees and they’re more expensive for merchants to process.
What is a card-present transaction?
A Card Present (CP) transaction is any transaction where the customer physically interacts with a payment terminal using their card.
Card-present transaction examples:
- Swiping a card with a magnetic strip
- Inserting a card with an EMV chip
- Mobile payments (Apple Pay, Google Pay, etc.)
Any transaction manually keyed into a credit card machine does not count as a card present transaction, even when the card is physically present. In order to qualify as a CP transaction, the merchant must capture electronic data stored on the card.
CP transactions are considered more secure thanks to electronic security data transmitted when the card is used. EMV cards, or chip cards, help keep CP transactions safe and encrypted.
Why should merchants accept card-not-present transactions?
Merchants can always choose not to accept CNP transactions, but that would mean they couldn’t open an online store.
Considering retail eCommerce sales in the U.S. were $146.2 billion the second quarter of 2019, not opening an online store can significantly reduce a retailer’s overall sales and revenue.
Risk-averse merchants can always set up a “reserve online and pay in-store” online order fulfillment process, but that adds friction to your customer’s shopping experience and increases the probability of abandoned carts.
Here’s an example to illustrate why this isn’t the best alternative:
If you decide to accept CNP transactions, be sure to acquaint yourself with your payment processor’s fraud protection and prevention options.
What is card-not-present fraud?
Card-not-present fraud is a type of credit card scam where the customer doesn’t physically present a card to the merchant during the fraudulent transaction. Card-not-present fraud typically occurs with transactions online or over the phone. Since the merchant can’t physically inspect the credit card for signs of fraud (like altered account numbers or a missing hologram), card-not-present fraud is considered harder to prevent than card-present fraud.
How does card-not-present transaction fraud occur?
CNP transaction fraud happens when someone either physically steals a credit card or copies a card’s information manually or using skimmers. Fraudsters then use that stolen information to purchase goods or services without the cardholder’s consent. Increasingly, fraudsters make illegitimate purchases online where they can easily fake their identity.
If a cardholder discovers their card or personal information was stolen and that unauthorized purchases were made, the merchant’s bank revokes the funds received from the fraudulent transaction and returns them to the cardholder’s account.
Example of card-not-present fraud:
Let’s revisit the Sophie example above, but this time your site accepts CNP transactions.
Who is liable for card-not-present transaction fraud?
Fraud liability lies with the merchant for any CNP transaction until the chargeback case proves otherwise.
This is generally not the case with CP transactions.
As of October 2015, if a merchant uses EMV protection, they aren’t held liable for CP fraud. If, however, a merchant takes CP transactions without EMV protection for chip cards, the liability for fraud falls on them.
The different types of card-not-present fraud
There are two types of card-not-present fraud:
- True fraud
- Friendly fraud
What is true fraud?
True fraud occurs when a credit card is used without the true cardholder’s knowledge or consent.
What is friendly fraud?
Friendly fraud occurs when a legitimate customer requests an illegitimate chargeback.
What is chargeback fraud?
Chargeback fraud occurs when the true cardholder makes a legitimate purchase and receives the goods or services they bought but still requests a chargeback from their bank.
If the merchant has the documentation to prove that the real cardholder authorized the transaction, they can win these chargeback cases, so make sure you’re keeping accurate transaction records.
When you receive a chargeback, the issuing bank will assign to it a reason code. That reason code has specific compelling evidence requirements to overturn the bank’s decision and close the case in the merchant’s favor.
In any case of chargeback fraud, the merchant needs to prove that the customer who made the purchase is the true owner of the card and benefitted from the sale. In cases where the customer claims they are dissatisfied with the merchant’s product or service, the merchant needs to prove the goods or services were delivered exactly as advertised and the customer agreed to your refund policy prior to the transaction.
Examples of compelling evidence for fighting CNP chargebacks:
- Customer identifying information (name, address, email, phone number)
- Refund/cancellation policies (publicly visible on your website or on the invoice/receipt)
- Shipping policies
- Delivery confirmation (tracking number and confirmation of delivery)
- A signed contract or invoice (typically used for custom orders)
- Photos of items shipped or services rendered
- Email communications (save these in case you need to refer back to build a timeline or confirm details)
How to handle card-not-present fraud with Lightspeed
Your first step in accepting CNP transactions is to choose a payment processor that puts compliance and security first. It doesn’t hurt to also keep up with the best practices from credit card providers and security companies.
With Lightspeed Payments, we take security seriously—and we help you deal with any chargebacks that occur.
Say you’re notified of a chargeback request. In this case, Address Verification Service (AVS) is one of the most secure tools you have to defend yourself. When a CNP transaction is performed, AVS checks the numeric information (such as a ZIP or postal code) and authenticates it with the providing bank. If there’s a full AVS match, the transaction will go through; if there isn’t a match, the transaction is declined to prevent fraud.
In some cases, AVS may return a partial match result. If that happens, the transaction may still be approved by your processor if other information matches. The information they look for matches for includes:
- Email address data
- IP address data
- The Card Verification Value/Code (CVV/CVC)
In order to dispute the chargeback, the merchant needs to prove that they or their payment processor made attempts to verify a transaction’s validity.
This is where AVS comes in. While a full AVS match doesn’t guarantee that merchants can stop the chargeback, it does greatly strengthen their case.
Ready to see how Lightspeed Payments can help you accept CNP transactions securely in-store and online? Contact our team of experts today.