What is a card not present (CNP) transaction and why does it cost more?

As life gravitated online during the many COVID-19 pandemic lockdowns, we saw internet retail sales increased by 72.7% in 2020 with no less than 87% of UK consumers making purchases online (up from 62% in 2010). While forecasts on mobile commerce in retailing expect sales values to reach over £100 billion by 2024. Even with high-street shops opening up again in 2021, these trends continue to rise, bolstered by deterrents like long in-store queues and large portions of the population still having to self-isolate.

Plus, thanks to the pandemic, both online and over-the-phone bookings have become the norm for the safe reopening of the industry – with many businesses having to secure card details in advance to cover themselves from no-shows. So, servicing card not present transactions has never been this vital.

What does card not present (CNP) mean? 

Card not present (CNP) means that the cardholder is not physically presenting their credit or debit card at the time of the transaction. This commonly occurs for orders that happen remotely, such as over the internet, with ecommerce, or over the phone.

What is a card not present transaction? 

Think of it this way. A magnetic stripe hasn’t been swiped, an EMV chip hasn’t been inserted, and a mobile wallet hasn’t been tapped. In other words, during a card not present transaction no payment details were captured in person at the time of the sale.

A card present transaction, on the other hand, would most often occur face to face. This includes chip and PIN payments, chip (or swipe) and signature payments, contactless payments, and contactless mobile wallet payments. Basically, every time you find yourself using one of our card machines in your shop or restaurant, you’ll be performing a card present transaction (unless you’re manually typing the details – more on that below). 

Examples of CNP transactions  

Online purchases using ecommerce – When a customer purchases any goods over the internet, those will be card not present transactions.

Telephone purchases – When a customer provides the credit card information over the phone to your business.

Invoices that are paid online

Recurring payments – Any bills that are set up to be paid automatically, such as standing orders, would also be considered CNP. 

Manual entry transactions – When you enter your customer’s card details for them into a terminal or mobile device.

CNP transactions when the card holder is present

If you’re taking a card from a customer and then manually typing in the card information into a card machine, that would also be considered a card not present transaction. Even though the customer was present, their card wasn’t swiped, tapped or inserted. Meaning the card was not present as you, the merchant, entered the card details yourself. This sort of transaction will still incur CNP fees, so it’s best to keep them to a very minimum.

How to do a CNP transaction on your Dojo card machine 

Taking card not present payments manually in person is easy with a Dojo card machine. When a customer needs to use that option, simply enter the sale amount on the screen and tap ‘confirm.’ You’ll then have the option to add a tip if applicable, too. After this, tap the three dots in the left hand corner on the card payment screen and select ‘Card not present.’ After entering the card number and the card expiry date, you’ll be prompted to enter the first line of the customer’s address and their postcode into the terminal. Click ‘Pay’ to process the transaction. That’s it!

Entering the customer’s address details during the transaction is important as this prompts an address check (AVS) – a recommended method in limiting exposure to a card not present fraud. If the address check does fail (it doesn’t match the payment card’s associated billing address), you’ll have the option to proceed with the transaction anyway or to cancel it. However, proceeding after a failed AVS check will expose you to a higher chance of fraudulent activity. 

What is card not present fraud and how can you prevent it?

Card not present fraud refers to a fraudulent payment that happens specifically in situations where a card is not presented to a merchant for a visual check. It typically occurs after a payment card (or the card details) has been stolen. Any transaction that doesn’t have the customer with their payment card present is at a higher risk of being fraudulent. 

According to the UK Finance Fraud Facts report for 2020, overall remote purchase fraud was £470.2 million in 2019, with online fraud against UK retailers totalling an estimated £239.9 million in 2019. As a customer, one of the best precautions to take to avoid falling victim to card not present fraud online is by installing built-in security measures most browsers offer. When using a new retailer, make sure you research them before making your first payment. In fact, most major brands often have a list of authorised sellers you can trust on their official websites.

As a business, it’s incredibly important to limit your exposure to card not present fraud. Not only to avoid the monetary losses associated with it, but also as excessive payment fraud could have a strong impact on customer confidence in using your brand. 

To mitigate the risk of that, ensure that you’re gathering sufficient customer information at the time of payment, such as phone number, email address, billing and shipping address. Plus, all necessary credit or debit card information like the cardholder’s name as it appears on the card, expiration date, card number and security code. 

The best thing to do when taking a manual entry payment in person, on the other hand, is to run an Address Verification Service (AVS) check. The check compares the billing address used at the time of the transaction with the issuing bank’s address information on file for that cardholder. An AVS check is also a recommended method when handling mail and catalog orders.

Here’s what you can do to limit your exposure to card not present fraud as a small business:

3D secure authentication – many merchants offer this to handle authentication of the cardholder’s identity while making a purchase over the internet. Once the customer has entered their payment details, they’re redirected to their debit or credit card provider’s 3D secure website. This will prompt the card owner to enter a previously selected password before completing the transaction. Alternatively, it could also request a one-time code sent to their mobile phone. Such services include Verified by Visa, Mastercard SecureCode, and American Express SafeKey. 

Address Verification Service (AVS) – this service determines if the transaction is valid by verifying the address given by the customer when making the purchase and matching it to the card’s billing address.

Card security code – this is the three or four-digit code printed on debit and credit cards (commonly at the back of the card). This check helps validate that the cardholder is making a transaction with a genuine card linked to a bank account. For instance, for Visa this would be the three-digit Card Verification Value 2 (CVV2) found on the back of the card; for American Express – the four-digit Card Identification Number (CID) on the front side of the card.

Secure Sockets Layer (SSL) – this protocol uses a third party (a Certificate Authority) to identify one end or both ends of the transactions.

Do CNP transactions cost more? 

A card not present transaction does cost slightly more compared to a card present payment. This is due to the greater security risk, making a merchant account more vulnerable to fraud. Plus an increased risk of merchant chargebacks.

All these factors contribute to interchange fees being typically higher for card not present transactions. And these higher processing costs are passed down to the merchant.

What is a merchant chargeback and how to prevent it? 

One of the most common types of card not present fraud is a chargeback fraud. That is, the cardholder receiving the products or services they paid for, and then filing a dispute with their card issuer for a refund claiming that they did not receive the item(s). This too can negatively affect your business as it will essentially result in revenue losses.

The truth is, a merchant chargeback is intended to protect customers when they have legitimately been defrauded. For example, a customer might see a charge appear on their card that they don’t recognise. They will then dispute this with their bank assuming that it’s fraudulent activity. The bank will then take the necessary actions on their customer’s behalf.

To mitigate the risk of merchant chargebacks make sure you follow this simple checklist:

  • Your business name is clearly displayed on bank statements
  • Implement a transparent return, refund and cancellation policy (even better, include a copy of the return policy with any orders you send out to customers – this will also increase customer trust) 
  • Document any conversations with your customers (in case you need to use them as evidence)

No matter what industry you’re in, protecting customer data is paramount. When opting for a Dojo card machine, you’ll also benefit from point-to-point encryption. It protects both customer card data and your income, and the best part? It’s so secure that PCI compliance is easier than ever.