Definitive Guide to Card Not Present (CNP) Transactions

Table of Contents

1. What is a card-not-present (CNP) transaction?
2. What is card-not-present fraud?
3. Who commits card-not-present fraud?
4. Who’s liable for the cost of card-not-present fraud?
5. What are the most common methods for CNP fraud?
6. What should you do if you suspect CNP fraud?
7. How to prevent card-not-present fraud
8. Manage chargebacks from CNP fraud
9. What are card-present transactions?
10. How much do card-not-present-transactions cost?
11. Is CVV required for card-not-present transactions?
12. Is Apple Pay considered card-not-present?

While the internet has certainly done wonders for small businesses, allowing them to reach customers all over the world, it also exposes business owners and merchants to additional risks. One such risk is fraudulent credit card transactions.

Doing business in a card-not-present environment massively increases the risk of receiving fraudulent payments. While physical credit cards can only be stolen one at a time, and at great personal risk, credit card numbers can be stolen by the thousands through the use of malware.

The EMV chips now included in credit cards make it difficult to use a stolen credit card number in a card-present environment, but eCommerce merchants are a far easier target. The proliferation of EMV chips and the rise in eCommerce overall has led to an accompanying rise in card-not-present fraud.

Any business that accepts credit card transactions over the internet should understand what CNP fraud is, how to spot it, and what to do when you encounter it.

The most common form of CNP transaction is an online purchase. Almost all customers make purchases online from time to time, and these days even physical retailers may process transactions online, allowing their customers to pick up their purchases in one quick stop. Transactions where the customer gives their credit card information over the phone also qualify, but these are becoming rarer with the rise of eCommerce.

If a fraudster has access to a credit card number, its expiration date, and its security code, they could potentially make CNP transactions through online stores.

In most cases, the victim still has their actual credit card and is totally unaware of the fraud until they notice the unauthorized transaction in their account.

While CVV matching, AVS, and PCI compliance limit the ease and usefulness of hacking a merchant's customer database, fraudsters and hackers can still gain access to hundreds or even thousands of credit cards with little effort through eSkimmers, malware, and phishing. Unlike a compromised database, these methods provide fraudsters with all the card information they need, including CVV numbers and billing addresses.

CNP fraud accounted for up to 54% of all fraud losses worldwide as of 2018, making its prevention a key issue for banks, card networks, and merchants alike.

Who commits card-not-present fraud?

While independent criminals do occasionally steal card numbers, it’s typically the work of a larger criminal enterprise. These enterprises may then use the stolen card information themselves or sell it on the dark web. From a merchant's perspective, therefore, a fraudulent transaction could be coming from an international criminal organization or just a teenager with a special browser and a few dollars in bitcoin.

In some cases, these enterprises gain access to corporations through employment. After infiltrating the company, they can then access customer information and relay it to third-party sources that commit the fraud.

Who’s liable for the cost of card-not-present fraud?

In the United States, federal law clearly limits a cardholder’s credit card fraud liability to $50, although most issuing banks these days go beyond that with a zero-liability policy. The issuer or the merchant then bears the risk for the remaining amount. Which is responsible depends on the type of transaction.

In card-present transactions, the liability is with the issuing bank and not the merchant, unless the merchant doesn't have payment terminals compatible with EMV chips. In card-not-present transactions, the liability is with the merchant. In other words, the merchant is required to reimburse the cardholder for the full amount. Especially for merchants that rely on selling expensive products with small margins, too much CNP fraud can ultimately result in the company's demise.

It's important for merchants to understand how criminals get their hands on the stolen information they use in CNP fraud in order to protect themselves and their customers, so here's how each of these methods works:

Phishing takes place when criminals attempt to acquire sensitive information by posing as trustworthy companies or organizations. This often involves emails with links to websites designed to look like the website of a specific bank or business.In other cases, cardholders are contacted by phone and asked to verify their account or payment information.

eSkimming occurs when hackers target an eCommerce website with malware that records the payment details entered by each customer and relays that information to the culprit.

As a merchant, you always have to be on the lookout for signs of CNP fraud. It can be difficult to spot, but you can’t afford to turn a blind eye. In most cases, the responsibility will fall on you.

What should you do if you suspect CNP fraud?

As the United States begins to adopt new chip-based cards, experts say card-not-present fraud is due to continue increasing. “There’s going to be nowhere else for fraudsters to go but online," says Sean Curran, an industry expert. “That’s where they’ll go. Online retailers have to be ready.”

It’s important for every merchant to recognize the warning signs of CNP fraud and to have an established plan in place for how they’ll handle fraudulent charges.

If you wait until you suspect fraud, it may be too late to avoid losing money and wasting time.

As a merchant, you should keep careful and meticulous records of all transactions. You need the cardholder's name exactly as it appears on the card, the expiration date of the card, the billing and shipping addresses, and confirmation of a CVV and AVS match.

You should also record the cardholder’s contact information, the date of the order, and details regarding any conversations you’ve had with the buyer. It’s a good idea to keep copies of order forms and proof of delivery, too. The more information you have, the better protected you’ll be in the long run.

How to prevent card-not-present fraud

Preventing card-not-present fraud is a proactive operation. You must take every precaution for security and verification for any CNP transactions. 

The most basic step is to be compliant with all relevant processing and security guidelines.

The next step is to make sure that you are verifying cardholders in CNP situations. Address verification services can weed out potential CNP fraud because fraudsters with stolen card information may not have the current billing address.

Likewise, working with alert providers and chargeback management can help you proactively determine your weak spots to get ahead of online CNP fraud.

Manage chargebacks from CNP fraud

The unfortunate reality of the current financial landscape is that credit card companies look out for their customers first and foremost. As such, customers rarely have to take the blame or accept responsibility for CNP fraud. That means it comes down to you or the credit card company – and they’ll try their hardest to place the blame on your shoulders.

At Chargeback Gurus, we fight for your business and help you recover lost revenue. You simply send us the information and we’ll serve as your liaison to the credit card companies. After helping you recover your lost revenue, we’ll also work closely with your team to identify weaknesses and optimize your review process to reduce the risk of CNP fraud and minimize chargebacks. 

FAQ

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com