Guide to card-not-present (CNP) transactions and fees

What is a CNP transaction?

CNP payments are remote transactions that enable customers to pay for goods and services online, over the phone, or by mail order. The purchase is completed without the customer physically inserting, tapping, or swiping their card on a payment terminal. This can also include a merchant entering card details into a payment gateway manually (e.g. using an online virtual terminal or card machine).

The payment gateway transfers the payment details to the merchant’s acquiring bank, the acquirer sends the details to the credit card association such as Visa or Mastercard for verification, and then the card issuer authenticates the card data. If the payment passes these verification checks, it is approved and the merchant receives the payment.

There are several different ways merchants can receive CNP payments from customers:

• Online shopping
• “Buy” buttons on websites
• Payment link by email
• Recurring payments or subscriptions
• Electronic invoicing
• Phone orders where details are manually entered
• Payment apps on smartphones or tablets without a card reader
• Card-on-file payments

Note: Even if the customer has the card with them at the point of sale, if the electronic data on the card’s magnetic strip or in the chip is not provided to process the payment, it is still considered a CNP transaction and will incur higher fees.

By contrast, card present transactions include:

• Contactless/near-field communication (NFC)
• Chip and PIN
• Swipe and signature
• Chip and signature
• Contactless mobile wallet payments

During the checkout process for CNP transactions, merchants need to collect the customer’s card details for verification:

• Cardholder name (as it appears on the card)
• Card number
• Card expiration date
• Card security code (CSC)/card verification value (CVV)
• Billing address
• Shipping address
• Phone number and/or email address

Payment processing providers can integrate CNP payments with POS systems for a seamless checkout process and automatic reconciliation of transactions.

It is important to store the details of the transaction, including the time and date and messages sent to the customer, in case there are problems down the line such as chargeback or refund requests. It is also useful to store copies of order forms and proof that the item has been delivered to the customer’s shipping address.

Merchant vs customer CNP payments

There is a difference between CNP transactions where the merchant enters the payment card information into the system and remote payments completed by the customer.

CNP transactions by the merchant include:

• Mail and phone payments entered into a virtual terminal
• Card-on-file payments where the merchant manages card details
• Card pre-authorisation to check or reserve cardholder funds

In these transactions, the merchant is responsible for handling the customer’s card details. This often requires compliance with the Payment Card Industry Data Security Standard (PCI DSS).

If customers make a remote payment themselves, the merchant is subject to fewer PCI DSS requirements. CNP transactions by the customer include:

• Payment links
• Online payments
• Email invoices

Why do CNP transactions incur higher fees?

As with CP transactions, businesses have to pay to receive CNP payments. But CNP transactions carry higher costs to cover processing, chargeback liability, and the increased risk of fraudulent activity.

CNP fraud

CNP fraud in the UK amounted to £412.5 million in 2021, accounting for a growing proportion of card fraud losses at 79% up from 63% in 2012, according to the trade association UK Finance.

Approximately 86% of all reported card fraud cases used stolen payment card details to make purchases on the internet, over the phone, or by mail order, as criminals took advantage of the rise in online shopping during the Covid-19 pandemic and data theft from security breaches.

Banks and card companies intercepted a total of £966.6 million of card fraud in 2021.

Processing costs

There are three main types of card processing fees: interchange fees, assessment fees charged by networks like Visa and Mastercard, and the payment provider’s mark-up.

Interchange fees are typically higher for CNP transactions because the lack of a physical card for the merchant to verify increases the chances of fraud or chargebacks. These higher processing costs are passed on to the merchant as they collect the card data from the customer.

CNP processing costs vary depending on the pricing model the merchant has agreed with the payment processor.

With interchange plus pricing, merchants are charged the actual interchange cost for a transaction as well as a separate mark-up fee. The payment processor’s mark-up fee is the same as a card present transaction but the transaction is placed in a higher interchange rate category, increasing the total cost.

On other pricing models, such as tiered pricing, the payment processor can choose to add charges to transactions. These can include higher interchange fees for CNP transactions.

If your payment processor charges CNP interchange fees because you enter card details manually even though a customer has their card physically present, you could reduce those costs by using a card reader.

There are different options for card devices, such as countertop card machines, full POS systems, portable card readers that connect to tablets or smartphones through wires or Bluetooth, or a USB card reader that can connect to a computer for use with a virtual card terminal.

Chargeback liability

In addition to fraud considerations, payment processors consider CP transactions to be less risky as the chances of chargeback liability can be higher with CNP transactions.

In October 2015, the card associations declared a shift in liability for card payment fraud — the Europay, Mastercard, and Visa (EMV) liability shift. The term EMV has extended beyond the card companies to refer to any card that contains an electronic chip.

Under the liability shift, if a business that has an EMV card reader takes a chip card payment using the magnetic strip instead of the chip, it is held responsible for any fraud that results from the transaction. This is because EMV technology generates new data to secure each transaction, while magnetic strips contain coded data that does not change making it easier to steal and use.

How can you avoid taking fraudulent payments that may cost your business money in stolen goods and lost customer trust?

Fraud prevention tools

Criminals conduct CNP fraud by stealing payment card details, whether through obtaining physical cards, phishing, card skimming, or other methods. There are several ways to reduce the chances of accepting a fraudulent CNP or chargeback transaction:

• Use a secure payment gateway. Secure gateways verify payment information, flag risky transactions, and transmit data safely to prevent interception.
• Ensure PCI compliance. PCI DSS sets out requirements for the safe handling of card data, including network security and monitoring, protecting cardholder information, and maintaining an up-to-date security policy.
• Use an address verification service (AVS). AVS checks the billing address entered at checkout against the account information the credit card issuer holds to identify unauthorised users.
• Verify card security codes. Stolen card data often does not include the CSC or CVV codes on the back of cards, so requiring the customer to provide the code for their card to check against the card issuer’s data ensures they are the authorised cardholder.
• Avoid storing card data. Do not store card numbers or security codes to prevent the data from being stolen by hackers.
• Set up a customer billing statement. Adding identifying information to the description that appears on customers’ card statements reduces the likelihood of customers requesting chargebacks for legitimate purchases they don’t recognise, as well as making it easier to identify fraudulent transactions.
• Use smart reporting. Smart reports and notifications identify red flags and suspicious activity such as recurrent returns and chargebacks.
• Create a culture of security. Providing frequent security training to employees helps reduce data breaches and other forms of fraud.