Our guide explains what card-not-present transactions are, how much they cost, and how they affect your business.
Frank has been writing about payment processing and business services since 2015. He is a retired Air Force officer and a former practicing attorney. He has a Bachelor of Science degree in Psychology from The Pennsylvania State University and a Juris Doctorate degree from the Ventura College of Law, and currently resides in Paso Robles, California.
WRITTEN & RESEARCHED BY Frank Kehl Frank has been writing about payment processing and business services since 2015. He is a retired Air Force officer and a former practicing attorney. He has a Bachelor of Science degree in Psychology from The Pennsylvania State University and a Juris Doctorate degree from the Ventura College of Law, and currently resides in Paso Robles, California. Expert Contributor
Shannon has been writing for Merchant Maverick about small business software and financing since 2015. She started writing professionally about business topics in 2005. Shannon has been featured in the Washington Post, Reader's Digest, US News, MSN, Yahoo Finance, Business Insider, and other publications. She has a bachelor's degree in English from San Diego State University and currently resides in San Diego, California.
REVIEWED BY Shannon Vissers Shannon has been writing for Merchant Maverick about small business software and financing since 2015. She started writing professionally about business topics in 2005. Shannon has been featured in the Washington Post, Reader's Digest, US News, MSN, Yahoo Finance, Business Insider, and other publications. She has a bachelor's degree in English from San Diego State University and currently resides in San Diego, California. Lead Staff Writer
Our content reflects the editorial opinions of our experts. While our site makes money through referral partnerships, we only partner with companies that meet our standards for quality, as outlined in our independent rating and scoring system.
Card-not-present transactions have gone from a rarely used backup method of completing payments to a popular, commonly used payment method on par with traditional card-present transactions. Unfortunately, this increased popularity has also brought more credit card fraud, which is easier to accomplish if a merchant can’t physically inspect a customer’s card.
This article will explain card-not-present transactions and why they differ from card-present transactions. We’ll also review how much they typically cost to process and explain how the increased risk of fraud they present drives up that cost. Finally, we’ll offer some practical tips on protecting your business from card-not-present fraud, including some common security features that usually won’t cost you anything extra to implement.
Table of Contents
A card-not-present (CNP) transaction is any credit or debit card sale processed without capturing the electronic data of the physical card at the time of the sale. This includes transactions where the merchant manually enters the card information into a terminal, even if the card itself is actually physically present.
The distinction here is that the digital data stored on a magstripe or EMV/NFC chip on a customer’s card must be read by a terminal or card reader to qualify as a card-present transaction. If this requirement is not met, the transaction will be considered card-not-present.
Digital wallets such as Apple Pay or Google Pay can be particularly confusing. Using Apple Pay in-store is treated as a card-present sale, as the customer’s device can electronically send the same digital data as a physical card to the terminal in real time. However, using a digital wallet to make an in-app or online payment will result in a card-not-present transaction.
Card-not-present transactions cost more to process because there are more ways they can fail than card-present transactions. With a higher risk of chargebacks, friendly fraud, and malicious fraud, there is more vulnerability and a higher cost when things go wrong. Issuing banks and credit card processors guard against potential losses by charging higher fees to process these transactions.
Regardless of the type of processing rate plan your provider uses, you will invariably pay more for a card-not-present transaction. Flat-rate or tiered pricing plans charge a higher fixed fee for CNP transactions, including both a higher percentage rate and a higher fixed authorization fee. Interchange-plus or membership pricing plans likewise charge a higher markup on CNP transactions. Note that with these types of plans, the underlying interchange fees will be higher for card-not-present transactions.
It’s important to understand that not all card-not-present transactions pose the same risks. For instance, you are generally going to pay a higher cost for a keyed-in entry than for an online transaction because there are typically some built-in security measures (such as address and CVV verification) for online purchases. In contrast, there are no security measures for keyed transactions.
Some Statistics About Card-Not-Present Fraud
*Sources: Nilson Report, UPS Capital
Not only can a card data breach turn into an embarrassing public relations issue, but the business owner is also ultimately responsible for absorbing the cost of any fraudulent charges in a card-not-present sale.
Unfortunately, the industry is seeing an increased fraud rate with CNP transactions, costing businesses billions globally. The rollout of chip cards and the EMV liability shift in the US for card-present sales in particular has played a major role in the increase of card-not-present fraud, which financial experts predicted would happen based on EMV adoption in other parts of the world.
The cost of CNP credit card fraud includes chargebacks, which can often exceed the original transaction amount, along with the cost of lost merchandise and additional fees.
Taking a proactive approach to detecting credit card fraud is a smart move. In this post, we focus on understanding the risks and costs of card-not-present transactions, but card-present sales are certainly not exempt from fraud. If your business processes both types, check out our post on preventing credit card fraud for a great breakdown of information on how to protect your business from card-present security issues.
Your first defense against CNP fraud — or any fraud — will always be PCI compliance. PCI DSS is an acronym for Payment Card Industry Data Security Standard, which dictates the industry-standard procedures and security measures a business needs to make to protect customer data.
The good news is that unless you are dealing with homegrown software for your payment processing system, you are likely operating with PCI-compliant equipment and software. That’s because all payment processing software and equipment vendors undergo a strict certification process to ensure their products meet industry standards for security.
That said, you still need to take the time to read your contract to find out if there are any steps you need to take to ensure continued compliance. Payment service providers (PSPs), such as Square, are automatically PCI-compliant and do not require you to do anything specific to maintain compliance — at least not as far as the contract is concerned. (As a general rule, you should keep yourself informed on PCI compliance and what constitutes a suspicious transaction that could get your account flagged for fraud.)
The key takeaway is this: PCI compliance is never a one-time event. Assessment, remediation, and reporting are continual processes, with best practices changing each year.
Using the Address Verification System, merchants can check that the customer’s address in a CNP transaction is the same as the person who owns the credit card. Verifying the billing address or zip code against the cardholder’s Visa or Mastercard billing information can prevent misuse and protect your business from fraud.
A CVV check requires your customers to provide the credit card security code — the additional three numbers on the back of the card (four digits for American Express). Credit card verification (CVV) numbers are not meant to be stored because they can verify that the card was in the customer’s hands when they made a purchase. It also makes sense to require customers to re-enter the card code whenever there is an unrecognized device or a change to a shipping address.
This provides an extra layer of security for CNP payments. If you have heard of Mastercard SecureCode, Verified by Visa, or American Express Safekey, then you are familiar with 3D Secure. Mastercard SecureCode, for instance, requires a PIN code to be entered into an inline window securely hosted by the issuing bank. The code is never shared with you directly. This authentication step is designed to reduce your liability and improve security. Many processors that cater specifically to online businesses, such as Stripe, offer 3D Secure bundled with their services.
If you’re a budding eCommerce entrepreneur, it’s critical you understand that the higher risk of fraud for online payments is the primary factor in making credit-card-not-present processing rates higher than that for card-present transactions.
Even merchants who run brick-and-mortar shops have to deal with the cost of CNP payments occasionally. If you have a storefront shop, training your team to understand the difference between the two types of transactions and keeping up with the latest compliant software/EMV readers will help keep your costs down — and your payment security tighter.
The good thing is that if you process with one of the best small business credit card processors, they will actually do the bulk of this security work for you, going a long way to protect your business from CNP fraud and its costs.
Frank has been writing about payment processing and business services since 2015. He is a retired Air Force officer and a former practicing attorney. He has a Bachelor of Science degree in Psychology from The Pennsylvania State University and a Juris Doctorate degree from the Ventura College of Law, and currently resides in Paso Robles, California.