A card not present (CNP) transaction is one where the cardholder and the card are not present at the point-of-sale (compared to a card present transaction, where both the cardholder and card are present). A CNP transaction can be for:
- Mail order
- Telephone order (together these can be referred to as MOTO transactions)
- A sale made over the internet
There has been a phenomenal growth in CNP transactions in the UK as consumers have moved an increasing proportion of their shopping to this remote sales channel. In particular, according to APACS’ figures, there has been an increase of more than 850% in sales made over the internet from £3.5bn in 2000 to £30.2bn in 2006.
When accepting a CNP transaction (and assuming a merchant is not using MasterCard SecureCode or Verified by Visa to authenticate an internet transaction), a merchant is responsible for ensuring that it is not fraudulent and, where it is, they are liable for the loss incurred. A merchant will need to consider the risks that if a payment is disputed or charged back they may find it difficult to prove the real cardholder was involved in the transaction.
Please note: even though a merchant may have received an authorisation for a CNP transaction, it does not guarantee payment or confirm that the genuine cardholder provided the card details to them.
To assist merchants who are accepting CNP transactions there are number of tools available that can help in preventing fraud:
- For sales made over the internet there is MasterCard SecureCode and Verified by Visa.
- For general CNP sales, there is AVS / CSC.
- There is also a range of third-party fraud prevention solution providers that may be of interest depending on the type of business a merchant is operating.
There are specific card scheme rules on how a CNP transaction has to be processed and which card types can be used for a particular type of transaction or where certain measures are required to be taken. An acquiring bank can advise their merchant on the steps to be taken when accepting a CNP transaction, how to process mail order and telephone order transactions using a terminal, and also provide help and guidance on the fraud tools a merchant could use to help reduce any potential fraud and chargebacks.
A merchant may also need a separate agreement with their acquiring bank to accept CNP transactions where they already have an agreement in place for card present transactions.
See below for more details on the three CNP transaction types which can be accepted via these remote sales channel. An acquiring bank can provide details on how each of these transaction types should be processed and the card schemes’ rules that need to be followed.
Please note: mail order or telephone order transactions are also often referred to as MOTO transactions.
Mail Order
This is a transaction where a merchant receives written instructions from its customer to make a purchase, in the post or by fax, and it includes their card details (except for their PIN) and signature. An acquiring bank can help a merchant to identify the correct card details to be captured and explain how these can be processed as a card transaction through the terminal.
Telephone Order
Telephone orders are similar to mail order, except that a merchant is taking the cardholder’s order by telephone and will not have their signature to confirm their agreement to the transaction. However, the merchant will have an opportunity to ask supplementary questions, such as asking for the card’s Card Security Code which is on the back of the card, to help guard against a potential fraudulent transaction.
Internet
To accept transactions over the internet, a special agreement is needed with an acquiring bank, and a separate internet merchant number to the number the merchant may have to process card present, mail order, or telephone order transactions.
A website or ‘virtual shop’ window is needed for a merchant’s customers to visit, and a payment service provider (PSP) who will provide a ‘till’ or 'payment gateway' to securely take their card details on a payment page and pass these onto the merchant’s acquiring bank for processing. An acquiring bank may have their own payment gateway product or can advise which PSPs they can accept card details from.
An acquiring bank can provide further details about trading on the internet, what a merchant’s website needs to do to conform to card scheme regulations, how to use the standard tool set of AVS / CSC, MasterCard SecureCode and Verified by Visa, and how a merchant can integrate these into their website and business operations.
An acquiring bank can also provide assistance on what fraud screening tools they would recommend to help a business guard against potential fraud transactions.
