Card-not-present transactions are now a routine part of doing business online. But with convenience comes added risk. Without the cardholder present, fraud becomes easier and costs can quickly add up. 

This article breaks down why these transactions carry higher risk, what types of fraud to watch for and how you can protect your business with the right tools and practices.


What Is a Card-Not-Present Transaction?

A card-not-present transaction happens when a customer pays without physically using their card at a terminal. Instead of swiping or tapping, they share their card details another way.

Card-not-present transactions occur when:

  • Shopping online
  • Placing orders by phone
  • Sending mail orders with card info
  • Paying for subscription services
  • Making purchases through mobile apps

Another common method is using a virtual terminal, which allows merchants to process payments by entering the customer’s card details directly into an online interface.

To really understand card-not-present transactions, let’s contrast them with card-present (CP) transactions:

  • Environment: CP transactions happen face-to-face, while card-not-present transactions occur remotely through digital channels, phone or mail.
  • Verification methods: CP transactions allow someone to check your physical card and sometimes your ID. Card-not-present transactions rely on digital verification like AVS (Address Verification Service), CVV codes and 3D Secure technology.
  • Security risk: CP transactions are generally safer because they require a physical card. Card-not-present transactions face higher fraud risks since stolen card details can be used from anywhere.
  • Processing fees: Because of the increased risk, businesses may pay higher fees for card-not-present transactions compared to CP transactions.

Why Are Card-Not-Present Transactions Increasing?

Card-not-present transactions have skyrocketed in recent years due to several key factors:

  1. eCommerce explosion: As online shopping has boomed, so have card-not-present transactions.
  2. Changing consumer habits: Consumers value convenience and often prefer digital shopping over traditional stores. The ability to shop 24/7 from anywhere has fast-tracked this shift.
  3. EMV chip impact: The secure chips in our cards have made in-person fraud much harder. This has pushed scammers toward card-not-present channels where different vulnerabilities exist.
  4. Subscription boom: The rise of subscription services for streaming, meal kits and more has created millions of automatic card-not-present transactions.
  5. Global reach: Card-not-present transactions let businesses sell worldwide without needing physical stores in those markets.

This growth in card-not-present transactions has unfortunately sparked an increase in fraud, so securing these transactions matters for businesses and consumers alike.

What Are the Risks of Card-Not-Present Transactions?

Card-not-present transactions offer incredible convenience, but they come with serious risks that can hit your bottom line.

Higher Fraud Rates

The biggest risk with card-not-present transactions is fraud vulnerability. Without seeing the actual card and person, verifying legitimate transactions becomes tricky.

In the UK, for example, card-not-present fraud makes up 85.3% of all card fraud.

Financial Exposure and Liability

When card-not-present fraud strikes, merchants typically foot the bill. Unlike in-person transactions, where banks often take responsibility, card-not-present transaction fraud can result in chargebacks that leave the business holding the bag. You lose both your product and the money from the sale.

The losses from card-not-present fraud are set to reach $28 billion globally by 2026, a 40% increase compared to the prior three years.

Operational Challenges

Verifying customers without seeing them requires extra security measures and procedures. This means implementing more complex verification systems, training staff on fraud prevention and dedicating resources to monitor transactions. These challenges increase your costs and can slow down your sales process.

Customer Trust Issues

Fraud incidents can damage your reputation and erode customer confidence. When customers experience fraud through your platform or hear about security issues, they become hesitant to share payment information. This leads to abandoned carts and lost sales, further hurting your revenue.

What Types of Fraud Are Common in Card-Not-Present Transactions?

Understanding the specific fraud tactics targeting card-not-present transactions helps you build better defences and implement fraud prevention strategies. Staying informed about evolving fraud trends also protects your business. Here are the most common threats you should know about:

Phishing Attacks

Scammers create fake emails or websites that look just like legitimate businesses to trick people into sharing card details. These attacks can be remarkably convincing, using similar branding and messaging to real communications. Once they have the card information, fraudsters make unauthorised purchases across various sites, creating headaches for customers and merchants.

Quishing 

Quishing, or QR code phishing, combines QR codes with traditional phishing tactics. Criminals create malicious QR codes to redirect users to fake websites, steal sensitive information such as login credentials, personal details, or financial data, and install malware on devices. Because QR codes often bypass traditional security filters, they’re a blind spot in many companies’ defences.

Account Takeover Fraud

This happens when criminals gain access to legitimate customer accounts through methods like credential stuffing or social engineering. Once inside, they can make purchases, change shipping addresses or steal stored payment information. These transactions look legitimate, making them particularly hard to spot.

Chargeback Fraud

In this scenario, criminals use stolen card details to make purchases, and when the real cardholder discovers the unauthorised charges, they dispute them with their bank. As a merchant, you lose the merchandise and the payment while facing additional chargeback fees and potential damage to your merchant account standing.

Friendly Fraud

Unlike traditional fraud, friendly fraud occurs when actual customers make purchases but later falsely claim they didn’t receive the product or service. This might be intentional or sometimes the result of confusion (like not recognising a charge on their statement). Either way, merchants typically lose these disputes without solid evidence.

Triangulation Fraud

This sophisticated scheme involves fraudsters setting up fake online stores to collect payment information from unsuspecting shoppers. They then use stolen cards to purchase legitimate products from real merchants and ship them to the customer who placed the original order. When the actual cardholder spots the unauthorised charge, the merchant faces a chargeback.

Digital Wallet Exploitation

As digital wallets gain popularity, fraudsters have developed ways to exploit vulnerabilities in these platforms. They might use phishing to access digital wallets or exploit technical weaknesses to bypass security measures. Once compromised, these wallets enable unauthorised transactions.

Card Testing

Before committing major fraud, criminals often “test” stolen card information with small purchases to verify the cards work. These minor transactions might fly under the radar for cardholders but signal an impending larger fraud attempt. For merchants, processing numerous small transactions disrupts operations and increases fees.

How Can You Protect Against Card-Not-Present Fraud?

To shield your business from these threats, you need layers of security that combine basic verification with cutting-edge technology. Implementing these measures protects against fraud and ensures your secure payment processes go beyond basic compliance. 

Here’s how to protect your card-not-present transactions:

Strong Authentication Protocols

Your first defence against card-not-present fraud starts with authentication:

  • 3D Secure 2.0: This protocol creates a smooth experience for safe transactions while adding extra security for suspicious ones. Implementing card payments with 3DS shifts fraud liability from you to the card issuer, giving you both protection and better customer experience. For an in-depth look, check out our 3D Secure guide.
  • Multi-factor authentication: Ask customers to verify themselves through at least two different methods—something they know (password), something they have (mobile device) or something they are (fingerprint).
  • Biometric solutions: Use fingerprint scanning, facial recognition or voice authentication for stronger verification that fraudsters struggle to fake.

Basic Verification Measures

These fundamental checks stop common fraud attempts:

  • CVV requirement: Always ask for the Card Verification Value. Since this code isn’t stored in databases or on magnetic stripes, it proves the customer has the actual card.
  • Address verification service (AVS): Compare the billing address entered during checkout with the address on file with the card issuer to spot potential fraud.
  • IP/Location verification: Watch where transactions come from and flag purchases from high-risk countries or locations that don’t match the customer’s usual patterns.

Advanced Security Technologies

Take your protection further with sophisticated security tools:

  • Tokenisation: Replace sensitive payment data with meaningless tokens during transactions, a process known as payment tokenisation. Even if intercepted, these tokens are useless to fraudsters without the proper decryption keys.
  • Encryption methods: Use end-to-end encryption to protect payment data during transmission.
  • Real-time transaction monitoring: Analyse transaction patterns as they happen, allowing immediate action for suspicious activities before fraud can be completed.
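
Card testing, described earlier, is one pattern that real-time transaction monitoring can catch. The sketch below is an added example, not Rapyd's code: a sliding-window rule that flags a source submitting small charges on many different cards. The field names, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: float        # seconds since start of capture
    source: str      # IP or device fingerprint (assumed to be available)
    card_fp: str     # card token or fingerprint, never the raw card number
    amount: float
    approved: bool


class CardTestingDetector:
    """Sliding-window velocity rule; thresholds are illustrative assumptions."""

    def __init__(self, window_s=600, max_cards=4, small_amount=5.00,
                 decline_ratio=0.5):
        self.window_s = window_s
        self.max_cards = max_cards
        self.small_amount = small_amount
        self.decline_ratio = decline_ratio
        self._recent = defaultdict(deque)   # source -> attempts inside window

    def observe(self, a: Attempt) -> list:
        """Record one attempt and return the reasons it looks like card testing."""
        q = self._recent[a.source]
        q.append(a)
        while a.ts - q[0].ts > self.window_s:   # expire attempts outside window
            q.popleft()
        small = [x for x in q if x.amount <= self.small_amount]
        cards = {x.card_fp for x in small}
        if len(cards) < self.max_cards:
            return []
        reasons = [f"{len(cards)} distinct cards on small amounts"]
        declined = sum(not x.approved for x in small)
        if declined / len(small) >= self.decline_ratio:
            reasons.append(f"{declined}/{len(small)} declined")
        return reasons


# Constructed sample traffic (documentation IP ranges, made-up card tokens).
SAMPLE = [Attempt(30.0 * i, "203.0.113.7", f"tok_{i}", 1.00, ok)
          for i, ok in enumerate([False, False, True, False, False, True])]
SAMPLE += [Attempt(45.0, "198.51.100.20", "tok_a", 3.50, True),
           Attempt(400.0, "198.51.100.20", "tok_a", 42.00, True)]


def first_alerts(attempts):
    """Return {source: (timestamp, reasons)} for the first alert per source."""
    det, alerts = CardTestingDetector(), {}
    for a in sorted(attempts, key=lambda x: x.ts):
        reasons = det.observe(a)
        if reasons and a.source not in alerts:
            alerts[a.source] = (a.ts, reasons)
    return alerts
```

In production the same rule would typically trigger step-up authentication or rate limiting for the flagged source rather than an outright block, so a shared network address does not lock out genuine customers.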

AI and Machine Learning Solutions

Modern fraud prevention works best with artificial intelligence:

  • Behavioural analytics: Monitor customer purchasing habits to establish normal patterns and flag unusual activities that might indicate fraud.
  • Anomaly detection systems: Use machine learning algorithms that constantly learn and adapt to new fraud patterns, catching suspicious transactions that humans might miss.
  • Reduced false positives: AI systems distinguish between genuine transactions and fraudulent ones more accurately, preventing the frustration of flagging legitimate sales.

By using layered protection strategies, you can dramatically reduce your vulnerability to card-not-present fraud, improve your credit card acceptance rates and support your business growth.

How Can You Reduce Chargebacks in Card-Not-Present Transactions?

Card-not-present transactions naturally carry higher risks of disputes and fraud. Here are six strategies to minimise chargebacks in these instances:

Use Clear Payment Descriptors

One simple yet powerful way to prevent chargebacks is using clear, recognisable billing descriptors. When customers review their statements, they should instantly recognise your charge. Include your company name and a brief purchase description in your payment descriptor. This prevents “friendly fraud” where customers dispute charges they don’t recognise.

Maintain Transparent Policies

Make your refund, return and cancellation policies crystal clear before checkout completion. Display these policies prominently during checkout and include them in order confirmations. When customers understand your terms upfront, they’re more likely to contact you directly instead of filing disputes with their card issuer.

Implement Proactive Customer Communication

Regular updates throughout the purchase journey significantly cut chargeback rates. Send immediate order confirmations, shipping notifications and delivery updates. For subscriptions, send reminders before billing. This transparency builds trust and gives customers a chance to address concerns before resorting to chargebacks.

Use Pre-Transaction Validation Tools

Address Verification Service (AVS) and Card Verification Value (CVV) checks add crucial security layers to card-not-present transactions. These validation tools confirm that the person making the purchase has physical access to the card or its details. For higher-value transactions, consider 3D Secure authentication to shift liability away from your business.

Engage Customers After Purchase

Post-purchase engagement improves satisfaction and also reduces chargebacks. Follow up with customers to make sure they’re happy with their purchase. Send emails asking for feedback or reviews. When customers feel valued, they’re more likely to contact you directly with issues rather than filing disputes.

Develop Dispute Management Processes

Even with preventive measures, some chargebacks will occur. Create a straightforward process for responding to disputes with compelling evidence. Track chargeback reasons to identify patterns and fix root causes. You can also implement automated pre-dispute resolution tools that help with reducing chargebacks and controlling risk.

What Compliance Standards Apply to Card-Not-Present Transactions?

When handling card-not-present transactions, you must follow several strict compliance frameworks to protect customer data and fight fraud.

PCI DSS Requirements

The Payment Card Industry Data Security Standard provides the foundation for secure card processing:

  • Cardholder data protection: PCI DSS strictly prohibits storing sensitive authentication data such as CVV codes after authorisation, even with customer consent.
  • Access control protocols: You must implement strict user access management—only authorised personnel should access cardholder data, with multi-factor authentication required for remote access.
  • Vulnerability management: Regular security scans and penetration testing are mandatory to find and fix system vulnerabilities before they can be exploited.
  • Tokenisation: Using tokenisation replaces sensitive card data with unique tokens, significantly reducing your compliance scope and minimising data breach risks during transmission and storage.

PSD2 and Strong Customer Authentication (SCA)

The European Union’s Revised Payment Services Directive adds security layers for electronic payments:

  • Two-factor authentication: SCA requires customers to authenticate using at least two of three elements: knowledge (password/PIN), possession (smartphone/device) and inherence (fingerprint/facial recognition).
  • Transaction exemptions: Low-risk or low-value transactions (under €30) may not need SCA, nor do recurring payments after the initial authentication.
  • 3D Secure 2.0: This protocol allows for risk-based authentication, and applies friction only when necessary.

Global Compliance Considerations

For businesses operating internationally, compliance becomes more complex:

  • Data protection laws: Beyond payment standards, you must consider how regulations like GDPR affect payment data processing, particularly regarding customer consent and data portability.
  • Cross-border challenges: Processing international payments introduces additional verification difficulties, as validation standards vary between countries, complicating fraud detection efforts.

How Can a Global Payments Partner Like Rapyd Help?

Managing card-not-present transactions brings significant challenges, but partnering with a global payments platform like Rapyd provides solutions that address security concerns.

Our platform includes advanced fraud protection like tokenisation, transaction monitoring and support for 3D Secure, CVV and AVS, all accessible through a single API. You can also offer over 900 local payment methods in more than 190 countries, letting customers pay in ways they know and trust. 

Rapyd handles currency conversion and settlement too, so you can accept payments globally while settling in your preferred currency. 

For developers, Rapyd offers hosted checkout options, low-code plugins and robust API documentation to simplify implementation. 

You also get real-time reporting and transaction insights to help improve approval rates. 

Rather than setting up local entities, you can use Rapyd to localise checkout, reduce fraud and give customers a payment experience that works wherever they are.

Protecting Consumers and Merchants During CNP Transactions

Card-not-present transactions have become essential to global digital commerce, though this growth brings security challenges.

The most successful merchants use multi-layered security strategies, combining advanced technologies like tokenisation, 3D Secure authentication and fraud detection with machine learning while keeping checkout processes straightforward. 

Finding this balance is important. Too much friction drives cart abandonment, while inadequate security invites fraud.

Partnering with payment platforms that offer integrated security tools and chargeback management allows you to support card-not-present transactions while keeping fraud risks under control.

Rapyd Delivers Payments Solutions for Every Business

With end-to-end payment and payout solutions, multi-currency business accounts and directly licensed card acquiring, Rapyd is a reliable solution for global payments trusted by more than 250,000 businesses.

Top-tier authorisation rates 

Fast onboarding

Built-in fraud protection and dispute management
