If you’re a new merchant, you may have come across the term ‘card not present transaction’ before and wondered what this means for your approach to growing a business.
With e-commerce businesses having a 38% share of the retail market in the UK, many small businesses are facing a demand for flexible, remote payments.
Various forms of card not present (CNP) transactions now exist for modern consumers to enjoy greater convenience when they shop. In this climate, it’s important for online merchants to familiarise themselves with CNP payment methods and meet the needs of their customers.
In this guide, we’ll take a closer look at what card not present transactions are, the various forms they take, and how you can ensure your CNP transactions are efficient, convenient, and secure.
At a basic level, a card not present transaction is any transaction that occurs when a credit or debit card isn’t presented at a physical checkout.
If money was exchanged using a customer’s card details, but the payment card wasn’t tapped, inserted, or swiped on a card reader at a physical POS system, then this qualifies as a card not present transaction.
There are a number of forms that a card not present transaction can take. One of the most common is through a secure payment gateway, where a customer enters their own card details on a business’s online portal to approve a payment.
Although card not present transactions are hugely popular due to their convenience, the fact that the cardholder isn’t physically with the card presents an increased risk of fraud.
No matter what kind of CNP transactions merchants offer, it’s essential that they become familiar with the associated security risks and take steps to mitigate them.
Though the difference between a customer paying remotely or in person seems fairly simple, it’s important to consider how each type of transaction can play a part in your business and the costs and benefits that come with each category.
Let’s look at what some of the practical differences between card present (CP) and CNP transactions will mean for you as a merchant.
There are 2 main benefits that card present transactions have over card not present transactions: heightened security and lower transaction fees.
CP transactions make it harder for fraudsters and other cyber criminals to steal a person’s payment information.
The average person shares their card information remotely with countless different merchants, which gives cyber criminals many avenues for stealing this information.
Card present transactions tend to carry lower payment provider fees compared to CNP payment methods. Because of the higher security and the reduced risk of chargebacks, payment providers can afford to facilitate card present transactions for lower merchant fees.
The core drawback of card present transactions is that they can only take place when the cardholder is in the same physical space as a merchant’s POS system.
If a merchant were to facilitate card present payments only, this could be seen as inflexible by customers, and make the brand seem behind the times compared to its close competitors.
The main benefit of card not present transactions is that they allow you to diversify the ways in which customers can pay for your goods and services.
Since the advent of the internet has allowed businesses to reach a national or even global audience, businesses have had to accommodate a larger variety of shopper preferences to remain competitive.
When you invest in facilitating card not present transactions, you’ll be able to accommodate a wider range of preferences, and enable customers to buy from you in a way that suits them.
Adding just one particular form of CNP to your business’s available payment options can open you up to a whole new audience segment, helping you to generate new business and gain loyal customers.
The core drawback of card not present transactions is that they tend to be less secure than CP transactions.
Though there are various security layers that payment providers and small business owners can add to their payment systems, credit card fraud is a much bigger risk when transactions are conducted remotely.
When criminals try to make fraudulent card present transactions, they have to get a hold of the physical payment card or an NFC-enabled mobile device. With card not present fraud, there are many more avenues for fraudsters to get a hold of card information and use it without the cardholder knowing.
“Card not present transaction” is a broad term, and there are many different forms that these transactions can take.
CNP transactions can be facilitated through various different kinds of technology and communication channels, which can lend themselves more naturally to one type of business or another.
Here are 8 real-world business examples of card not present transactions and how the payment process works in each scenario.
Online invoices can be applied to a wide range of business models, though they’re particularly popular among service-based merchants like freelancers. Like a regular invoice, online invoices show a breakdown of goods or services and the cost for each one.
The main difference in these digitised invoices is that they contain a link to your payment portal, allowing customers and clients to quickly review the price breakdown then settle the outstanding cost.
Online invoices can be a convenient way for you to create and share records of the services you’ve sold, and facilitate payments from your clients or customers in one simple interaction.
Though the rise of online payment gateways has made them decline in popularity, there are many types of business that still take phone orders for goods and services in the UK. One example might be for a self-employed massage therapist, whose clients may want to confirm details about a treatment before they book it in the same phone call.
With this kind of CNP transaction, customers call a business, communicate their order verbally, then give their credit or debit card details over the phone. The business representative then enters these details into a system on their end, such as a virtual terminal, and processes the payment.
Automatic billing is a common CNP option among businesses that operate on a subscription model or sell their goods on a recurring basis, for example personal trainers or recipe subscription box businesses.
In this billing system, a client or customer will enter their payment card information and agree to have a certain amount paid using a credit or debit card at regular intervals, for example monthly.
This model can make payment processing more convenient for both the customer and the business, as it means they won’t have to manually authorise the payment each month, quarter, etc.
E-commerce shopping carts are software solutions that often come included with online store builder tools run by payment provider companies.
With this solution, customers can visit an e-commerce store and use the site interface to add items to their cart, then enter their card details on a secure portal and complete their purchase.
This is a hugely popular form of card not present transaction, offering a simple, easy-to-use interface and a range of convenient features, such as the ability to create wishlists, compare the prices of different items, and track the delivery of their orders.
Website payments are a type of card not present transaction that’s similar to an e-commerce payment set-up, though in a somewhat simpler, stripped-down form.
Like with an e-commerce store, a customer will use an online payment gateway to enter their card information and approve the purchase. Unlike with an online store, however, there are usually fewer features tied to the shopping cart system.
Website payments are usually associated with smaller transfers like for charitable donations or digital downloads.
Virtual terminal technology works in more or less the same way as a normal online payment gateway. The key difference is that while online payment gateways are intended for the customer to use themselves, a virtual terminal is operated by you or your staff.
Virtual terminals can be useful for taking payments over the phone, or for businesses where a lot of customers prefer shopping by mail order rather than sharing their card details online. Local, traditional businesses such as home bakeries may also opt to refer customers to virtual terminal payments for simplicity and a closer relationship with customers.
Though mail order purchases have largely been replaced by online payments, there are still certain businesses, for example catalogue clothing retailers, whose target audience are less tech-savvy, or have reservations about sharing their payment card information on online channels.
Mail order purchases work by a customer filling out an order form including their payment card details and sending this in to the merchant, who then processes it on their end using a virtual terminal.
Processing card-on-file transactions works in more or less the same way as other card not present transactions.
The main distinction is that with these payments, the customer consents to the merchant keeping their payment details on file in order to facilitate payments.
Card-on-file transactions are a common feature for business models that use automatic billing for subscription services, for example business coaches who work on retainer. They can also be popular in e-commerce set-ups where a customer can store their payment details on their account and complete their purchases with a few clicks at the checkout page.
As you can see, there are several different methods you can use to accept and process CNP transactions at your small business, with some of the most popular being online payment gateways, virtual terminals, and automatic billing.
While these payment methods are distinct from one another, the process for accepting a card not present transaction on the merchant’s side always follows a few universal steps:
The customer provides their credit or debit card payment information (usually the card number, expiry date, and CVV) remotely. This might be by entering it directly into a secure payment gateway themselves, or communicating it to you through a certain channel, e.g. over the phone or via email.
The card information is submitted to the gateway or virtual terminal.
The payment processing system validates the payment card information and authorises the payment.
The funds are transferred to your account.
Being able to process transactions remotely comes with a range of benefits for small business owners, and is typically paid for through 2 different kinds of fee:
Merchant rates: Merchant rates or merchant credit card fees are the fees that you, the merchant, will have to pay to payment providers in order to process credit card payments.
These are usually a percentage of the transaction’s value, and the rates can vary depending on the exact type of CNP transaction.
CNP transaction fees: CNP transaction fees are fixed fees that you, as the merchant, will have to pay, often in addition to the percentage merchant rates.
These fees tend to be higher than the fees for card present transactions, as they have to cover chargeback liability and an increased risk of fraudulent activity, rather than just the act of processing the payment.
Though the majority of CNP transactions happen without issue, it’s essential for you to be aware of the increased risk of fraud tied to card not present payments.
A single breach tied to your online payment methods can do irreparable damage to your brand’s reputation. The cybersecurity landscape is constantly changing, and staying aware of relevant threats can guarantee the future of your business operations in the long term.
Here are some of the key considerations for card not present payment security every online business owner should be aware of.
Cyber criminals are always looking for new ways to get around security layers and steal sensitive information.
A breach in the payment data your customers have entrusted you with will not only cost your business money and hurt your brand reputation, but could also lead to serious financial losses for your customers.
To mitigate the risk of this happening, it’s essential to get familiar with both the scope of cyber crime threats facing your industry, and the security layers you can implement to stop them.
One of the most basic ways you can ensure the safety of your remote customers is by requiring card verification values on your payment gateways. These are 3- or 4-digit codes printed on payment cards, which are used to confirm that the cardholder is in possession of a card and validate its authenticity.
Some of these verification values include:
CVVs (Card verification values)
CVCs (Card verification codes)
CMID (Card member ID)
CID (Card Identification Number)
Requiring these kinds of codes will mean that even if a criminal manages to steal one of your customers’ payment card numbers, they won’t be able to complete a purchase without access to the physical card.
While card verification values can be an effective foil against common forms of card fraud, there are many more technologies you can use to maximise security for your small business and keep one step ahead of cyber criminals.
Some of the most effective emerging technologies for improving your card not present security include:
PCI DSS (Payment Card Industry Data Security Standard): PCI DSS is an international standard for credit and debit card security.
Though not strictly a legal requirement in the UK, PCI DSS compliance is widely seen as a minimum standard for any business that handles customer payment card data. The standard covers many different aspects of payment security, such as:
Building a secure network.
Testing and monitoring your payment network’s security.
End-to-End Encryption (E2EE): End-to-end encryption or E2EE is a security technology that keeps sensitive payment data behind a layer of encryption from the moment it’s shared by a customer, decrypting it only when it reaches its destination.
This technology makes it exceptionally hard for cyber criminals to intercept and decipher, keeping data safe from the vast majority of attacks.
Tokenisation: Tokenisation is a security practice that replaces payment data with unique, randomly generated identification symbols called tokens, which are themselves held in a secure database.
This means that even if a hacker was able to gain access to where the data is stored, they’d have no way of interpreting the tokens without the right decryption keys.
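As an added illustration of tokenisation (not code from this guide or from any payment provider), the sketch below swaps a card number for a random token held in a hypothetical in-memory vault, then scans the merchant's stored record for anything that still looks like a card number. `TokenVault`, `find_pans`, the key string and the test card number are all assumptions constructed for the example.

```python
import hmac
import re
import secrets
import string

TEST_PAN = "4111111111111111"  # constructed sample: a widely used test number, not a real card


def luhn_ok(digits: str) -> bool:
    """Checksum that every genuine payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every 13-19 digit run in text that passes the Luhn check."""
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [r for r in runs if luhn_ok(r)]


class TokenVault:
    """Hypothetical in-memory vault; in practice this is a separate, hardened service."""

    def __init__(self, processor_key: str):
        self._processor_key = processor_key
        self._pan_by_token = {}             # token -> card number, never leaves the vault

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        # Letters only, drawn from the OS CSPRNG: the token has no mathematical
        # link to the card number and can never itself look like one.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str, caller_key: str) -> str:
        # Only a caller holding the processor's key may swap a token back.
        if not hmac.compare_digest(caller_key.encode(), self._processor_key.encode()):
            raise PermissionError("caller may not detokenise")
        return self._pan_by_token[token]


def card_on_file_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant keeps: the token plus the last four digits for display."""
    return {"customer": customer, "token": vault.tokenise(pan), "last4": pan[-4:]}


vault = TokenVault(processor_key="constructed-processor-key")
before = {"customer": "c-1001", "card_number": TEST_PAN}   # raw card number on file
after = card_on_file_record(vault, "c-1001", TEST_PAN)     # tokenised record

if __name__ == "__main__":
    print("card numbers found in the raw record:      ", find_pans(str(before)))
    print("card numbers found in the tokenised record:", find_pans(str(after)))
```

The same `find_pans` scan can be pointed at exports, logs or backups to confirm that no raw card numbers remain outside the vault.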
Researching and implementing security technologies that can help you reduce the risk of security breaches is important, though it’s important to remember that the payment security landscape is constantly evolving.
Having a proactive approach to card not present security will help you stay a step ahead of new cyber crime tactics and keep your security layers up to a high standard.
Here are some of the most effective ongoing practices you can employ to protect your customers and wider business:
Implement multi-factor authentication (MFA): Requiring your customers to authenticate their login when accessing an account that contains their payment information adds an extra layer of security to purchases.
MFA works by demanding additional forms of verification, such as a one-time code sent via text to the customer's mobile device, or the use of an authenticator app.
Regularly update security software: Though payment security software is designed to do a lot of the hard work when it comes to securing card payments, it’s essential to install software providers’ updates as they come out to ensure your software can withstand emerging threats.
Keep your security systems and software up-to-date to protect against known vulnerabilities and exploits.
Educate employees: Human error is often a cause of serious security breaches. Train your staff on recognising potential fraud indicators and the importance of adhering to security protocols to mitigate this risk.
Monitor transactions: There are a variety of machine learning tools on the market which can be used to identify and flag unusual or suspicious activities, calling your attention to them in cases where they might require manual intervention. These timely alerts can help you and your staff act quickly to prevent fraud.
Partner with reputable payment providers: Carry out thorough research when selecting a payment provider and make sure you only partner with established payment processors that have a track record of robust security measures.
Despite the myriad security measures available to organisations that handle payment cards, CNP fraud continues to be a huge problem.
One study by leading finance industry organisation UK Finance found that more than 80% of card fraud losses in the UK reported in 2022 were from forms of CNP fraud, representing a huge £395.7 million in reported losses.
Though CNP fraud should be a concern for any merchant who offers remote transactions, there are certain industries that tend to run a higher risk compared to others, including:
A huge proportion of all retail shopping now occurs online. The volume of online transactions that happen every day even on a single e-commerce site makes it easy for suspicious activity to blend in with legitimate orders.
Aside from this, busy retail seasons such as the run-up to Christmas, Black Friday, etc., can limit small retailers’ resources and make it harder for their staff to run effective fraud checks.
Transactions such as booking flights, hotels, and excursions tend to involve high transaction values. This can make the industry an enticing target for fraudsters, who can steal larger sums of money through fewer acts of credit card fraud.
Aside from this, the travel industry is characterised by cross-border transactions, where a customer based in one country may pay for a service supplied by a company based in another. Varying transaction patterns, together with the fact that each country has different security standards and legislation regarding fraud, can make it hard to detect and prevent fraud.
Ticket sales for live entertainment events are another magnet for CNP fraud. Like retail, this is partially due to the high volume of transactions that are processed in a small time frame in the run-up to a live event, which can provide effective cover for suspicious activities.
Furthermore, the accounts that people use to purchase entertainment tickets usually have less personalisation compared to something like an e-commerce account. This can make it harder to determine if the user behaviour tied to an account is suspicious, allowing fraudulent activity to occur unnoticed.
Disclaimer: The contents of this page are intended for informational purposes only and should not be construed as professional advice. For matters requiring legal or financial expertise, it’s recommended to seek guidance from qualified professionals.
Card not present transaction FAQs
What is the difference between card present and not present transactions?
How do you take credit card payments when customers are not present?
What are the risks of card not present transactions?
What are the most common reasons for chargebacks?