What Is a Card Not Present Transaction?
Explore the essentials of card not present transactions, from their definition and operation to robust security protocols in modern digital commerce.
Card-not-present (CNP) transactions are a fundamental shift in modern commerce. These transactions are now common, enabling purchases without the physical exchange of a payment card. Understanding CNP transactions is relevant in today’s digital economy, where convenience and remote access shape consumer behavior. This method facilitates a wide range of activities, from routine online shopping to managing recurring services.
A card-not-present (CNP) transaction occurs when the physical payment card is not presented to the merchant at the point of sale. Instead, the transaction relies on the customer providing their payment card details remotely.
Common scenarios for CNP transactions include online purchases made through e-commerce websites. Customers enter their card number, expiration date, and security code directly into a web form. Another frequent instance is mail order/telephone order (MOTO) transactions, where card details are conveyed verbally or in writing.
Recurring billing for subscriptions or services, such as streaming platforms or software, also falls under the CNP umbrella. Here, card details are stored securely by the merchant for automated future payments. Similarly, invoice payments made remotely, often by entering card information into a secure online portal, are also classified as CNP transactions.
A card-not-present transaction begins when a customer provides their payment card details to a merchant, typically via a website or over the phone. These details include the card number, expiration date, and the security code. Once the customer submits this information, it is securely transmitted to the merchant’s payment gateway.
The payment gateway acts as a secure intermediary, encrypting the card data and routing it to the acquiring bank, which is the financial institution that processes payments for the merchant. The acquiring bank then forwards the encrypted transaction details to the relevant card network, such as Visa or Mastercard.
The card network identifies the issuing bank, which is the customer’s bank, and sends the authorization request. The issuing bank verifies the card details, checks for sufficient funds or credit, and assesses for potential fraud indicators. It then sends an authorization or decline response back through the card network to the acquiring bank. Finally, the acquiring bank communicates the transaction’s approval or rejection to the payment gateway, which then relays the status to the merchant and the customer.
Protecting card-not-present transactions involves multiple layers of security measures designed to mitigate the fraud risk inherent in the absence of a physical card. Encryption is a fundamental defense, transforming sensitive card data into an unreadable form while it travels across networks, so that an unauthorized party who intercepts the traffic obtains nothing usable without the corresponding decryption key.
Tokenization further enhances security by replacing actual sensitive card data, such as the primary account number (PAN), with a unique, non-sensitive identifier called a token. The token has no value on its own and cannot be reverse-engineered to reveal the original card details, so it remains useless to an attacker even if the merchant's database is breached. Merchants can store these tokens for recurring payments, reducing their exposure to sensitive data and shrinking the systems that must be protected.
The Card Verification Value (CVV), also known as CVC2 or CID, is a three- or four-digit security code printed on the physical card that is not encoded in the magnetic stripe. Providing this code for a CNP transaction helps verify that the cardholder has the physical card, adding an extra layer of authentication. Merchants are generally prohibited from storing these codes after a transaction is completed.
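The tokenization and CVV-handling rules described above, as an added example that is not part of the original article: a hypothetical gateway-side vault that validates the PAN with the Luhn check, issues a random token in place of the PAN, and discards the CVV after the live authorization rather than storing it. The `TokenVault` class, the `tok_` prefix and the 6-plus-4 masking format are assumptions for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    digits = [int(c) for c in pan]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, a common display format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """Hypothetical gateway-side vault mapping random tokens to PANs.
    In a real deployment the PAN would be encrypted at rest and the vault
    would sit inside the PCI DSS scope, not on the merchant's systems."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str, expiry: str, cvv: str) -> dict:
        pan = re.sub(r"\D", "", pan)          # strip spaces/dashes from input
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # The CVV is needed only for the live authorization request; it is
        # deliberately never written to the vault (PCI DSS forbids storing it).
        del cvv
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._store[token] = {"pan": pan, "expiry": expiry}
        return {"token": token, "masked_pan": mask_pan(pan), "expiry": expiry}

    def detokenize(self, token: str) -> str:
        """Called only by the gateway when routing a recurring charge to the acquirer."""
        return self._store[token]["pan"]

    def holds_secret(self, value: str) -> bool:
        """True if a value is stored anywhere in the vault (shows the CVV is absent)."""
        return any(value in rec.values() for rec in self._store.values())
```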
The Address Verification Service (AVS) is another fraud prevention tool used in CNP transactions. AVS compares the billing address provided by the customer during checkout with the billing address on file with the card's issuing bank. The issuing bank returns a response code indicating whether the address matched, which merchants use to decide whether to proceed; because AVS typically checks only the numeric portions of the address (the street number and the postal code), a partial match still calls for judgment on the merchant's side.
3D Secure, encompassing programs like Visa Secure and Mastercard Identity Check, adds an additional authentication step for online payments. This protocol redirects the customer to their card issuer’s page, where they may be prompted for a one-time password, a PIN, or biometric verification to confirm their identity. This extra layer of authentication shifts liability for fraudulent chargebacks from the merchant to the issuing bank in many cases.
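How a merchant might combine the issuer's authorization decision with the AVS, CVV and 3D Secure results described above, as an added example that is not part of the original article. The single-letter AVS and CVV codes are modeled on the common card-network conventions but are an assumption here (an acquirer's documentation defines the authoritative set), and the `decide` rule and review threshold are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed response codes, modeled on common network conventions.
AVS_FULL_MATCH = {"Y"}      # street number and postal code both matched
AVS_PARTIAL = {"A", "Z"}    # only the street number (A) or only the postal code (Z) matched
AVS_NO_MATCH = {"N"}        # neither matched; "U" and others mean unavailable/unknown
CVV_MATCH, CVV_NO_MATCH = "M", "N"


@dataclass
class AuthResult:
    approved: bool            # issuer's authorization decision
    avs: str                  # AVS response code returned by the issuer
    cvv: str                  # CVV match result
    three_ds: Optional[str]   # "authenticated", "attempted", "failed", or None if not used
    amount: float


def decide(r: AuthResult, review_threshold: float = 500.0) -> str:
    """Merchant-side rule returning 'accept', 'review' or 'decline'.
    An issuer approval only confirms the card is valid and funded; in a CNP
    sale the merchant still carries chargeback risk, so it layers the other
    signals on top of the approval."""
    if not r.approved or r.three_ds == "failed":
        return "decline"
    if r.cvv == CVV_NO_MATCH:
        return "decline"      # strong signal that the buyer does not hold the card
    if r.avs in AVS_NO_MATCH:
        return "decline"
    if r.three_ds == "authenticated":
        return "accept"       # cardholder authenticated; liability shifts to the issuer
    if r.avs in AVS_FULL_MATCH and r.cvv == CVV_MATCH and r.amount <= review_threshold:
        return "accept"
    return "review"           # partial/unavailable AVS or a large unauthenticated order
```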
Finally, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a requirement for merchants handling cardholder data. PCI DSS outlines a set of security standards designed to protect payment card information, including requirements for encrypting data, using firewalls, and restricting access to cardholder data. Adhering to these standards helps merchants maintain a secure environment for processing CNP transactions.