What Is a CNP Transaction in Banking?
Demystify Card-Not-Present (CNP) transactions in banking. Understand how these prevalent remote payments operate, their security, and the roles involved.
A Card-Not-Present (CNP) transaction is a common payment method where the physical card is not presented to the merchant. It contrasts with traditional in-person payments, where a card is physically swiped, inserted, or tapped at a point-of-sale terminal.
A Card-Not-Present (CNP) transaction occurs when a payment card, such as a credit or debit card, is used without its physical presence at the point of sale. This means the card does not physically interact with a terminal, differentiating it from a card-present transaction. The transaction relies solely on the payment card’s credentials, which are provided remotely.
Common scenarios for CNP transactions include:
Online purchases, where customers enter card details on a website or through a payment link.
Mail Order/Telephone Order (MOTO), where customers provide card information over the phone or via mail.
Recurring billing and subscription services, where card details are stored and used for automated payments.
Mobile app payments.
Online invoice payments.
The fundamental difference from card-present transactions lies in the absence of physical card verification. For instance, even if a customer is physically present but their card information is manually typed into a terminal, it is still considered a CNP transaction. This distinction affects security measures and the allocation of liability in case of fraud.
A CNP transaction involves a flow of communication among several parties. The process begins when a customer provides card details (card number, expiration date, and security code) to the merchant online or over the phone. The merchant sends these encrypted details to a payment gateway, which transmits the data to the payment processor.
The payment processor forwards the transaction request to the acquiring bank (the merchant’s bank). The acquiring bank routes the request through the card network (like Visa or Mastercard) to the issuing bank (the customer’s bank). The issuing bank verifies the card’s validity, checks for sufficient funds or credit, and performs security checks, including comparing the billing address supplied with the order against the address it has on file through the Address Verification Service (AVS).
Upon approval, the issuing bank sends an authorization code back through the card network, acquiring bank, payment processor, and payment gateway to the merchant. Funds are settled later, typically within a few business days, with the acquiring bank collecting funds from the issuing bank and depositing them into the merchant’s account.
CNP transactions carry a higher risk of fraud due to the absence of a physical card, requiring robust security protocols. Encryption, such as SSL/TLS, scrambles cardholder data during transmission, so that anyone who intercepts it cannot read it.
Tokenization enhances security by replacing sensitive card details with a unique, randomly generated token. This token has no value if intercepted, protecting stored data from breaches. The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements for entities that handle cardholder data. Compliance involves requirements such as building and maintaining secure networks, protecting stored cardholder data, maintaining a vulnerability management program, and implementing strong access control measures.
Additional authentication measures include the Address Verification Service (AVS) and Card Verification Value (CVV/CVC). AVS compares the billing address with the address on file with the issuing bank to confirm identity. The CVV/CVC is a three- or four-digit security code on the card, used to verify that the purchaser physically possesses it. 3D Secure (e.g., Verified by Visa, Mastercard SecureCode) adds an extra layer of authentication for online transactions, often through a password or one-time code. This protocol can shift liability for fraudulent transactions from the merchant to the card issuer.
Each party in a CNP transaction has distinct roles and responsibilities. Customers are responsible for protecting their card details and reporting unauthorized activity. While consumer protection laws limit cardholder liability for fraudulent transactions, customers should still monitor statements for suspicious charges.
Merchants bear significant responsibility in CNP transactions, often being liable for fraud losses due to the inability to physically verify the card or cardholder. They must implement security measures like PCI DSS compliance, secure payment gateways, and fraud detection systems. Fraudulent CNP transactions can lead to chargebacks, where the issuing bank reverses the transaction, requiring the merchant to reimburse the cardholder and often incurring additional fees.
The acquiring bank provides infrastructure for merchants to accept card payments and assumes some financial risk. They manage fund settlement and dispute resolution. Issuing banks, which provide payment cards to consumers, approve or decline transactions and investigate fraud claims. When a customer disputes a charge, the issuing bank initiates the chargeback process, which can lead to the merchant being held liable.