Fact-checked by Grok 2 weeks ago

Card-not-present transaction

A card-not-present (CNP) transaction is a processed using a or where the physical card and cardholder are not present for at the point of , distinguishing it from in-person transactions that involve swiping, inserting, or a card. These transactions commonly occur in remote settings such as purchases, orders, orders, or through cards, where the cardholder manually enters details like the card number, expiration date, and security code (). CNP transactions enable convenient and non-face-to-face commerce but rely on digital transmission of sensitive data, increasing vulnerability to unauthorized access compared to card-present methods. CNP transactions have become a cornerstone of modern , particularly in the , with their volume surging due to the growth of online retail and mobile payments. In the United States, the value of CNP transactions on major payment networks expanded from approximately $360 billion in 2011 to $1.8 trillion in 2021, reflecting their integral role in facilitating remote sales. Nearly 50% of Visa's global transactions now incorporate tokenization—a that replaces details with unique identifiers—to support secure CNP processing. This growth has been accelerated by the shift to chip-based cards ( migration starting in 2015), which reduced in physical transactions but shifted more illicit activity toward CNP channels. Despite their efficiency, CNP transactions carry elevated fraud risks because merchants cannot physically inspect the or verify the cardholder's in , making them susceptible to stolen details, takeovers, and synthetic . As of 2023, the average fraud rate for CNP transactions in the U.S. reached 41.6 basis points (the value of fraudulent transactions divided by total CNP transaction value), up from 26.1 basis points in , with merchants absorbing the majority of losses on certain networks. As of 2024, U.S. CNP losses reached $10.16 billion, comprising 74% of all . Tokenized CNP transactions, however, have demonstrated a 30% reduction in rates compared to those using primary numbers, highlighting the of advanced protections. To mitigate these risks, industry standards emphasize multi-layered measures, including address verification services (AVS), checks, and protocols like for added authentication during online purchases. Tokenization further enhances safety by limiting the exposure of actual card data, improving authorization rates by over 3% in CNP scenarios and contributing to a global 4.6% uplift in approvals. Real-time monitoring, machine learning-based fraud detection, and regulatory frameworks such as Regulation II (on interchange fees and ) also play key roles in balancing with in CNP environments.

Definition and Characteristics

Definition

A card-not-present (CNP) transaction is a type of where the physical or is not presented to the at the point of sale, distinguishing it from traditional in-person purchases that require the card's physical presence. Instead, the cardholder transmits essential card details—such as the account number, , and card verification value ()—remotely to authorize the payment. At its core, a CNP transaction involves an process routed through major payment networks like or , where the merchant's submits the provided card details to the card issuer for validation and approval. This process does not utilize physical interaction mechanisms, such as magnetic stripe readers, chip interfaces, or PIN verification, relying entirely on the digital or verbal exchange of information. Typical scenarios for CNP transactions include a inputting details directly into an website's form or verbally providing them to a over the . In contrast to card-present transactions, which involve the card's physical handling and often additional in-person , CNP methods prioritize remote but depend heavily on the accuracy and of the shared details.

Key Characteristics

Card-not-present (CNP) transactions fundamentally rely on the electronic transmission of key cardholder data, including the primary account number (PAN), , and , without any physical inspection or presentation of the card itself. This data is captured by the through remote channels such as online forms or verbal communication and submitted for , distinguishing CNP from in-person payments that involve , magnetic stripe, or contactless reading. The absence of heightens the transaction's vulnerability, as fraudsters can exploit stolen credentials alone to initiate unauthorized purchases. Due to this elevated profile from lacking direct , CNP transactions incur higher interchange fees compared to card-present equivalents, reflecting the increased potential for and chargebacks. For instance, Visa's standard CNP rates for cards often range from 1.65% plus $0.10 to 2.60% plus $0.10 as of October 2025, adjusted for factors like specifics or incentives for secure practices. These fees compensate issuers for bearing greater liability in approving transactions without tangible evidence. The operational processing flow for CNP transactions begins with the merchant capturing the requisite card details and initiating an authorization request. This request is forwarded to the merchant's acquirer, which routes it through the payment network (such as Visa or Mastercard) to the card issuer for approval or decline based on available funds, fraud checks, and account status. Upon issuer response, the acquirer notifies the merchant, enabling completion of the sale if approved; subsequent steps like clearing and settlement follow standard network protocols. Specific data elements, including indicators for cardholder absence (e.g., DE 61 subfield 4 set to 4 or 5 in Mastercard messaging), ensure the network recognizes the transaction as CNP.

Comparison to Card-Present Transactions

Card-present transactions occur when the physical payment card is presented to the at the point of sale, typically involving the use of an chip for secure data transmission, along with verification methods such as a (PIN) or to authenticate the cardholder's identity. This process generates a unique transaction code for each purchase, significantly reducing the risk of card skimming and counterfeiting compared to older magnetic stripe methods. The physical presence of the card and cardholder allows for real-time interaction via payment terminals, enabling immediate verification and lowering the overall fraud potential. In contrast, card-not-present transactions do not involve the physical card or direct cardholder presence, relying instead on remotely provided card details such as the number, , and card verification value (), without access to chip, PIN, or signature verification. This absence of physical safeguards heightens fraud exposure, as malicious actors can more easily exploit stolen card information through methods like or data breaches, leading to elevated rates and financial losses for merchants. However, CNP transactions provide substantial by enabling remote purchases, such as or phone orders, which support the growth of without requiring in-person interactions. Due to the increased profile of CNP transactions, merchants typically face higher fees, with interchange rates often 0.5% to 1% greater than those for card-present transactions to account for elevated and dispute liabilities. For example, while card-present fees might average around 1.5% to 2.5% plus a fixed amount, CNP fees can rise to 2% to 3.5% or more, depending on the and , reflecting the additional costs of enhanced monitoring and prevention tools. This fee differential underscores the trade-off between security in physical settings and the flexibility of digital commerce.

Types of Transactions

Online Transactions

Online transactions represent a primary category of card-not-present (CNP) transactions, where consumers complete purchases over the internet without physically presenting their . These transactions have surged in prevalence alongside the expansion of , becoming a dominant form of card payments. By 2021, CNP transactions accounted for 61% of the value of non-prepaid transactions on major dual-message card networks such as and in the United States, reflecting their integral role in digital commerce. The typical process for online CNP transactions begins with the consumer selecting items on a merchant's or , leading to a secure checkout page compliant with Payment Card Industry Data Security Standard ( DSS) requirements. During checkout, the buyer enters card details, which are then tokenized—a security measure that replaces sensitive information like the primary account number () with a unique, non-sensitive identifier or . This is used for the request sent to the card issuer via the payment network, minimizing exposure of actual card data during transmission and storage. Common examples of online CNP transactions include retail purchases on platforms like Amazon, where users enter card information at checkout for immediate delivery, or ride-sharing services like Uber, where payments are processed in-app for on-demand transportation without card presentation. These scenarios highlight the convenience of online CNP, enabling seamless global e-commerce while relying on digital verification methods.

Mail Order and Telephone Order Transactions

Mail Order and Telephone Order (MOTO) transactions represent a traditional subset of card-not-present (CNP) payments, characterized by the absence of physical card presentation and reliance on non-digital transmission of payment details. In mail order scenarios, customers provide their credit or debit card information—such as the card number, expiration date, and CVV—through postal mail or fax transmission to the merchant. Telephone order transactions, by contrast, involve the customer verbally sharing these details over the phone, often during a sales call or customer service interaction. This verbal or written provision distinguishes MOTO from other CNP methods by emphasizing direct, non-electronic communication. The concept of remote commerce via dates to the mid-19th century, with pioneering examples including 's 1845 , which offered catalog-based sales with mail payments, and Aaron Montgomery Ward's 1872 catalog, which popularized rural purchasing via post. Card-based MOTO transactions emerged in the mid- with the widespread adoption of credit cards. Throughout the , these methods expanded with the growth of and printed catalogs, allowing businesses to conduct sales without requiring customers' physical presence at a store. While the rise of has diminished their dominance, MOTO persists in niche applications, such as charitable donations via phone pledges, subscription renewals for print media, and payments for in-person services like orders placed remotely. In the UK alone, MOTO accounts for over 500 million transactions annually, underscoring its ongoing relevance for businesses lacking robust online infrastructure. Processing MOTO transactions requires merchants or agents to manually key in the provided card details into a virtual terminal or , a step that inherently elevates the potential for errors compared to automated digital entry. Human input errors, such as transposing digits in card numbers or misrecording expiration dates, can result in transaction failures, necessitating re-entry and delaying fulfillment. These inaccuracies contribute to higher operational overheads, including increased decline rates and the need for follow-up customer communications, making MOTO processing more labor-intensive than card-present alternatives.

Recurring and Installment Transactions

Recurring transactions in card-not-present (CNP) contexts involve automated, periodic charges to a cardholder's for ongoing or services, typically under a pre-arranged subscription . These s rely on stored payment credentials, such as the primary number (PAN) and expiration date, which merchants securely retain after an initial authorization. Common examples include fixed monthly subscriptions for streaming services like or gym memberships, where card details are collected during signup via online forms without physical card presentation. The process begins with a cardholder-initiated transaction (CIT) requiring explicit consent and often (SCA), followed by merchant-initiated transactions (MIT) for subsequent billings at fixed intervals, such as monthly or annually. Merchants must disclose billing frequency, amounts, and cancellation terms in a written or electronic , and provide easy revocation options, such as online portals. Under rules, recurring CNP authorizations mandate initial cardholder for future charges, documented via signed contracts or click-to-accept mechanisms, with no storage of sensitive verification codes like CVV2 after the first transaction to comply with DSS standards. Subsequent charges use stored credentials with specific indicators in messages, and issuers cannot decline them solely for lacking an expiration date if previously provided. Limits on amount changes require merchants to notify cardholders at least seven days in advance for any variations, such as price adjustments, ensuring they align with the original scope to avoid disputes. Acquirers must register merchants for services like Automatic Billing Updater to handle credential updates, querying issuers every 180 days for changes in card details. Installment transactions in CNP settings allow cardholders to split a single purchase into a series of fixed payments over a defined period, often facilitated through buy-now-pay-later (BNPL) services. These differ from recurring payments by having a predetermined end date and total amount, typically for one-time purchases like electronics or travel bookings. Examples include BNPL providers like Affirm, where an online shopper selects installment options during checkout, authorizing the full amount initially while the provider handles deferred payments in equal parts, such as four interest-free bi-weekly installments. The authorization process involves an initial CNP transaction with , followed by either a single upfront approval covering all installments or separate authorizations per payment, using stored credentials under a binding agreement. Merchants receive the full purchase price immediately from the BNPL provider, who assumes the repayment risk, while cardholders consent to the schedule without mid-plan alterations unless renegotiated. For both recurring and installment CNP transactions, must be explicit and revocable, with full of terms including total costs, , and any fees, often presented via screens or order forms. No or charges are permitted on the portion in standard setups, and receipts must detail installment numbers or recurring cycles for transparency. with these rules ensures protections, such as unlimited timelines for preauthorized disputes, while prohibiting unauthorized storage of full-track data or verification values post-initial use.

Historical Development

Early Origins

Card-not-present (CNP) transactions originated in the and , primarily through mail-order catalogs that facilitated payments for goods without requiring the physical presentation of the card. As bank-issued s proliferated following the introduction of general-purpose cards in the , mail-order businesses like and integrated them into their operations, allowing customers to submit card details via order forms sent through the postal system. This shift was driven by the centralization of financial accounts via computers, which increased the volume of transactions processed through the , contributing to a surge in overall mail pieces from 27.7 billion in 1940 to 63.7 billion by 1960. A pivotal development occurred in the mid-1970s with the establishment of universal card networks, exemplified by the rebranding of BankAmericard to in 1976. This network, building on earlier electronic systems like Visa's BASE I launched in 1973, enabled merchants to verify remote transactions by phoning central centers, streamlining CNP for mail and orders. Prior to widespread electronic systems, authorizations relied on manual calls or paper-based approvals, which supported the growing demand from catalog retailers but exposed vulnerabilities in verification. From the outset, mail-order CNP transactions faced significant fraud risks, predating computerized detection methods and relying on rudimentary checks like address verification. Fraud losses escalated rapidly, rising from $20 million in 1966 to $100 million in 1969, often involving stolen card details submitted via mail for unauthorized purchases. These early vulnerabilities highlighted the challenges of remote payments in an era of limited real-time oversight, setting the stage for ongoing security concerns in CNP environments.

Growth with Digital Commerce

The surge in card-not-present (CNP) transactions began in the 1990s alongside the explosive growth of , fueled by the widespread adoption of the and the emergence of pioneering online platforms. eBay's launch in introduced a for remote buying and selling, where buyers entered card details without physical presentation, marking a pivotal shift toward digital commerce. This era's innovations, including secure online payment gateways, enabled businesses to reach global audiences, transforming CNP from niche applications like mail orders into a cornerstone of . By the early , platforms like had normalized CNP for everyday purchases, laying the groundwork for exponential expansion. The proliferation of mobile technologies post-2010 further accelerated CNP adoption, integrating seamless remote payment options into smartphones and apps. Apple Pay's introduction in 2014 exemplified this trend, supporting CNP modes for online and in-app transactions through tokenized credentials and biometric authentication, which reduced friction while maintaining security. Similarly, contactless remote features in services like and expanded CNP's reach, allowing users to complete purchases without proximity to merchants. This mobile-driven evolution not only boosted transaction speeds but also broadened accessibility, with digital wallets facilitating over $10 trillion in transactions annually by 2024. Globally, CNP transactions have seen remarkable growth, particularly in emerging markets where mobile apps have democratized access to commerce. From $1.9 trillion in business-to-consumer sales in 2014—predominantly CNP—to an estimated $6.8 trillion by 2025, the sector's expansion reflects surging adoption in regions like and . In , for instance, app-based CNP volumes contributed to overall payment transactions doubling from INR 265 trillion in 2023 to projected INR 593 trillion by 2029, driven by widespread penetration and platforms like UPI-integrated wallets. By 2025, online transactions, a key CNP subset, accounted for about 63% of global merchant volume, underscoring the dominance of channels in modern card payments.

Risks and Vulnerabilities

Common Fraud Techniques

Card-not-present (CNP) fraud relies on the absence of physical verification, enabling criminals to exploit stolen or guessed details for unauthorized , mail-order, or transactions. Common techniques target the acquisition and validation of information without direct access to the physical . involves deceptive emails, websites, or messages that trick users into revealing numbers, expiration dates, and codes, often by mimicking legitimate retailers or banks. This method is particularly effective for CNP fraud as it allows remote collection of full details without physical interaction. skimming, an variant of traditional skimming, uses malicious code injected into sites or checkout pages to capture entered data in during legitimate transactions. Account takeover occurs when fraudsters steal login credentials—often through or keyloggers—to access a user's saved methods on sites or digital wallets, enabling unauthorized CNP purchases. This technique leverages existing verified card details stored online, bypassing initial . Friendly fraud, also known as first-party fraud, involves legitimate cardholders initiating or approving a transaction but later disputing it as unauthorized to obtain refunds, exploiting CNP's lack of immediate verification. This is prevalent in or services where consumers may claim non-receipt or dissatisfaction post-purchase. BIN attacks, or enumeration attacks, use the known Bank Identification Number (the first six to eight digits of a ) to systematically generate and test potential full card numbers via small CNP transactions on low-value merchants. Successful tests confirm valid cards for larger schemes. Card testing complements this by submitting micro-transactions to verify stolen card details without triggering alerts, often automated with bots to probe multiple combinations efficiently.

Economic and Operational Impacts

Card-not-present (CNP) fraud imposes substantial economic burdens on the global economy, with losses estimated at approximately $24 billion in 2023 (70-80% of total card fraud) and projected to reach $28.1 billion by 2026. According to the Nilson Report, total global card fraud losses reached $33.83 billion in 2023, with CNP representing the majority, and forecasts indicate cumulative losses of $404 billion over the next decade (2024-2033). Operationally, merchants bear significant costs associated with CNP fraud, including chargeback fees that can equate to 1-2% of total sales for high-risk businesses, encompassing not only direct but also administrative expenses and lost from disputed transactions. Additionally, processors often require merchants handling CNP transactions to maintain elevated reserves—typically 5-10% of monthly sales volume—to mitigate potential liabilities, tying up and increasing costs. These expenses strain merchant profitability, particularly for small and medium-sized enterprises reliant on online sales, where rates for CNP can range from 0.6% to 1%, far exceeding those for card-present transactions. The broader repercussions of CNP fraud extend to consumer behavior and market dynamics, eroding trust in digital payment systems and prompting merchants to offset losses by raising prices across their offerings. Studies indicate that fraud incidents diminish customer confidence, leading to reduced online purchasing and higher abandonment rates during checkout, which further hampers growth. Ultimately, these costs are often passed onto consumers through surcharges or inflated product prices, amplifying the economic ripple effects beyond direct victims of .

Fraud Prevention Measures

Authentication Technologies

Authentication technologies play a crucial role in verifying the of cardholders during card-not-present (CNP) transactions, where physical cards are not presented, thereby mitigating risks associated with remote payments. These methods enhance security by adding layers of beyond basic card details, ensuring that only authorized users can complete transactions. Key technologies include protocols that introduce additional steps, data substitution techniques for sensitive information, and advanced biometric integrations. EMV 3-D Secure (EMV 3DS) is a standardized developed to authenticate consumers in environments, specifically targeting CNP prevention. It operates across three s: the merchant (acquirer domain), the card (issuer domain), and the interoperability domain managed by networks like and . In practice, when a initiates an online purchase, the merchant's sends details to the via the ; the then assesses risk and may approve frictionless authentication for low-risk cases or challenge the user for high-risk ones. The protocol's challenge authentication step typically requires the cardholder to verify using a password, (OTP) sent via or app, or other methods like questions. For instance, Verified by (now Visa Secure) and Mastercard SecureCode implement as branded versions, where users are redirected to an issuer-hosted page to enter credentials, ensuring the transaction cannot proceed without successful verification. version 2.0 and later versions support numerous data points, including device and behavioral information, to enable more accurate risk-based decisions, reducing unnecessary challenges while maintaining . This has contributed to significant fraud reductions, with studies indicating lower rates for authenticated transactions. Tokenization serves as a foundational measure by replacing sensitive cardholder , such as the primary account number (), with unique, non-sensitive that have no intrinsic value outside the issuing system's . In CNP scenarios, when a processes a , the actual details are never stored or transmitted in full; instead, a token is used, which can only be detokenized by authorized parties to retrieve the original for authorization. This approach aligns with DSS requirements by limiting the scope of cardholder environments, thereby reducing compliance burdens and exposure to breaches. The PCI Security Standards Council outlines guidelines for tokenization products, emphasizing secure token generation, management, and lifecycle to prevent reverse-engineering or correlation attacks. Services like Visa Token Service exemplify this by provisioning domain-specific tokens for , mobile apps, or recurring payments, which enhances security without disrupting . Tokenization has proven effective in curbing CNP , with tokenized transactions showing approximately 30-40% lower rates compared to non-tokenized ones, according to network data. Biometrics and device binding integrate advanced verification into CNP transactions, particularly within mobile apps and browsers, by leveraging inherent user traits and hardware ties for authentication. Biometric methods, such as fingerprint scanning or facial recognition, provide inherence factors under standards like PSD2's Strong Customer Authentication (SCA), where the issuer prompts the user during high-risk 3DS challenges to confirm identity via device sensors. Behavioral biometrics, including typing patterns or swipe gestures, can operate passively in the background to analyze ongoing session legitimacy without user interruption. Device binding complements by cryptographically linking a specific to the payment credential, ensuring that occurs only on trusted . In 3DS, this is achieved through protocols like FIDO2, where binds the during , allowing subsequent authentications to verify both the user (via ) and the device itself. This reduces in app-based CNP payments by preventing credential use on unauthorized devices, with implementations showing improved authorization rates and user convenience.

Risk Assessment and Monitoring

Real-time scoring models powered by are essential for evaluating card-not-present (CNP) transactions during authorization, assigning risk scores based on patterns such as to flag potential instantly. As of 2025, emerging agentic technologies are further enhancing these models by autonomously adapting to new threats, contributing to projected global CNP losses of $28.1 billion by 2026. These models analyze factors like the frequency of from a single card or within a short timeframe, known as checks, to detect unusual spikes that may indicate testing by fraudsters or account takeovers. For instance, Visa's generative solution processes noisy in to identify attacks in CNP scenarios, improving detection accuracy without relying solely on historical patterns. Similarly, Mastercard's market-ready models, trained on global anonymized , provide robust scoring for issuers and merchants to approve legitimate payments while blocking high-risk ones. Machine learning techniques enhance in CNP transactions by identifying deviations from normal behavior, such as IP geolocation mismatches where the transaction origin does not align with the cardholder's known location. These models process vast datasets to spot inconsistencies, including sudden changes in addresses that suggest usage or cross-border fraud attempts. Device fingerprinting complements this by creating identifiers from attributes, operating details, and hardware signals, allowing systems to track repeat suspicious devices across sessions even if other identifiers change. Supervised and algorithms, as applied in detection studies, achieve high precision in flagging such anomalies by learning from labeled historical and adapting to emerging threats. Merchants utilize configurable tools to set risk that trigger manual reviews for high-risk CNP orders, balancing prevention with . scoring systems generate numerical outputs—often on a from 0 to 100—where scores above a predefined , such as 75, prompt to verify details like shipping addresses or contact the cardholder. These can be customized based on merchant risk tolerance, order value, or historical rates, with tools from providers like enabling automated flagging for orders exceeding velocity limits or showing geolocation discrepancies. By routing a small of transactions (often less than 15%) to manual review, merchants reduce false positives while addressing the majority of risks efficiently.

Regulatory Framework

Key Regulations and Standards

The Payment Card Industry Data Security Standard () is a globally recognized set of security standards established by the PCI Security Standards Council to protect cardholder data during storage, processing, and transmission, including in card-not-present (CNP) environments such as online and telephone transactions. The current version, PCI DSS v4.0.1 (June 2024), includes updated requirements effective March 31, 2025, such as enhanced and scripting controls. These standards are mandatory for all entities handling payment card information, including CNP processors, merchants, and service providers, requiring measures like , access controls, and regular vulnerability assessments to mitigate risks of data breaches. Non-compliance can result in fines, increased transaction fees, or loss of payment processing privileges imposed by card brands like and . In the , the Revised (PSD2), formally Directive (EU) 2015/2366 adopted in 2015 and entering into force in 2018, mandates (SCA) for most electronic payments, including CNP transactions, to enhance security and reduce fraud. SCA requires at least two factors of authentication—such as knowledge (e.g., password), (e.g., device), and (e.g., )—for payer-initiated CNP payments exceeding €30, with exemptions for low-value or low-risk transactions subject to regulatory approval. PSD2 also promotes by requiring payment service providers to share customer data securely via , indirectly supporting safer CNP ecosystems while ensuring consumer consent and data protection under GDPR. PSD2 is expected to be replaced by the proposed PSD3 directive, which aims to further enhance security and innovation, with negotiations ongoing as of 2025. In the United States, the Fair Credit Reporting Act (FCRA), enacted as part of the Consumer Credit Protection Act of 1970 and amended by the Fair and Accurate Credit Transactions Act of 2003, governs the use of consumer credit reports in CNP transactions and provides rights to dispute inaccurate information resulting from fraudulent activity. Under FCRA, consumers can request free credit reports and dispute erroneous entries, such as those from unauthorized CNP charges, obligating credit bureaus to investigate and correct inaccuracies within 30 days, which helps mitigate identity theft impacts in remote payment scenarios. Complementing this, the Electronic Fund Transfer Act (EFTA) of 1978, implemented via Regulation E, establishes consumer protections for electronic fund transfers, including debit card CNP transactions, by limiting liability for unauthorized transfers to $50 if reported within 60 days of the statement and requiring financial institutions to investigate and provide provisional credit within 10 business days, with full resolution within 45 calendar days. These U.S. laws ensure timely resolution of CNP-related errors, with consumers protected from full liability for fraudulent electronic transfers reported within 60 days.

Liability and Dispute Resolution

In card-not-present (CNP) transactions, card issuers bear primary liability for unauthorized under zero-liability policies adopted by major networks such as and . These policies protect cardholders from financial responsibility for fraudulent charges made without their knowledge or consent, requiring issuers to reimburse affected accounts promptly, often within five business days. For example, 's Zero Liability Policy explicitly covers unauthorized CNP payments, ensuring no cardholder liability as long as they have not been grossly negligent in safeguarding their card details. Similarly, 's policy extends this protection to debit and cards used in CNP scenarios, with issuers absorbing the loss unless the cardholder contributed to the fraud through negligence. The chargeback process serves as the primary mechanism for resolving CNP disputes, allowing cardholders to contest transactions directly with their issuer. Upon filing a dispute—typically for reasons like unauthorized use or non-delivery—the issuer reviews the claim and, if valid, reverses the transaction by debiting the merchant's account through the acquirer, effectively returning funds to the cardholder. Cardholders generally have 60 to 120 days from the transaction date or problem discovery to initiate a chargeback, with Visa and Mastercard standardizing at 120 days for most fraud-related CNP cases, though extensions up to 540 days apply in specific fraud scenarios. Merchants receive notification from their acquirer and must respond within 20 to 45 days, depending on the network, or risk automatic loss of the dispute. Merchants can mitigate liability in CNP disputes by providing compelling evidence to their acquirer during the representment phase, potentially reversing the chargeback and shifting responsibility back to the . Key protections include documentation of (AVS) matches, where a full "Y" response (exact billing address alignment) combined with to the verified address strengthens the merchant's case against fraud claims. (CVV) confirmations and logs matching the cardholder's location also serve as critical evidence, as outlined in Visa's dispute guidelines, helping merchants avoid liability when authentication tools were properly employed. Failure to submit such evidence within the response window typically results in the merchant absorbing the loss.

References

  1. [1]
    Card-Not-Present Fraud Rates in the United States After the ...
    May 21, 2025 · I define the card-not-present fraud rate as the value of card-not-present fraud divided by the value of card-not-present transactions ( ...
  2. [2]
    Card-present vs. card-not-present transactions - Stripe
    Feb 25, 2025 · Increased risk of fraud. Since the cardholder is not present during the transaction, it's more difficult for the business to verify the ...
  3. [3]
    A Deep Dive into Tokenized Transactions | Visa
    Card not Present (CNP) is when the card number is inputted by a means other than F2F. ... Visa credit and debit global card-not-present transactions for tokenized ...<|control11|><|separator|>
  4. [4]
    [PDF] US Payments Security Evolution and Strategic Road Map | Mastercard
    Dec 11, 2014 · Card-not-present transaction—A transaction that does not require a physical card to be present at the time of purchase, such as for ...
  5. [5]
    [PDF] First Data Merchant Services LLC: Stipulated Order for Permanent ...
    May 20, 2020 · C. "Card-Not-Present Transaction" means a debit or credit card transaction whereby the. Person's debit or credit card is not physically swiped ...
  6. [6]
    [PDF] Glossary of Payment and Information Security Terms
    ... card and is used as an additional check to ensure that the card is in possession of the legitimate cardholder, typically during a card-not-present transaction.
  7. [7]
    [PDF] Transaction Processing Rules | Mastercard
    Jun 10, 2025 · Card-Not-Present Transaction Declines ... definition file (IDF) input documents no later than five business days prior to the requested.
  8. [8]
    [PDF] Authorization and Reversal Processing Requirements for Merchants
    Important: The first estimated authorization determines the final transaction characteristics (i.e., whether a transaction took place in a card-present or a ...
  9. [9]
    [PDF] PCI DSS Applicability in an EMV Environment
    Oct 5, 2010 · globally adopted robust authentication process for card-not-present (CNP) transactions, the need to keep the PAN and other sensitive ...
  10. [10]
    Glossary - PCI Security Standards Council
    Methods used by merchants to accept payments from customers. Common payment channels include card present (in person) and card not present (e-commerce and MO/TO) ...
  11. [11]
    [PDF] PCI Data Storage Do's and Don'ts
    Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present ...
  12. [12]
    Card-not-present (CNP) transactions explained - Stripe
    Jan 22, 2025 · A card-not-present (CNP) transaction is a purchase made remotely, without processing a physical card via a card reader or terminal (and without ...
  13. [13]
    Card-Not-Present Transactions: Risks and Best Practices - Rapyd
    Apr 22, 2025 · This article breaks down why these transactions carry higher risk, what types of fraud to watch for and how you can protect your business with the right tools ...
  14. [14]
    [PDF] Visa USA Interchange Reimbursement Fees
    Oct 18, 2025 · Card Not Present Incentives require CPS qualification and are subject to change. EMV Token transactions qualify for Card Not Present Incentive ...
  15. [15]
    Card-Not-Present Transactions - Cybersource Developer Center
    Typical card-not-present transactions are internet and phone transactions. Card-not-present transactions pose an additional level of risk to your business ...
  16. [16]
    Chip-and-PIN vs. Chip-and-Signature Cards: Secure Credit Card ...
    The use of an EMV chip, which creates a unique transaction code for each purchase, greatly reduces the risk of skimming and card counterfeiting compared to the ...
  17. [17]
    What are EMV chip cards? How EMV works - Stripe
    Feb 2, 2023 · To allow the purchase to proceed, the customer must provide either their PIN or their signature, depending on whether the card is a chip-and-PIN ...
  18. [18]
    EMV Chip Cards: What You Need To Know About PIN Or Signature
    Chip and PIN cards use a PIN for authorization, while chip and signature cards use a signature matched to the card or on file.
  19. [19]
    Card-Present vs Card-Not-Present in Payments - Clearly Payments
    May 19, 2023 · Card-not-present transactions occur when the payment card is not physically presented during the transaction. Instead, the cardholder's payment ...<|separator|>
  20. [20]
    Card Present Vs. Card Not Present - National Processing
    Dec 2, 2024 · Card-present transactions generally have lower interchange fees compared to card-not-present purchases, due to their lower risk of fraud.Missing: comparison | Show results with:comparison
  21. [21]
    What Are Transaction Fees? Small Business Examples & Tips
    Jul 23, 2025 · Card-present transactions (in-store swipes or chip insertions) typically cost 0.5-1% less than card-not-present transactions (online, phone, or ...<|control11|><|separator|>
  22. [22]
    Interchange fees: what they are and how they work - Adyen
    Nov 2, 2023 · For card-not-present transactions, the fee caps are 1.15% for debit transactions and 1.50% for credit transactions. Guides and reportsUnderstand ...
  23. [23]
    Understanding card-present and card-not-present transactions
    Aug 29, 2024 · Because card-present transactions are more secure, payment processors usually charge less in credit card processing fees, leaving more of your ...
  24. [24]
    What is tokenization? A primer on card tokenization - Mastercard
    Mar 19, 2024 · Tokenization is when the number on your payment card is replaced with a ”stand-in” number that is saved in your phone or watch or the ...
  25. [25]
    What are MOTO payments? - Stripe
    Dec 21, 2023 · MOTO payments happen when a business processes credit or debit card transactions without the physical presence of the card. This is how the ...<|control11|><|separator|>
  26. [26]
    Mail Order Telephone Order Moto | Payments Glossary - Nexio
    These transactions are classified as card-not-present (CNP) because the merchant does not physically handle the customer's card. Key Features of MOTO Payments.Missing: history | Show results with:history
  27. [27]
    MOTO Fraud and Chargebacks: Risks and Prevention Strategies
    MOTO transactions have existed in the US since the 19th century. Way back in 1845, Tiffany's Blue Book offered a service that mimicked MOTO. In 1872, Aaron ...
  28. [28]
    What is a MOTO Payment? Everything You Need to Know
    Oct 30, 2025 · MOTO (Mail Order / Telephone Order) payments are still widely used in the UK, with over 500 million transactions annually. They are ...
  29. [29]
    https://payguard.co/what-is-a-moto-payment-everything-you-need-to-know/
  30. [30]
    What is MOTO in Payment Processing? - Credit Card Processing ...
    Aug 7, 2023 · Because the merchant manually enters the customer's credit card information, there is a higher risk of human error, such as entering the wrong ...
  31. [31]
    MOTO Credit Card Risks & Security Tips
    Sep 19, 2025 · Manual Entry Errors. Human error is a common occurrence in MOTO setups. Incorrect card numbers, expiration dates, or typos in billing ...
  32. [32]
    [PDF] Transaction Processing Rules | Mastercard
    Jun 10, 2025 · The Transaction Processing Rules (TPR) manual includes an overview, applicability, and a chapter on connecting to the interchange system and ...
  33. [33]
    [PDF] Visa Core Rules and Visa Product and Service Rules
    Apr 12, 2025 · The Visa Core Rules and Visa Product and Service Rules govern financial institution clients in the Visa system, covering governance, local  ...
  34. [34]
    Can card verification codes be stored for card-on-file or recurring ...
    No. It is not permitted to retain card verification codes once the specific purchase or transaction for which it was collected has been authorized.Missing: rules | Show results with:rules
  35. [35]
    Buy Now, Pay Later (BNPL): What It Is, How It Works, Pros and Cons
    Buy Now, Pay Later (BNPL) is a type of short-term loan that lets shoppers pay for products in small installments spread over a set period of time.
  36. [36]
    1960s: Reaching out to Industry to Level Mountains of Mail
    ### Summary of Credit Cards and Mail Order in the 1960s
  37. [37]
    Electronic Point-of-Sale Payments | Federal Reserve History
    Sep 25, 2024 · Several debit card pilot experiments occurred in the 1960s and 1970s but did not result in much adoption. Debit card payments began to ...Missing: mail- catalogs
  38. [38]
    [PDF] VisaNet - The technology behind Visa
    In the early 1970s, Visa created one of the world's first electronic credit card authorization systems. Since then, Visa has been continually improving ...Missing: 1976 remote
  39. [39]
    United States v. Maze | 414 U.S. 395 (1974)
    It was also estimated that, in 1969, 1.5 million cards were lost or stolen, and that losses due to fraud had risen from $20 million in 1966 to $100 million in ...
  40. [40]
    History of eCommerce: birth and evolution of the selling method that ...
    Dec 9, 2024 · The 1990s were a crucial period for electronic commerce, characterized by rapid growth and numerous launches. In 1994, the first secure online ...
  41. [41]
    History of e-commerce: The World Wide Web and e-commerce boom
    Dec 21, 2023 · The 1990s brought forth the internet as we know it today, and along with it, long-standing e-commerce platforms like eBay and Amazon.Missing: present | Show results with:present
  42. [42]
    Apple celebrates 10 years of Apple Pay
    Oct 17, 2024 · Apple's Jennifer Bailey reflects on the ways Apple Pay enriches users' lives, and shares new ways to pay with Apple Pay.
  43. [43]
    Apple Pay's 10-Year Journey and Its Next Decade of Decisions
    Oct 22, 2024 · From 2022 to 2024, the share of consumers who use mobile wallets for in-store transactions rose 33%, indicating mobile wallet use in-store is ...
  44. [44]
    [PDF] Global B2C E-commerce Report 2015 - Ecommerce Europe
    Online retail has been booming over the last few years. At $1.9 trillion, global B2C e-commerce sales of goods and services nearly doubled in 2014 in comparison ...
  45. [45]
    51 ECommerce Statistics In 2025 (Global And U.S. Data)
    Jun 19, 2025 · Ecommerce sales will surpass $6.8 trillion in 2025. There are over 28 million eCommerce stores globally. 52% of online shoppers look for ...
  46. [46]
    [PDF] The Indian payments handbook – 2024 – 2029 - PwC India
    In terms of value of payment transactions, the market is expected to grow double, from INR 265 trillion to INR 593 trillion over the same period. During FY 2023 ...
  47. [47]
    The Ultimate Chargeback Statistics 2025: Trends, Costs, and Solutions
    Jun 24, 2025 · Global card-not-present (CNP) fraud losses are estimated to reach $28.1 billion by 2026, a 40% increase from 2023. Consumers disputed up to 105 ...
  48. [48]
    Fraud against payment systems | Europol - European Union
    Card-not-present fraud involves the unauthorised use of credit or debit data (the card number, billing address, security code and expiry date) to purchase ...Missing: techniques | Show results with:techniques
  49. [49]
    [PDF] Advancing fraud protection with global network intelligence
    There are many ways a fraudster can gain access to payment card credentials. These include card skimming, phishing, blunt-based bot attacks and account ...
  50. [50]
    How card testing and digital skimming are evolving - Mastercard
    Oct 8, 2025 · With digital skimming, crooks insert some malicious code into vulnerable areas like online checkouts and come away with all the data they need ...Missing: phishing present
  51. [51]
    Payment card fraud - Interpol
    Card-Present and Card-Not-Present fraud​​ In addition to actual card theft, criminals use various methods to capture data including card skimming at ATMs or ...
  52. [52]
    What every merchant needs to know about friendly fraud
    Jun 16, 2022 · What every merchant needs to know about friendly fraud. As card-not-present transactions rise, Visa is addressing the impacts of first party ...
  53. [53]
    [PDF] 8 Steps to Efficient Transaction Fraud Monitoring | Mastercard
    Card-not-present fraud occurs when a fraudster uses a person's card information, instead of the physical credit card, to make an unauthorised transaction online ...
  54. [54]
    What is a BIN Attack? - Experian Insights
    the first six to eight digits of a credit or debit ...
  55. [55]
    [PDF] Visa Guidance to Guard Against Enumeration Attacks and Account ...
    Aug 12, 2021 · Overview: Visa is reminding clients to maintain adequate controls to swiftly detect and block enumeration attacks and account testing schemes.<|control11|><|separator|>
  56. [56]
    Card Fraud Losses Worldwide in 2023 - Nilson Report
    Card fraud losses worldwide in 2023 were $33.83 billion, with a rate of 6.58¢ per $100 in total volume. US losses were $14.32 billion.Missing: CNP | Show results with:CNP
  57. [57]
    Card-Not-Present Fraud Remains a Leading Concern as Payment ...
    Aug 5, 2024 · Card payment fraud is driven substantially by CNP fraud. By 2030, CNP fraud is projected to reach an unbelievable $49 billion globally.
  58. [58]
    The 2025 Playbook for Preventing Card-Not-Present Fraud
    Jan 2, 2025 · The number of CNP crimes has been rising over the years. Nilson also reported that CNP fraud accounted for almost 7 in 10 fraud losses to ...<|control11|><|separator|>
  59. [59]
    23+ Chargeback Statistics Every Merchant Should Know for 2025
    Feb 25, 2025 · A 2018 study suggests that sellers lose 1.8% of their total revenue from fraud. And Shopify suggests that chargebacks cost merchants 0.47% of ...
  60. [60]
    Understanding Merchant Account Reserves for 2025 - PaymentCloud
    Jul 7, 2025 · On average, most banks require a reserve of 5-10% of the merchant's expected monthly sales volume. What Merchants Are Required to Have a Reserve ...
  61. [61]
    What is card-not-present fraud? What businesses need to know
    Mar 14, 2024 · Card-not-present (CNP) fraud is credit card fraud in which the physical card isn't needed to complete a transaction.Missing: takeover friendly BIN
  62. [62]
    Fighting Friendly Fraud & Chargeback Fraud in Financial… | Alloy
    Apr 9, 2025 · Ultimately, the collective cost of chargeback fraud gets passed on to all consumers through higher prices for goods and services.Missing: pass | Show results with:pass
  63. [63]
    Average Credit Card Processing Fees and Costs in 2025
    Sep 25, 2025 · Fee variability: Credit card processing fees range from 1.10% to 3.15% per transaction, influenced by card type, merchant category, and payment ...
  64. [64]
    EMV® 3-D Secure - EMVCo
    EMV 3-D Secure (EMV 3DS) is an e-commerce fraud prevention protocol that helps authenticate consumers and prevent card-not-present fraud.
  65. [65]
    3D Secure Authentication: The Complete Guide - ACI Worldwide
    The merchant's payments gateway automatically sends transaction details and a 3D Secure verification request to the cardholder's issuing bank. The issuer ...How Do 3ds And 3ds 2.0... · Other Sca Exemptions That... · What Else Should You Know...
  66. [66]
    Visa Secure EMV 3-D Secure for Merchants | Visa
    Visa Secure is our EMV 3-D Secure program that makes authentication simple, reduces customer friction and helps prevent card-not-present fraud.
  67. [67]
    [PDF] Information Supplement • PCI DSS Tokenization Guidelines
    The purpose of this Information Supplement is to provide guidance for payment industry stakeholders when developing, evaluating, or implementing a tokenization ...
  68. [68]
    Tokenization offers more seamless and secure payments | Visa
    Tokenization helps secure digital payments by turning sensitive payment details into unique values called tokens, which can potentially reduce fraud risk.
  69. [69]
    [PDF] Tokenization Product Security Guidelines –
    With a rising demand for tokenization products, the PCI Security Standards Council (PCI SSC) believes it is imperative to build, test, and deploy products ...
  70. [70]
    Visa Token Service
    By substituting Visa card numbers with tokens, VTS enables richer, more secure digital payment experiences for millions of customers every day.Value-Added Services · Wallets And Wearables · Tools And Resources
  71. [71]
    How EMVCo, FIDO, and W3C Technologies Relate
    Dec 13, 2022 · EMV® 3-D Secure enables issuing banks to assess an eCommerce payment transaction and authenticate the cardholder if required. The protocol ...<|control11|><|separator|>
  72. [72]
    EMVCo and FIDO Alliance Provide Essential Guidance on Use of ...
    Feb 26, 2024 · The FIDO Alliance and EMVCo collaborate to provide guidance on how FIDO authentication can be incorporated in payment use-cases.
  73. [73]
    What is New with EMV® 3DS v2.3? - EMVCo
    Nov 12, 2021 · EMVCo has updated the EMV 3-D Secure (EMV 3DS) Specifications to support more secure and convenient e-commerce authentication.
  74. [74]
    Visa Announces Generative AI-Powered Fraud Solution to Combat ...
    May 7, 2024 · Visa's approach uses noisy data to train the highly accurate real time AI model. By evaluating each CNP transaction against enumeration patterns ...
  75. [75]
    What is a velocity check in payments? What businesses should know
    Aug 30, 2024 · Velocity checks are a fraud prevention method used in payment processing. They work by monitoring the frequency and pattern of transactions ...
  76. [76]
    [PDF] The power of today's market‐ready AI to reduce transaction fraud
    Market‑ready AI models built for transaction fraud and trained on global anonymized and aggregated data are more robust and experienced than any legacy AI ...
  77. [77]
    [PDF] Card-Not-Present (CNP) Fraud Mitigation Techniques
    The white paper is intended for payments industry stakeholders who need to understand and make business decisions about implementing technologies that are ...
  78. [78]
    Fraud Detection Machine Learning: a “Smart” Move for Retail
    Jul 7, 2025 · Machine learning-based fraud detection analyzes data points including transaction details, behavioral indicators, device and network information ...
  79. [79]
    Card Not Present Fraud: Prevention & Detection Strategies - FOCAL
    Aug 21, 2025 · Learn about the risks of Card Not Present fraud. Explore its types, mechanisms, and 9 detection and prevention strategies for secure online ...
  80. [80]
    An intelligent payment card fraud detection system - PubMed Central
    Jun 8, 2021 · In this paper, we apply a total of 13 statistical and machine learning models for payment card fraud detection using both publicly available and real ...
  81. [81]
    E-Commerce Fraud Prevention: Best Practices for Using Fraud Scores
    Feb 28, 2019 · If a merchant manually reviews every order, fraud scores are essential for guiding their team throughout the review and decision process.
  82. [82]
    [PDF] Fraud Scoring | U.S. Payments Forum
    Fraud scoring is used by merchants, issuers, and/or their processors to assess the level of risk in taking a. CNP order. A fraud score indicates whether an ...Missing: thresholds | Show results with:thresholds
  83. [83]
    [PDF] Webinar: Preventing Card-Not-Present Fraud - Visa
    Dec 8, 2016 · Studies show that merchants who include CVV2 validation in their authorization procedures for card-absent transactions can reduce their fraud- ...
  84. [84]
    How to protect your business from CNP fraud in 2023 - Trulioo
    Oct 20, 2022 · Many merchants are adopting measures to detect and prevent CNP fraud to protect their business and bottom line. When a payment becomes a charge- ...Missing: prices | Show results with:prices<|control11|><|separator|>
  85. [85]
    Fair Credit Reporting Act - Federal Trade Commission
    The Act (Title VI of the Consumer Credit Protection Act) protects information collected by consumer reporting agencies such as credit bureaus, medical ...
  86. [86]
    [PDF] A Summary of Your Rights Under the Fair Credit Reporting Act
    Inaccurate, incomplete, or unverifiable information must be removed or corrected, usually within 30 days. However, a consumer reporting agency may continue to ...
  87. [87]
    Electronic Fund Transfers FAQs
    An unauthorized EFT is an EFT from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer.
  88. [88]
    Zero Liability - Visa
    With Visa's Zero Liability Policy, you won't be held responsible for unauthorized transactions made with your Visa card.
  89. [89]
    Mastercard Zero Liability Protection for Unauthorized Transactions
    Mastercard's Zero Liability policy ensures that you won't be held responsible for any fraudulent or unauthorized transactions made with your credit or debit
  90. [90]
    Visa Chargeback Time Limits: The 2025 Guide
    Oct 21, 2024 · Cardholders have 120 days to file a dispute. Merchants must respond within 30 days of day one for each phase of the process.
  91. [91]
    A Merchant's Guide to Chargeback Time Limits
    Feb 19, 2024 · Cardholders have 120 days to file a chargeback for issues related to: Fraud; Late presentment; An incorrect transaction code, currency, account ...
  92. [92]
    MasterCard Chargeback Guide: Rules and Time Limits - Justt
    30 days to pursue arbitration but not more than 75 days after the second presentment. Note: with VISA, both parties have ten days to pursue arbitration. Their ...
  93. [93]
    [PDF] Dispute Management Guidelines for Visa Merchants June 2024
    The purpose of this guide is to provide merchants and their back- office sales staff with accurate, up-to-date information to help merchants minimizing the risk ...Missing: CNP | Show results with:CNP
  94. [94]
    Visa Chargeback Dispute: Everything You Need to Know in 2025
    Aug 25, 2025 · Cardholder: 120 days from the transaction date to file most disputes (exceptions exist, e.g., up to 540 days for certain fraud cases). Merchants ...