CNP Transactions: Performing Secure Card Transactions

By Hubert Hell

How you, as a merchant, can prevent fraud in card not present transactions (CNP Transactions) conducted via the Internet or (mobile) phone.

With CNP – or “card not present” – transactions, the seller neither comes face-to-face with the customer nor physically handles the credit or debit card. This is the case, of course, anytime a payment transaction doesn’t take place onsite at your shop.

CNP transactions encompass all online purchases in online shops as well as online bookings paid for with a credit or debit card. This includes payments made over the telephone (yes that still exists for teleshopping or booking a trip, for instance), e-mail, fax and postal orders from a catalog.

Credit cards are the preferred means of purchase here since they make possible fast and uncomplicated payments anywhere in the world.

The advantages are readily apparent: As a merchant, credit cards enable you to reach significantly more (international) customers at comparatively low cost. Customers stand to benefit from a vast array of products and the convenience of being able to make purchases anywhere at any time.

CNP transactions related risks

CNP transactions, however, involve greater risk than onsite payments, where you can easily verify the identity of the buyer and thus prevent a fraudulent purchase.  This is more difficult – though not impossible – with card-not-present payments.

This article will walk you through best practices as a merchant to maximize security for CNP transactions, to help you detect scams, and to minimize fraud.

For more information on the topic of card payments: The article Online Skimming offers additional advice on how to boost security for online payments with credit and debit cards. For general tips on protecting card data, read this article.

PCI DSS certification for card payments

As a merchant who accepts credit card payments, it is your responsibility to provide a secure payment environment for your customers and their data.

With Visa, MasterCard and other schemes, as soon as you accept credit cards you, as a merchant, must be PCI DSS certified to prove that you have taken precautions to avoid fraud involving credit card data.

If you are not PCI DSS certified and a case of damage occurs (credit card data fraud), the consequences can be prohibitively expensive for you.

This article doesn’t cover the expansive topic of PCI DSS; it merely deals with the sub-area of CNP transactions. So let’s get started.

Is all the necessary data and information known?

With CNP transactions, it is neither possible to directly verify the identity of the person ordering, nor whether this individual is actually in possession of the card. The first thing you need to do, thus, is make sure that certain information about the card and the cardholder is known.

If information is either missing or inconsistent, it is advisable to abort the transaction. This step already reduces the risk of fraud considerably.

The relevant data you need to know is as follows:

  • Credit card number
  • Expiry date of the card
  • Name of cardholder (same as buyer’s?)
  • Billing address of the cardholder
  • In case physical items are to be sent: Shipping address (identical to billing address?)
  • Credit card verification code (CVV, CVC, CID) *
  • Cardholder contact information (e-mail address and/or phone number)
  • Time and date of the order
  • For telephone orders: Details of the conversation, preferably as a recording (incl. prior consent to recording)
  • For written orders: Manual signature on order form

* This is a code found on the back of all the standard credit cards (3 or 4 digits depending on the credit card company).

To be on the safe side, always store this information, along with the shipping confirmation, in a secure environment.

Credit card authorization

Credit card authorization (aka “credit card authorization hold” or “pre-authorization”) is triggered during online ordering. An automated request is submitted to the card-issuing credit institution. If the inquiry is successful, the card-issuing institution confirms that the card is

  • active,
  • currently not expired,
  • has not been reported as lost or stolen, and
  • the card’s limit or balance is sufficient to cover the value of the goods at the time of ordering.

Whether a merchant is obligated to put an authorization hold on a credit card depends on two factors:

1. Transaction type: Certain types of transaction always require credit card authorization; these include e-commerce and recurring payments for subscriptions (the latter usually require pre-authorization only before the first payment; recurrent payments are not held up).

2. Floor limit: This refers to the maximum amount up to which no pre-authorization is required. Once the floor limit is exceeded, credit card authorization becomes mandatory. The floor limit varies by industry and is defined either individually for each merchant or by the credit card company involved, as the case may be.

Regardless of the floor limit, it is advisable to always perform a credit card authorization for CNP transactions, even where this is not mandatory. This protects you as a merchant in cases of doubt. Indeed, a missing authorization carries the risk of not getting paid in the end.

For this very reason, you should ensure that transactions are automatically aborted in the event of rejected or failed credit card authorization requests.

Getting to the root of a failed authorization is recommended as it may be to your benefit. Contact the cardholder. Perhaps a wrong number was entered by mistake. Perhaps the cardholder’s data was stolen and someone is trying to make a fraudulent purchase at the cardholder’s expense.

Authentication & verification of the cardholder’s identity

The objective here is to verify the identity of the buyer and whether the buyer is the same person as the cardholder and in possession of the card. The following procedures are used:

  • Card number plus the three- or four-digit card verification number (see above)
  • an Address Verification Service (AVS)
  • Strong Customer Authentication (SCA), which was introduced as part of PSD2 and has been mandatory since early 2021.

Card number plus card verification code

This method has been in use for years, so you are undoubtedly familiar with it. In addition to your card’s number and expiration date, you also have to provide a code that is imprinted on the front or back of your card.

Known as CVV, CVC or CID, depending on the scheme, this short numeric code is not encoded on the magnetic strip or chip but simply flat-printed on the card.

Address Verification Service

The Address Verification Service compares the billing address with the address that the cardholder has registered with the card issuer. Any mismatches are flagged for verification and must be confirmed.

It is up to the merchant to decide what degree of address matching will be required before accepting the credit card transaction.

Currently this service is offered by major credit card processors for only a few countries. In Europe this applies to the UK only at the moment.

Strong Customer Authentication (SCA)

Strong customer authentication has been mandatory since early 2021 (phased in at first, and in full from Q2/2021). Two of three forms of verification must be fulfilled:

  • Knowledge (for example, passwords, PINs, security questions, etc.)
  • Possession (for example, card, smartphone or confirmed app, wearables, etc.)
  • Inherence (for example, fingerprint scan, iris scan, facial recognition, etc.).

In other words:

  • Something I know
  • Something I have
  • Something I am.

Don’t make the mistake of underestimating the importance of proper authentication and verification to safeguard transaction processes. Fraud can be reduced by up to 60% with SCA in place, since this facilitates fraud detection before a transaction can even be made.

Risk management: Spotting potentially suspicious orders

Minimize your risks by being aware of them. Let this mindset guide you with regard to non-face-to-face transactions.

If you bear in mind the previous points made, you will already have significantly reduced the risk of being defrauded.

Lower your risk of non-payment or fraud even further by paying attention to additional risk factors.

But keep in mind that a suspicious activity doesn’t automatically point to a fraud attempt. The transaction in question may still be legitimate. When, however, several risk factors converge, the likelihood of fraud is increased.

In this case, what you need to do is implement safeguards before you confirm – or ship – any goods.

When it comes to customers, please be vigilant of the following scenarios:

  • New customers versus existing customers: The risk of fraud is potentially higher with new customers.
  • A customer is urgently looking for the fastest possible delivery.
  • A customer places an above-average number of orders in a short space of time, always – or frequently – using different card data; and/or orders are to be shipped to different shipping addresses.
  • A customer provides incomplete or incorrect data and/or is reluctant to disclose necessary data.

With regard to the type and volume of the order, please be vigilant of the following situations:

  • the value of goods is significantly above average
  • an article / product is ordered in a high and unusual quantity
  • the shipping address is different from the billing address or the address of the cardholder
  • different shipping addresses in different countries are registered for the customer within a short period of time
  • the shipping address is in a different country than where the card was issued
  • shipping addresses with increased risk of fraud include P.O. boxes, packing stations and warehouses.

Now you know what types of orders and transactions you should or could classify as suspicious. But how can you follow up on this in practice?

Checking each and every transaction by hand would be way too time-consuming, especially if you experience high throughput.

Use automated processes and screening tools

Implement a screening tool

This tool automatically monitors your transactions in the background and spots potentially malicious and fraudulent activities. This automated assistance is essential if you handle a high volume of transactions.

Set maximum totals per order and customer

The sum can take its cue from the products you sell and from average purchase totals. You can, for example, set two thresholds at which you will be alerted:

  • Threshold 1 as a warning only; the transaction will nonetheless be processed.
  • Threshold 2 as a “hard stop”; the transaction will be refused.
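The risk factors listed above and the two order-total thresholds can be combined into one screening rule. The following is an added example, not part of the original article or any particular screening product; the field names, the limit values and the rule that two converging factors trigger a manual review are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed limits; derive real ones from your products and average order totals.
WARN_TOTAL = 500.00     # threshold 1: warning only, the order is still processed
STOP_TOTAL = 2000.00    # threshold 2: hard stop, the order is refused
REVIEW_AT = 2           # assumption: two converging risk factors trigger manual review
RISKY_ADDRESS_TYPES = {"po_box", "packing_station", "warehouse"}

@dataclass
class Order:
    total: float
    new_customer: bool
    express_delivery: bool
    cards_used_recently: int       # distinct cards this customer used in a short period
    shipping_matches_billing: bool
    shipping_country: str
    card_issuing_country: str
    shipping_address_type: str     # e.g. "residential", "po_box"

def risk_factors(o: Order) -> list[str]:
    """Return the risk factors from the article's lists that apply to this order."""
    checks = [
        (o.new_customer, "new customer"),
        (o.express_delivery, "fastest possible delivery requested"),
        (o.cards_used_recently > 1, "different card data used in a short time"),
        (not o.shipping_matches_billing, "shipping address differs from billing address"),
        (o.shipping_country != o.card_issuing_country,
         "shipping country differs from card-issuing country"),
        (o.shipping_address_type in RISKY_ADDRESS_TYPES, "high-risk shipping address type"),
        (o.total >= WARN_TOTAL, "order total above warning threshold"),
    ]
    return [label for hit, label in checks if hit]

def screen(o: Order) -> tuple[str, list[str]]:
    """Return ('refuse' | 'review' | 'accept', reasons) for one order."""
    factors = risk_factors(o)
    if o.total >= STOP_TOTAL:
        return "refuse", factors + ["order total above hard-stop threshold"]
    if len(factors) >= REVIEW_AT:
        return "review", factors
    return "accept", factors   # a lone factor is logged as a warning only
```

An order that only crosses threshold 1 is accepted with the warning recorded in its reasons; the same order from a new customer shipping to a P.O. box is held for review before anything is confirmed or shipped.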

Send a separate order confirmation to the billing address

This might not seem to make sense considering the speed that customers have come to expect in the age of online shopping.

Nevertheless, since CNP transactions may include booking a trip over the phone, sending a separate confirmation to the billing address can be a good way to prevent fraud.

Keep a record of all current customers, including any orders they have placed

Similar to tracking the order total amounts, you can use your merchandise management system to ascertain whether customers have significantly changed their order placement behavior compared to before. Changes don’t necessarily indicate fraud – but they can.

Document your customers’ shipping addresses

A customer shows five different shipping addresses? Perhaps even in several different countries? And these shipping addresses keep changing?

This is a clear red flag and you should contact the customer.

Keep a record of chargebacks and watch for inconsistencies with shipping addresses

So, six orders were returned out of a total of seven? Perhaps the parcels came back labeled “recipient unknown”? Problems tend to be recurring so be careful.
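Both record-keeping checks above (changing shipping addresses, and returns or chargebacks per customer) can be run over the order history. This is an added example, not part of the original article; the record layout and the thresholds are assumptions, with the article's "five addresses" and "six of seven" used as constructed sample data.

```python
from __future__ import annotations
from collections import defaultdict

# Assumed review thresholds; the article's figures are illustrations, not fixed limits.
MAX_ADDRESSES = 5
MAX_RETURN_RATIO = 0.5
MIN_ORDERS_FOR_RATIO = 3   # do not flag a customer because of one returned parcel

def flag_customers(history: list[dict]) -> dict[str, list[str]]:
    """Map customer id -> reasons to contact the customer before shipping again."""
    addresses, countries = defaultdict(set), defaultdict(set)
    orders, returned = defaultdict(int), defaultdict(int)
    for rec in history:
        cid = rec["customer"]
        addresses[cid].add(rec["ship_to"].strip().lower())
        countries[cid].add(rec["country"])
        orders[cid] += 1
        if rec["outcome"] in ("returned", "chargeback"):
            returned[cid] += 1

    flags: dict[str, list[str]] = {}
    for cid in orders:
        reasons = []
        if len(addresses[cid]) >= MAX_ADDRESSES:
            reasons.append(f"{len(addresses[cid])} shipping addresses "
                           f"in {len(countries[cid])} countries")
        if (orders[cid] >= MIN_ORDERS_FOR_RATIO
                and returned[cid] / orders[cid] > MAX_RETURN_RATIO):
            reasons.append(f"{returned[cid]} of {orders[cid]} orders "
                           "returned or charged back")
        if reasons:
            flags[cid] = reasons
    return flags

# Constructed sample history: c1 keeps changing addresses, c2 has six of seven
# parcels returned, c3 is an ordinary repeat customer.
SAMPLE = (
    [{"customer": "c1", "ship_to": f"Street {i}", "country": c, "outcome": "delivered"}
     for i, c in enumerate(["DE", "FR", "PL", "DE", "IT"])]
    + [{"customer": "c2", "ship_to": "Main St 1", "country": "AT", "outcome": "returned"}] * 6
    + [{"customer": "c2", "ship_to": "Main St 1", "country": "AT", "outcome": "delivered"}]
    + [{"customer": "c3", "ship_to": "Ring 9", "country": "DE", "outcome": "delivered"}] * 4
)
```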

Choose a reputable parcel service to ship your goods

Even if this incurs additional costs, be sure to choose a reliable and proven shipping service provider who offers insurance and tracking, especially for high-priced products.

Dealing with suspicious transaction attempts and conflict prevention

Abort the transaction if

  • credit card authorization, verification or authentication fails
  • you are uncertain that everything is above board based on any of the above-mentioned verification criteria.

Since you may still be dealing with a legitimate order, you should contact the customer by e-mail or phone. Request additional information to verify their identity:

  • for example, which bank issued the card
  • personal data such as name, address, phone number, etc.

Hopefully this information can help you spot someone who is trying to misuse card data.

Exercise vigilance for CNP transactions – how you benefit

Successfully detected and thwarted fraud attempts benefit you and your company by combating chargeback fraud.

As a merchant, you hold the full burden of proof. If you can’t successfully dispute a chargeback you bear the associated fees (for example, 25 Euro per chargeback), the payment is charged back to you and you may incur additional losses from goods that have already been shipped.

To put it drastically: The goods are gone, no money was received plus you face a penalty charge!

By the way: Card schemes monitor how high your chargeback rate is. If it exceeds a certain value (% share of number of units and/or volume), this can entail a warning, or you may even be blocked.

Use the proper safeguards for CNP transactions

Admittedly, this topic is somewhat complex. Nevertheless, it is enormously important. E-commerce will continue to grow and open up many opportunities for you.

Face the risks head-on and familiarize yourself with them. This way, you can find suitable solutions in advance.

Supplementary topics: If you offer customers the option of paying with a credit or debit card, our articles on the subject of PCI (Payment Card Industry) might be of interest to you.

Do you have any questions concerning the use of credit cards in your business?

We would be happy to help. Feel free to contact us here.
