The Complete Guide To Processing Card-Not-Present Transactions
Our guide explains what card-not-present transactions are, how much they cost, and how they affect your business.
Card-not-present transactions have gone from a rarely used backup method of completing payments to a popular, commonly used payment method on par with traditional card-present transactions. Unfortunately, this increased popularity has also brought more credit card fraud, which is easier to accomplish if a merchant can’t physically inspect a customer’s card.
If you’re a budding eCommerce entrepreneur looking for the best credit card processor for a small business, it’s critical to understand that the higher risk of fraud in online payments is the primary reason card-not-present processing rates are significantly higher than rates for card-present transactions in a brick-and-mortar setting.
This article will explain card-not-present transactions and why they differ from card-present transactions. We’ll also review how much they typically cost to process and explain how the increased risk of fraud they present drives up that cost. Finally, we’ll offer some practical tips on protecting your business from card-not-present fraud, including some common security features that usually won’t cost you anything extra to implement.
Card-Present VS Card-Not-Present Transactions
A card-not-present (CNP) transaction is any credit or debit card sale processed without capturing the electronic data of the physical card at the time of the sale. This includes transactions where the merchant manually enters the card information into a terminal, even if the card itself is actually physically present.
The distinction here is that the digital data stored on a magstripe or EMV/NFC chip on a customer’s card must be read by a terminal or card reader to qualify as a card-present transaction. If this requirement is not met, the transaction will be considered card-not-present.
Digital wallets such as Apple Pay or Google Pay can be particularly confusing. Using Apple Pay in-store is treated as a card-present sale, as the customer’s device can electronically send the same digital data as a physical card to the terminal in real time. However, using a digital wallet to make an in-app or online payment will result in a card-not-present transaction.
Common Card-Not-Present Transactions
- Invoicing a client
- eCommerce/online shopping
- Mail order or telephone order (MOTO)
- Recurring payments that are automatically billed (subscriptions)
Common Card-Present Transactions
- Using a mobile card reader in conjunction with a connected smartphone or tablet app (e.g., Square)
- Digital wallets (e.g., Apple Pay or Google Pay) or NFC-enabled credit/debit cards (tap-to-pay)
- Countertop credit card virtual terminal or point of sale (POS) system
How Much Is A Card-Not-Present Transaction?
Card-not-present transactions cost more to process because there are more ways they can fail than card-present transactions. With a higher risk of chargebacks, friendly fraud, and malicious fraud, there is more vulnerability and a higher cost when things go wrong. Issuing banks and credit card processors guard against potential losses by charging higher fees to process these transactions.
Regardless of the type of processing rate plan your provider uses, you will invariably pay more for a card-not-present transaction. Flat-rate or tiered pricing plans charge more for CNP transactions, with both a higher percentage rate and a higher fixed authorization fee. Interchange-plus or membership pricing plans likewise charge a higher markup on CNP transactions. Note that with these types of plans, the underlying interchange fees will also be higher for card-not-present transactions.
Card-Not-Present Processing Rates Among Popular Credit Card Processors
Processor | Online Transactions | Keyed-In Transactions |
---|---|---|
Square | 2.9% + $0.30/transaction | 3.5% + $0.15/transaction |
Stripe | 2.9% + $0.30/transaction | 3.4% + $0.30/transaction |
PayPal | | |
Shopify | 2.4%-2.9% + $0.30/transaction (depends on plan) | 2.4%-2.9% + $0.30/transaction (depends on plan) |
Helcim | Interchange + 0.50% + $0.25/transaction (volume discounts available) | Interchange + 0.50% + $0.25/transaction (volume discounts available) |
It’s also important to understand that not all card-not-present transactions pose the same risks. For instance, you are generally going to pay a higher cost for a keyed-in entry than for an online transaction because there are typically some built-in security measures (such as address and CVV verification) for online purchases. In contrast, there are no security measures for keyed transactions.
The Cost Of CNP Credit Card Fraud
Unfortunately, the industry is seeing an increased fraud rate with CNP transactions. The rollout of chip cards and the EMV liability shift in the US for card-present sales actually play a major role in the increase of card-not-present fraud, which financial experts predicted would happen based on EMV adoption in other parts of the world.
Card-not-present transactions invariably make your business more vulnerable to fraud because the physical card data can’t be verified. Not only can a card data breach turn into an embarrassing public relations issue, but the business owner is also ultimately responsible for absorbing the cost of any fraudulent charges in a card-not-present sale.
Small businesses need to stay on guard just as much as any medium or large business. The unfortunate fact is that fraudsters are looking for vulnerabilities, such as outdated data security practices, and small businesses are very likely to be targeted.
There are some very sobering statistics from UPS Capital:
- Nearly 90% of small and medium-sized businesses in the US don’t use data protection for company and customer information
- Less than half have secure company email processes to prevent phishing scams
- Sixty percent of smaller businesses are out of business within six months of suffering a cyber attack
Knowing the risks and how to best protect yourself from CNP fraud and other online payment security threats is vitally important.
Protecting Your Business From Card-Not-Present Fraud
Taking a proactive approach to detecting credit card fraud is a smart move. In this post, we focus on understanding the risks and costs of card-not-present transactions, but card-present sales are certainly not exempt from fraud. If your business processes both types, check out our post on preventing credit card fraud for a great breakdown of information on how to protect your business from card-present security issues.
Your first defense against CNP fraud — or any fraud — will always be PCI compliance. PCI DSS is an acronym for Payment Card Industry Data Security Standard, which dictates the industry-standard procedures and security measures a business needs to take to protect customer data.
The good news is that unless you are dealing with homegrown software for your payment processing system, you are likely operating with PCI-compliant equipment and software. That’s because all payment processing software and equipment vendors undergo a strict certification process to ensure their products meet industry standards for security.
That said, you still need to take the time to read your contract to find out if there are any steps you need to take to ensure continued compliance. Payment service providers (PSPs), such as Square, are automatically PCI-compliant and do not require you to do anything specific to maintain compliance — at least not as far as the contract is concerned. (As a general rule, you should keep yourself informed on PCI compliance and what constitutes a suspicious transaction that could get your account flagged for fraud.)
With merchant accounts, PCI compliance is much more varied and partially depends on whether you use the provided software or integrate with a third-party platform. Depending on your payment processing setup, you may be obligated to complete a Self-Assessment Questionnaire (SAQ), complete quarterly security scans, or more.
The key takeaway is this: PCI compliance is never a one-time event. Assessment, remediation, and reporting are continual processes, with best practices changing each year. Even if your processor doesn’t require you to do anything to maintain compliance, it’s important to make sure you know what security best practices are. This ensures that you’re adequately protecting your customers and yourself from losses owing to card-not-present fraud.
Following best practices and keeping yourself up to date with PCI compliance is one of the most important things you can do to prevent fraud. Another thing to remember is that it is up to you to ensure your team knows what not to do, too. A retail employee who keys in the majority of her transactions may be helping others commit fraud — or she may have trouble getting the credit card terminal to work. But you won’t know until you check up on her.
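One way to run the check described above, as an added example that is not part of the original article: it computes each employee's share of keyed-in sales from a POS export and marks anyone who keys the majority of their transactions for review. The export layout, entry-mode labels, employee IDs, and the minimum sample size are assumptions; the rows are constructed sample data.

```python
from collections import defaultdict

# Constructed sample rows from a hypothetical POS export:
# (employee_id, entry_mode, amount_cents). Layout and values are assumptions.
SAMPLE_TRANSACTIONS = [
    ("emp-a", "keyed", 12000), ("emp-a", "keyed", 8900), ("emp-a", "chip", 2300),
    ("emp-a", "keyed", 15500), ("emp-a", "tap", 1200), ("emp-a", "keyed", 9900),
    ("emp-b", "chip", 4500), ("emp-b", "tap", 800), ("emp-b", "chip", 3100),
    ("emp-b", "keyed", 2700), ("emp-b", "swipe", 1900), ("emp-b", "chip", 6400),
    ("emp-b", "tap", 1500), ("emp-b", "chip", 2200),
    ("emp-c", "keyed", 5000), ("emp-c", "keyed", 4100),
]

# Modes where the terminal read the card electronically (card-present).
CARD_PRESENT_MODES = {"chip", "tap", "swipe"}


def keyed_entry_report(transactions, min_count=5, max_keyed_share=0.5):
    """Summarize keyed-in (card-not-present) usage per employee.

    status is "review" when more than max_keyed_share of an employee's sales
    were keyed, "insufficient-data" below min_count sales, otherwise "ok".
    """
    totals = defaultdict(lambda: {"count": 0, "keyed": 0, "keyed_cents": 0})
    for employee, mode, cents in transactions:
        if mode != "keyed" and mode not in CARD_PRESENT_MODES:
            raise ValueError(f"unknown entry mode: {mode!r}")
        row = totals[employee]
        row["count"] += 1
        if mode == "keyed":
            row["keyed"] += 1
            row["keyed_cents"] += cents

    report = {}
    for employee, row in totals.items():
        share = row["keyed"] / row["count"]
        if row["count"] < min_count:
            status = "insufficient-data"  # too few sales to judge a pattern
        elif share > max_keyed_share:
            status = "review"  # majority keyed: ask why the reader is bypassed
        else:
            status = "ok"
        report[employee] = {"keyed_share": round(share, 3),
                            "keyed_cents": row["keyed_cents"],
                            "status": status}
    return report


if __name__ == "__main__":
    for employee, stats in sorted(keyed_entry_report(SAMPLE_TRANSACTIONS).items()):
        print(employee, stats)
```

A "review" result is a prompt to talk to the employee and test the terminal, since a failing card reader produces the same pattern as deliberate keying.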
Once your bases are covered with PCI compliance, you can rest easy knowing that your legal and liability concerns have at least been reasonably mitigated.
Additional layers of security may be worth looking into as well, especially if your livelihood involves online sales. Some major tools to help combat card-not-present fraud include:
How Much Do CNP Transactions Affect My Business?
Fully grasping the nuances of credit card processing can be difficult. However, it’s worth taking a bit of time to understand how and why card-not-present transactions differ from card-present payment processing.
Even merchants who run brick-and-mortar shops have to deal with the cost of CNP payments occasionally. If you have a storefront shop, training your team to understand the difference between the two types of transactions and keeping up with the latest compliant software/EMV readers will go a long way toward keeping your costs down — and your payment security tighter.
If you run an online business, your focus should be on making sure you have the appropriate security measures enabled with a good payment processor — preferably one that does the bulk of the work for you! At the end of the day, you will take the hit from chargebacks and fraud if you don’t have the right protections, especially for CNP transactions, where there is so much potential for fraud.