What Is A Card-Not-Present Transaction?
It’s safe to say that nothing is ever free in payment processing (and if it claims to be, you should be very suspicious). But trying to understand why some types of transactions cost more than others to process can be a confusing and sometimes overwhelming process. For example, why does Square charge 3.5% + $0.15 for keyed transactions and just 2.75% for swiped, dipped, and tapped transactions, even though they both go through the Point of Sale app? Why do invoices and online orders cost more than payments processed with a POS app and credit card reader? The answer is that it matters whether a transaction is deemed “card-present” or “card-not-present” (CNP) — in fact, it is a critical factor in payment processing costs.
A card-not-present sale is any transaction where the cardholder does not present their card to the merchant. While that general definition may seem pretty cut and dried, the reality is a bit muddier. Here’s what I mean: Even if your customer takes out their physical credit card, the transaction is not considered a “card-present sale” unless they actually swipe, dip, or tap it. Manually entering a card number throws the transaction into card-not-present territory.
And when a customer taps a credit card terminal with their phone at a coffee shop? That transaction is actually considered a card-present sale even though the merchant technically never sees a physical credit card!
Confused? Don’t worry. Keep reading; below, we’ll break down some more examples of card-not-present transactions and help you understand why they cost more to process. We’ll also talk about what — if anything — you need to change in your payment processing setup to protect your business.
The reality is, whether you have a brick-and-mortar store or you run an eCommerce business, you need to understand how CNP transactions affect your business, your customers, and your bottom line. There’s much more than meets the eye when it comes to distinguishing between a card-not-present and a card-present transaction, including how much it costs you and the security risks involved. Let’s dive in!
Card-Present VS Card-Not-Present Transactions
Let’s start by talking about what a card-not-present sale actually entails. Once we do that, these transactions will be a little easier for you to identify (and it will help your sales team navigate the whole issue as well). A card-not-present sale is any sale that is processed without capturing the electronic data of the card at the time of the sale.
It’s not always super cut and dried. Sometimes merchants don’t understand that being handed a credit card doesn’t automatically qualify the transaction as a card-present sale. It all depends on how it is processed. For instance, say you are at a festival and decide to buy one-of-a-kind art from a vendor. You hand her your card, and she breaks out a little manual machine and makes a carbon copy. Even though you physically handed the vendor your card, this still counts as a card-not-present transaction. No electronic data was captured.
Another example involves Visa and Apple Pay. You can consider any in-store purchase made with Apple Pay a card-present sale, but any payments made using Apple Pay in-app are considered card-not-present. That’s because when a customer uses a digital wallet by tapping or scanning a QR code in the store, the electronic data of the card is captured in real time. In-app purchases do not capture the electronic data at the time of the sale.
For the most part, the main thing to understand is that transaction categorization ultimately boils down to whether electronic data was captured.
Common Card-Not-Present Transactions:
- Invoicing a client
- eCommerce / online shopping
- Phone orders
- Recurring payments that are automatically billed (subscriptions)
Common Card-Present Transactions:
- Countertop credit card terminals
- Tapping or scanning digital wallets
- Swiping via a card reader on a tablet or smartphone (e.g., Square)
If your revenue depends on processing payments with anything other than a POS app and credit card terminal or mobile card reader, it is worth your time to understand how to keep your transactions safe. Processing credit cards costs money whether you process in person or online, but you will face slightly higher fees for processing card-not-present transactions.
Understanding The Cost Of Card-Not-Present Transactions
Why are you charged more for card-not-present transactions? It’s pretty simple, actually. Card-not-present transactions cost more because there are simply more ways for them to fail. Between chargebacks, friendly fraud, and malicious fraud, there is more vulnerability and more cost when things go wrong. Granted, all credit card processing poses some risk — that’s why businesses have contracts with processors, and why high-risk merchant accounts exist. It comes down to which methods of payment processing (and sometimes even which businesses) present the most risk.
With a merchant account that offers interchange-plus pricing, you will pay a higher interchange rate for card-not-present transactions because the card networks want a return in exchange for accepting some of the risk. Even third-party processors, which don’t overtly pass interchange costs directly to you, still build the costs in by adding a markup to their base rate.
It’s also important to understand that not all card-not-present transactions pose the same risks. For instance, you are generally going to pay a higher cost for a keyed-in entry than for an online transaction because there are typically some built-in security measures (like address and CVV verification) for online purchases, whereas there are no security measures for keyed transactions.
Want to know more about how credit card processing works? Check out The Complete Guide to Credit Card Processing Rates & Fees for an in-depth look.
Below we talk more about card-not-present fraud and what you can do to protect your business.
The Cost Of Fraud
Unfortunately, when it comes to CNP sales, the industry is currently seeing an increased rate of fraud for online transactions. The rollout of chip cards and the EMV liability shift in the US for card-present sales actually plays a major role in the increase of card-not-present fraud, and it’s something that financial experts predicted would happen based on EMV adoption in other parts of the world.
While we certainly don’t want to strike fear or dread into any of our readers, the fact is that card-not-present transactions make you more vulnerable to fraud because the physical card data can’t be verified. Not only can a card data breach turn into an embarrassing public relations issue, but the business owner is ultimately responsible for absorbing the cost of any fraudulent charges in a card-not-present sale.
A recent press release from LexisNexis demonstrates that the cost of fraud is rising. Last year, every dollar ($1) of fraud cost a merchant $2.77. This year, it’s predicted to cost $2.94 on average. And if you are in the digital space, the cost is even a bit higher.
Small businesses need to stay on guard just as much as any medium or large business. The unfortunate fact is that fraudsters are looking for vulnerabilities like outdated data security practices, and small businesses are very likely to be targeted.
There are some very sobering statistics from UPS Capital:
- Nearly 90% of small and medium-sized businesses in the U.S. don’t use data protection for company and customer information.
- Less than half have secure company email processes to prevent phishing scams.
- 60% of smaller businesses are out of business within six months of suffering a cyber attack.
It is vitally important to be aware of the risks and know how to protect yourself.
Read on to learn more about fraud and what you can do to protect your business if you accept card-not-present transactions.
Protecting Your Business From Fraud
Taking a proactive approach to preventing fraud is a smart move. In this post, we focus on understanding the risks and cost of card-not-present transactions, but card-present sales are certainly not exempt from fraud. If your business processes both types, check out the Merchant’s Guide to Preventing Card-Present Fraud for a great breakdown of information on how to protect your business from card-present security issues.
Your first defense against fraud will always be PCI compliance. PCI DSS is an acronym for Payment Card Industry Data Security Standard, which dictates the industry-standard procedures and security measures a business needs to take to protect customer data.
The good news is that unless you are dealing with homegrown software for your payment processing system, you are likely operating with PCI compliant equipment and software. That’s because all payment processing software and equipment vendors go through a strict certification process to ensure their products meet industry standards for security.
That being said, you still need to take the time to read your contract and understand if there are any steps you need to take to ensure continued compliance. Third-party payment processors such as Square are automatically PCI compliant and do not require you to do anything specific to maintain compliance — at least not as far as the contract is concerned. (As a general rule, you should keep yourself informed on PCI compliance and what constitutes a suspicious transaction that could get your account flagged for fraud.)
With merchant accounts, PCI compliance is a lot more varied and partially depends on whether you use the provided software or integrate with a third party. You may be obligated to complete a scan or assessments, or potentially much more depending on your payment processing setup.
The key takeaway is this: PCI compliance is never a one-time event. Assessment, remediation, and reporting are a continual process, with best practices changing each year. Even if your processor doesn’t require you to do anything to maintain compliance, it’s important to make sure you know what security best practices are.
According to the PCI DSS Quick Reference Guide, some habits can put you and your customers at risk for fraud. Within the guide, the PCI cites activities that are common across the board in all types of U.S. and European businesses (page 4):
- 81% store payment card numbers
- 73% store payment card expiration dates
- 71% store payment verification codes
- 57% store customer data from the payment card magnetic strip
- 16% store other personal data
Let’s break down that first statistic. The majority of business owners store their customers’ credit card numbers. But where? Unless you’re using PCI compliant software with a secure credit card vault, you could be exposing yourself to risk and liability — big time.
Following best practices and keeping yourself up-to-date with PCI compliance is one of the most important things you can do to prevent fraud. Another thing to remember is that it is up to you to ensure your team knows what not to do, too. A retail employee who keys in the majority of her transactions may be helping others commit fraud — or she may simply have trouble getting the credit card terminal’s card readers to work. But you won’t know until you check up on her.
Once your bases are covered with PCI compliance, you can rest easy knowing that your legal and liability concerns have at least been reasonably mitigated.
Additional layers of security may be worth looking into as well, especially if your livelihood involves online sales:
- Address Verification System (AVS): This system checks whether the address your customer provides matches the address of the person who owns the credit card. Verifying the billing address or zip code against Visa or Mastercard billing information of the cardholder can prevent misuse and protect your business from fraud.
- CVV Checks: A CVV check requires your customers to enter the additional three digits on the back of the card (four digits for American Express). Since this information can be stored (and also stolen), it also makes sense to require customers to re-enter the card code whenever there is an unrecognized device or a change to a shipping address.
- 3-D Secure: This provides an extra layer of security for online transactions. If you have heard of Mastercard SecureCode, Verified by Visa, or American Express Safekey, then you are familiar with 3-D Secure. Mastercard SecureCode, for instance, requires a PIN code to be entered into an inline window that is securely hosted by the issuing bank. The code is never shared with you directly. This authentication step is designed to reduce your liability and improve security. Many processors that cater specifically to online businesses, such as Stripe, offer 3-D Secure bundled with their services.
Fully grasping the nuances of credit card processing can be difficult. However, it’s definitely worth taking a bit of time to understand how and why card-not-present transactions are different from card-present payment processing.
Even merchants who run brick-and-mortar shops have to deal with the cost of CNP payments. If you have a storefront shop, taking the time to train your team to spot the difference between the two types of transactions and keeping up with the latest compliant software/EMV readers will go a long way towards keeping your costs down — and your payment security tighter.
If you run an online business, your focus should be on making sure you have the appropriate security measures enabled with a good payment processor — preferably one that does the bulk of the work for you! At the end of the day, you will take the hit from chargebacks and fraud if you don’t have the right protections.
Shopping around for eCommerce business solutions? Read How To Choose An eCommerce Merchant Account.