Accepting credit cards remotely is nearly as old as accepting credit cards in person, and this flexibility is generally one of the great benefits of credit cards.
So, what exactly constitutes a “card-not-present” transaction? Any time you manually key in a credit card for a customer in a physical terminal or virtual terminal, have your customer submit an online transaction through your ecommerce store or electronic invoice, complete a telephone order, process a recurring payment, or use a credit card that is stored on file with your business, then you would be processing a card-not-present transaction. Any transaction that you process where you are not physically processing the card in a terminal or reader is considered a card-not-present transaction.
If your business needs to process transactions without the card present, then you will likely pay a slightly higher processing fee for each of these transactions. That is because card-not-present transactions have a higher likelihood of fraud compared to card-present transactions, and therefore, are mandated a slightly higher interchange fee by the card brands to offset the increased risk.
Even with a slightly higher interchange rate and the higher chance of fraud, processing card-not-present transactions often prove to be more beneficial than risky, especially if you follow the best practices for confirming the cardholder identity and protecting sensitive information. In fact, many businesses today rely completely on card-not-present transactions to get paid. For example, online-only stores, subscription services, and companies that exclusively use invoices are all examples where card-not-present transactions will make up the majority of the transactions that the business processes.
What You Should Do When Processing Card Not Present Transactions
There are a few best practices you can follow to help protect your business from inadvertently processing a fraudulent transaction in a card-not-present environment and to help protect your business along with your customers' personal information.
First, always require your customers to provide the card’s CVV. Whether you’re taking a credit card number over the phone or selling products through your online store, requiring the CVV is a step you should take without exception. The CVV is the three-digit code located on the back of their card and is used to verify that the person claiming to own the card during a transaction actually has the card in their possession. At Helcim, we have always recommended asking for the customer’s CVV for all online or card-not-present transactions, and in October 2018, Visa made it mandatory to be able to authorize a manually keyed transaction, so there really is no excuse to ignore this security precaution.
You can also use the AVS or Address Verification Service to confirm that the cardholder’s address matches the billing or shipping address that they are entering online. In addition to confirming that the information the cardholder is providing is accurate, it’s important to collect all of the relevant information from cardholders in case the transaction gets flagged for fraud by the payment processor, or if you need to provide additional information in the event of a chargeback at a later date. It's smart to be collecting all important cardholder information including their billing and shipping information, the payment date, the payment total, and any other information that you deem worthy of collection. Being able to accurately and quickly provide this information in the event you need it is important if you have to deal with fighting a potential chargeback.
Ensuring your business is PCI compliant and that you’re following the PCI compliance requirements is another way you can protect your business from fraud and ensure that the information you are collecting is handled safely and securely. PCI compliance can also protect your business from fines in the case of a data breach. While PCI can be daunting at first glance, your payment processor should be able to provide some assistance to get you through the process.
The card brands, like Visa and Mastercard, have also put together best practices for merchants who are new to credit card processing and are looking for additional guidance on how to best handle card-not-present transactions. The guides that Visa has created includes helpful tips including why you should use Verified by Visa, maintain a history of the cardholder’s previous purchases, maintain records of customer purchase history, and note shipping addresses that have caused issues in the past so you can flag irregularities in purchase behavior.
What You Should Not Do When Processing Card Not Present Transactions
If you’re accepting card-not-present transactions, there are still guidelines for how you should be collecting the payment information from customers. While it is okay to ask for credit card information over the phone, you should not ask customers to send information over email or through text messages. Email and text communications are not secure, and the information may accidentally end up in the wrong hands.
You should also be careful to never write down or improperly store your customers’ payment information. If your business offers products or services that require recurring payments, then you should store the information securely using your payment processor’s card vault, and by providing a secure online payment page for customers to enter their information on. The PCI-DSS mandates that the CVV can never be written down - this goes for merchants as well as processors.
Finally, if you notice a particular transaction raises red flags that may indicate it’s fraudulent, then the best practice is to refund the transaction and forfeit the sale. Going against your better judgment and processing a transaction that may be fraudulent is not worth the cost of a potential chargeback if it does turn out to be fraudulent.
If you have the option to process a transaction as card-present instead of card-not-present, then it is best to run the transactions in a manner that is considered to be card-present through a terminal or piece of equipment. However, if it is not possible, then by following these guidelines you can help protect your business and your customers’ payment information. As more and more customers complete transactions online and on their mobile devices, card-not-present transactions will continue to increase, and it is important to make you’re abiding by the best practices so you can avoid fraud and chargebacks.