Accepting credit cards remotely is nearly as old as accepting credit cards in person, and this flexibility is generally one of the great benefits of credit cards. Unfortunately, fraudulent transactions, whether card-not-present (CNP) fraud or other online payment fraud, can be costly to business owners and their customers; fraud is one of the leading causes of lost revenue for small businesses every year.
What is a card-not-present transaction?
So, what exactly constitutes a "card-not-present" transaction? Any time you manually key in a credit card for a customer in a physical terminal or virtual terminal, have your customer submit an online transaction through your eCommerce store or electronic invoice, complete a telephone order, process a recurring payment, or use a credit card that is stored on file with your business, then you would be processing a card-not-present transaction. Any transaction that you process where you are not processing a physical card in a terminal or reader is considered a card-not-present transaction.
Card-present fraud vs. not-present fraud
Card-present fraud occurs when a customer uses a stolen physical credit card (often in connection with identity theft), when a business processes stolen credit card information, or when stored credit card information is used to make unauthorized transactions.
Card-not-present fraud, or CNP fraud, occurs when the fraudster doesn't use a physical card. Instead, credit card information obtained by fraudsters, such as the card number, expiration date, and CVV, is used to authorize transactions. This is why it is so important to keep this information secure. As a business, doing so is part of abiding by PCI compliance, which dictates how sensitive data and credit card information can be stored.
How can credit card information be obtained for not-present fraud?
The main reason payment fraud happens is that the victim is not aware they have been targeted and that their credit card details have been compromised. Unlike the theft of a physical credit card, this type of fraud only requires that the perpetrator has the card details, not the physical card, so the victim keeps his or her card and does not know anything has been stolen.
Ordinarily, a cardholder could cancel a card as soon as they noticed it was lost or stolen. With compromised card details, however, they usually don't know anything is wrong until they see unauthorized transactions on their credit card statement. Data breaches can occur anywhere credit card information is stored, but fraudsters will often target a small business with weaker security checks, running hundreds of card numbers through its online store to see which ones are approved so they can use those cards elsewhere for larger purchases.
Card-not-present transaction fees
If your business needs to process transactions without a physical credit card, then you will likely pay slightly higher card-not-present transaction fees. That is because card-not-present transactions have a higher likelihood of fraud than card-present transactions, and the card brands therefore set a slightly higher interchange fee for them to offset the increased risk.
Even with a slightly higher interchange rate and a higher chance of fraud, processing card-not-present transactions often proves more beneficial than risky, especially if you follow the best practices for confirming the cardholder's identity and protecting sensitive information. In fact, many businesses today rely completely on card-not-present transactions to get paid: online-only stores, subscription services, and companies that invoice exclusively are all cases where card-not-present transactions make up the majority of what the business processes.
Plus, there are certain interchange rates that businesses can qualify for. For example, some credit card companies will cut you a break if you use tokenization, card vaults, and recurring billing since these will aid in fraud prevention.
What you should do to avoid processing a fraudulent transaction
There are a few best practices you can follow to help protect your business from online payment fraud and to safeguard your customers' personal information.
Always ask for a CVV for keyed-in and online payments
First, always require your customers to provide the card's CVV or security code. Whether you're taking a credit card number over the phone or selling products through your online store, requiring the CVV is a step you should take without exception. The CVV is the three-digit code located on the back of the card and is used to verify that the person claiming to own the card during a transaction actually has the card in their possession. At Helcim, we have always recommended asking for the customer's CVV for all online or card-not-present transactions, and in October 2018 Visa made the CVV mandatory for authorizing a manually keyed transaction, so there really is no excuse to ignore this security precaution.
Implement Address Verification Service for online purchases
AVS, or Address Verification Service, is a great tool for confirming that the billing or shipping address a customer enters online matches the address on file for the cardholder, which helps you avoid processing fraudulent transactions. It is also a good way to protect yourself from card attacks like the bulk card testing described above, and from the newer, higher interchange fees charged for repeated declined transactions.
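The card-testing pattern described earlier (many numbers run through a store to find approvals) and the CVV and AVS checks recommended here, shown as an added example that is not part of the original post: a small Python filter over a merchant's own authorization log. The log format, the field values such as MATCH/NOMATCH, and the thresholds are constructed assumptions, not Helcim's or any processor's real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real processor format): time, source IP,
# card token, entry method, whether a CVV was supplied, AVS result, outcome.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 tok_a1 online cvv=yes avs=NOMATCH result=declined
2024-03-01T10:00:04 203.0.113.7 tok_b2 online cvv=yes avs=NOMATCH result=declined
2024-03-01T10:00:07 203.0.113.7 tok_c3 online cvv=yes avs=NOMATCH result=approved
2024-03-01T10:00:09 203.0.113.7 tok_d4 online cvv=yes avs=NOMATCH result=declined
2024-03-01T10:15:00 198.51.100.9 tok_f6 online cvv=yes avs=MATCH result=approved
2024-03-01T10:20:00 198.51.100.9 tok_f6 keyed cvv=no avs=MATCH result=approved
"""

def parse_log(text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, token, method, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"time": datetime.fromisoformat(ts), "ip": ip, "token": token,
                       "method": method, "cvv": fields["cvv"] == "yes",
                       "avs": fields["avs"], "result": fields["result"]})
    return events

def pre_auth_policy(event):
    """Reason a card-not-present transaction must not be sent for authorization, or None."""
    if event["method"] in ("online", "keyed") and not event["cvv"]:
        return "missing CVV on card-not-present transaction"
    return None

def post_auth_policy(event):
    """Reason to hold or refund an approved transaction for review, or None."""
    if event["result"] == "approved" and event["avs"] == "NOMATCH":
        return "AVS address mismatch"
    return None

def find_card_testing(events, window=timedelta(minutes=5), min_cards=4, min_decline_ratio=0.6):
    """Source IPs that ran many distinct cards in a short window with mostly declines."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            recent = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            cards = {e["token"] for e in recent}
            declines = sum(e["result"] == "declined" for e in recent)
            if len(cards) >= min_cards and declines / len(recent) >= min_decline_ratio:
                flagged.add(ip)
                break
    return flagged
```

Flagged source IPs are a signal to rate-limit or block further attempts and to review any approvals from that window, not an automatic proof of fraud.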
Verify and collect the person's payment information
In addition to confirming the cardholder's address, make sure the other information the cardholder provides is accurate. Collect all of the relevant details from cardholders in case the transaction gets flagged for fraud by the payment processor, or in case you need to supply additional information for a chargeback at a later date. That means recording the billing and shipping information, the payment date, the payment total, and anything else you deem worth keeping. Being able to provide this information quickly and accurately matters if you end up fighting a potential chargeback and its fees.
Stay up-to-date on PCI and credit card company best practices
Ensuring your business is PCI compliant and following the PCI compliance requirements is another way to protect your business from fraud and ensure that the information you are collecting is handled safely and securely.
Some PCI best practices include storing sensitive data like credit card details as tokens in a secure card vault. Doing so can help prevent compromised card details from being stolen and processed in the event of data theft, data-skimming devices, or scams like the one that recently hit a small Canadian company. That business says its bottom line and its reputation took a hit after falling victim to this type of fraud, which led to its customers' card information being used in many fraudulent transactions elsewhere.
PCI compliance can also protect your business from fines in the case of a data breach or data theft. While PCI can be daunting at first glance, your payment processor can assist you through the process.
The card brands, like Visa and Mastercard, have also put together best practices for merchants who are new to credit card processing and are looking for additional guidance on how to best handle card-not-present transactions. The Visa card-not-present merchant guide outlines helpful tips, including why you should use Verified by Visa, maintain records of each cardholder's purchase history, and note shipping addresses that have caused issues in the past so you can flag irregularities in purchase behavior.
What you should not do when processing card not present transactions
If you're accepting card-not-present transactions, there are still guidelines for how you should be collecting the payment information from customers. While it is okay to ask for credit card information over the phone, you should not ask customers to send information over email or through text messages. Email and text communications are not secure, and the information may accidentally end up in the wrong hands.
You should also be careful never to write down or improperly store your customers' payment information. If your business offers products or services that require recurring payments, store the information securely using your payment processor's card vault and provide a secure online payment page for customers to enter their details. The PCI-DSS mandates that the CVV can never be written down; this goes for merchants as well as processors.
Finally, if a particular transaction raises red flags that may indicate it is fraudulent, the best practice is not to process it (or to refund it if it has already gone through) and forfeit the sale. Going against your better judgment and processing a transaction that may be fraudulent is not worth the potential chargeback fees if it does turn out to be fraudulent.
If the customer is physically present and you have the option to process the transaction as card-present rather than card-not-present, it is best to run it through a terminal or other equipment so that it counts as card-present. When that is not possible, following these guidelines will help protect your business and your customers' payment information.
Your best defense against payment fraud
As more and more customers complete transactions online and on their mobile devices, card-not-present transactions will continue to increase, and it is important to make sure you're abiding by the best practices so you can avoid payment fraud and chargebacks. By following the best practices outlined in this blog post, you can protect your business and your customers from data breaches, chargebacks, and other financial crimes.