What Is a Card Not Present (CNP) Transaction?

Key Takeaways

• A card-not-present transaction occurs when a payment is made without physically presenting the card.
• CNP transactions carry higher fraud risks and require strong authentication tools.
• Merchants can reduce risk through PCI compliance, AVS, CVV checks, and fraud monitoring systems.
• CNP transactions have higher processing fees due to increased fraud exposure.
• Credit card companies and processors enforce strict rules to safeguard online payments.

Card-not-present transactions are now a normal part of everyday life. Many people make online purchases, pay bills through apps, or place orders over the phone. In each of these situations, the physical card is not used during the payment. Instead, the transaction relies on typed or stored card information. This type of payment is known as a card-not-present transaction.

Card-not-present transactions allow customers to buy what they need without being physically present at a store. At the same time, they come with unique risks, rules, and security requirements. Understanding how they work helps merchants, customers, and financial institutions keep payments safer and reduce fraud.

This article explains what a card-not-present transaction is, explores common examples, details the security challenges, and shows how authentication and risk-reduction methods work. It also compares card-not-present and card-present transactions, explains the impacts of fraud prevention, reviews regulations, and answers common questions.

Definition of Card Not Present (CNP) Transactions

A card-not-present transaction occurs when a customer makes a payment with a credit or debit card without physically presenting the card to the merchant. In a card-not-present transaction, neither the cardholder nor the physical card is present during the payment.

The merchant does not use a card reader to swipe, dip, or tap the card. Instead, the merchant receives the card details through an online form, a mobile device, a phone call, a mail order, or a stored card on file. Because the physical credit card is not involved in the transaction, the payment processor and issuing bank must rely on digital authentication tools to confirm that the customer is the true cardholder.

A standard card-not-present (CNP) transaction typically requires:

• Card number
• Expiration date
• Card security code
• Cardholder name
• Customer's billing address

These details are used for verification through tools such as the address verification system, card security code check, or other authentication methods.

Card-not-present payments can be either one-time or recurring. They are used across many industries because they offer convenience, speed, and accessibility. At the same time, they increase the risk of fraudulent transactions, which is why payment processors and credit card companies have specific rules for how merchants must handle them.

Common Examples of CNP Transactions

Card-not-present transactions occur more often than many people realize. Any time a customer pays without physically presenting the card, the payment is considered card-not-present.

1. Online Transactions

Online shopping is one of the most common forms of card-not-present transactions. Customers enter their credit card details on a website or app to place an order. Examples include:

• Buying products from an online retailer
• Paying utility bills online
• Subscribing to streaming services
• Making online payments through a merchant account

The customer types payment details into an online payment system, and the payment processor verifies the information before sending the transaction to the issuing bank.

2. Mobile App Purchases

Mobile apps frequently use digital wallets or saved payment details. When purchasing through a mobile app, the card is not physically present at the point of sale, making it a CNP transaction.

3. Phone Orders

A phone order occurs when a customer reads the credit card number, expiration date, security code, and billing address to a merchant over the phone. This process is classified as a CNP transaction because the physical card is not seen or swiped.

4. Mail Order Payments

Mail-order and telephone-order payments are among the oldest forms of CNP transactions. Customers write or speak their payment card information instead of physically handing over the card.

5. Recurring and Card on File Payments

Many services use stored card information. For example:

• Gym membership fees
• Monthly subscription boxes
• Cloud storage services
• Food delivery accounts

With recurring card-on-file payments, the customer pays without re-entering card information. These transactions use stored digital card data instead of a physical card.

6. In-app or Wallet-Based Payments Without Physical Presence

Digital wallets like Apple Pay or Google Pay can process both card-present and card-not-present transactions, depending on how they are used. When used online or in an app, the payment counts as card-not-present because the customer is not physically present at a checkout terminal.

What Is a Card Not Present (CNP) Transaction?

Card-not-present transactions allow customers to pay without using a physical card, but also increase fraud risk and impose additional security requirements. Understanding how CNP payments work helps merchants and consumers stay protected.

Security Challenges in CNP Transactions

Card-not-present transactions come with higher security risks than card-present transactions. When the card is physically present, merchants can use chip technology and in-person verification. With CNP payments, merchants must rely entirely on digital information, which makes them more vulnerable to credit card fraud.

1. Higher Fraud Rates

Card-not-present fraud is more common than card-present fraud. Cybercriminals often use stolen credit card details to make online purchases because there is no face-to-face interaction. Fraudsters only need card numbers, expiration dates, and security codes, which can be obtained through:

• Phishing
• Data breaches
• Malware
• Dark web purchases
• Skimming from earlier compromised card use

Because merchants cannot inspect the physical card, fraudulent activity is harder to detect.

2. Increased Chargebacks

Chargebacks occur when cardholders dispute unauthorized charges. Since CNP transactions carry a higher risk of fraud, merchants see more chargebacks on these payments. Excessive chargebacks can lead to penalties from acquiring banks or card brands and can increase processing fees.

3. Limited Verification Options

During card-present transactions, security features like EMV chips help authenticate the card. In card-not-present payments, merchants cannot rely on these features. They must instead use digital security tools, which are not always foolproof.

4. Data Exposure Risks

Since payment data must be entered manually or stored digitally, it can be intercepted or exposed. Protecting cardholder data requires strict controls and compliance with security rules.

Authentication Methods in CNP Transactions

To reduce risk, merchants and payment processors use multiple authentication methods during a card-not-present transaction.

1. Address Verification Service (AVS)

The address verification service is one of the most common tools for CNP security. It compares the street address and ZIP code provided by the customer with the information on file at the issuing bank. If the billing address matches, the transaction is more likely to be approved.

2. Card Security Code (CVV or CVC)

The three or four-digit card security code on the back or front of a card is required for most online payments. This code cannot be stored after authorization, so its use helps prevent fraudulent transactions made with compromised stored card numbers.

3. 3D Secure Authentication

3D Secure adds an extra layer of authentication by requiring the cardholder to verify their identity through:

• SMS codes
• Banking app confirmations
• One-time passcodes

This method reduces fraud because the criminal would need both the card details and access to the customer’s device.

4. Tokenization

Tokenization replaces actual card numbers with randomized tokens. These tokens are useless if intercepted. Many card-on-file systems, mobile wallets, and online payment processors use tokenization to protect stored card information.

5. Multi-Factor Authentication

Some merchants require customers to verify their identities via email codes, app confirmations, or biometrics. Multi-factor authentication makes it harder for fraudsters to complete transactions.

6. Device Recognition and Fraud Scoring

Payment processors often use machine learning to analyze device behavior, IP addresses, geolocation, and transaction patterns. Suspicious activity may trigger additional verification.

Risk Mitigation Strategies for CNP Transactions

Merchants that accept CNP payments must take steps to reduce fraud and protect cardholder data.

1. Use Secure Payment Gateways

A secure online payment gateway encrypts payment data before it travels across the internet. This reduces the risk of interception or unauthorized access.

2. Apply PCI Compliance Standards

PCI compliance is required for any business handling card data. It includes rules for:

• Storing card information
• Maintaining secure systems
• Restricting access to sensitive data
• Monitoring network security

Following PCI standards helps prevent data breaches and ensures safer payment processing.

3. Monitor Transactions in Real Time

Real-time monitoring tools help identify fraudulent transaction attempts before authorization is completed. Many systems flag unusual patterns, such as:

• High-value orders
• Multiple attempts with different cards
• Mismatched billing and shipping address details

4. Require Strong Customer Verification

Using AVS, CVV checks, and 3D Secure significantly reduces the risk of fraud. Merchants often combine these checks for higher accuracy.

5. Validate Order Details

Merchants can manually review suspicious orders. They may look at:

• Customer contact information
• IP address location
• Shipping address patterns
• Email domain quality

Small inconsistencies can signal potential fraud.

6. Limit High Risk Transactions

Some merchants refuse to ship high-value products to addresses with a history of disputed claims. Others block purchases from regions known for higher rates of fraud.

7. Provide Clear Customer Communication

Sending order confirmations, shipping notices, and account alerts helps customers detect unauthorized transactions early.

CNP Transactions vs. Card Present Transactions

Understanding the difference between card-not-present and card-present transactions helps clarify why security standards vary.

Card Present Transactions

A card-present transaction occurs in a brick-and-mortar store where:

• The customer is physically present.
• The physical card is in hand.
• A card reader is used to swipe, dip, or tap
• EMV chip or NFC technology authenticates the card

Card-present transactions typically have lower fraud rates and lower processing fees. Since the card issuer trusts chip technology, the risk is reduced.

Card Not Present Transactions

A card-not-present transaction involves:

• No physical presence
• No physical card
• Typed or stored card information
• Greater fraud risk
• Higher processing costs or interchange fees

Because authentication relies on digital data rather than the chip, card-not-present transactions typically incur higher interchange fees and stricter risk requirements.

Key Differences at a Glance

Impact of CNP Transactions on Fraud Prevention

Card-not-present payments have changed the fraud landscape. Fraud used to occur more often at physical stores, but EMV chip technology made card-present fraud much harder. As a result, criminals shifted to online payments.

1. Shift of Fraud to Online Payments

After EMV chips became standard, card-present fraud dropped. Criminals moved to online transactions where they only needed stolen card details rather than physical cards.

2. Higher Merchant Liability

In many card-not-present transactions, merchants are responsible for verifying that the customer is legitimate. If fraud occurs, merchants often pay the chargeback costs, which increases their operational risk.

3. New Fraud Prevention Tools

Because of the increased threat, credit card companies, acquiring banks, and payment processors invested in new tools to protect online payments. These tools include 3D Secure, enhanced fraud scoring, and tokenization.

4. Greater Consumer Awareness

Consumers are now more aware of the risks of credit card fraud when shopping online. Many monitor accounts more closely, use secure websites, and rely on virtual card numbers when available.

Regulations and Compliance in CNP Transactions

There are several rules and standards that govern card-not-present transactions. These rules ensure security and protect both merchants and cardholders.

1. PCI DSS Compliance

The Payment Card Industry Data Security Standard sets rules for:

• Secure storage of card data
• Encryption of information during transmission
• Building and maintaining secure networks
• Monitoring and testing systems

All businesses that accept CNP payments must comply with PCI DSS requirements.

2. Card Brand Requirements

Visa, Mastercard, American Express, and Discover each have specific CNP rules. These include fraud monitoring requirements, chargeback thresholds, and authentication standards.

3. 3D Secure Regulation

Some regions require 3-D Secure for CNP transactions. For example, in Europe, strong customer authentication regulations mandate two-factor verification. While not legally required in the United States, many U.S. merchants adopt similar methods to reduce fraud.

4. Data Privacy Rules

Laws such as the California Consumer Privacy Act require companies to safeguard customer data and explain how personal information is used. State and federal data privacy laws may also apply, depending on where customers are located.

5. Bank and Processor Compliance

Acquiring banks and payment processors use internal rules to assess risk. Merchants must meet these standards to keep their accounts active and avoid penalties.