Online and eCommerce have been expanding at a rapid pace. Over the past decades, the proliferation of smartphones and tablets has shifted spending habits, and that shift has accelerated over the past few years. Life is generally better as a result: you can quickly and seamlessly conduct more and more of your daily routines on a mobile device. It used to be that cash was outdated. Increasingly, cards are falling just as out of favor as cash, replaced by digital wallets and NFC touchless payments.
What’s not to love?
The downside of these demographic shifts is that at some point, those payments still have to be made by a credit or debit card, whether that transaction is over the internet, via a mobile device, or even by mail or telephone. These types of transactions are known as card not present (CNP) transactions. CNP transactions are classified as much higher-risk transactions due to the potential for fraud, since the card being used isn’t swiped through a card reader and isn’t available at the location at the time of the sale.
Although CNP transactions are fast becoming the standard rather than the exception, we have outlined a few best practices for handling card not present transactions that are crucial for merchants to adhere to.
First and foremost, merchants should ensure that they are PCI compliant. Furthermore, they should make sure their payment processor is also PCI compliant. These are the bare minimum data security mandates that can protect businesses against CNP fraud. PCI here refers to the Payment Card Industry Data Security Standard, aka PCI DSS. Businesses processing credit and debit cards are subject to a set of rules outlined by this standard for consumer data protection.
Luckily, merchants can adhere to PCI compliance effortlessly, as their payment processor, point of sale terminal vendor, or payment gateway provider all need to pass a stringent PCI certification process, ensuring compliance.
There are some transaction-level security precautions that merchants can implement to process CNP transactions securely.
Address verification system (AVS)
The address verification system (or AVS) is an automated central database service merchants can use to detect and prevent CNP fraud. The database is a repository of all cardholders’ billing addresses that can be cross-referenced in real-time during a transaction by having the customer verify their billing information.
There are many benefits of using AVS. In the event that a CNP transaction has a positive AVS check, subsequent chargeback claims for Nonreceipt of Merchandise or Unauthorized Use are quickly resolved. Furthermore, Visa offers a lower interchange rate on CNP transactions that include AVS checks.
Card security checks
A card security check asks the customer to verify they’ve seen the credit/debit card. This is confirmed when the cardholder is required to enter the 3- or 4-digit security code usually found on the card’s back. Below is a list of how the major credit card networks refer to the card security check.
- American Express – Card Identification Number (CID)
- Discover – Card Member ID (CMID)
- Mastercard – Card Verification Code (CVC)
- Visa – Card Verification Value (CVV)
One important rule to note about card security details is that merchants cannot save them in their databases. This information has to be entered every time a customer transacts with the merchant.
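One way to enforce this rule in code, as an added example that is not from the original article: the security code is handed to the authorization call once and stripped from everything written to storage, with an audit helper that reports any copy left behind. The field names, the `authorize` and `store` callbacks, and the sample payload are hypothetical.

```python
# Hypothetical field names under which a checkout payload might carry the
# card security code (CID / CMID / CVC / CVV). An assumption, not a standard.
SECURITY_CODE_KEYS = {"cid", "cmid", "cvc", "cvv", "cvc2", "cvv2", "security_code"}


def strip_security_code(record):
    """Return a copy of `record` with security-code fields removed at any
    nesting depth, so the copy is safe to store or log."""
    if isinstance(record, dict):
        return {
            key: strip_security_code(value)
            for key, value in record.items()
            if str(key).lower() not in SECURITY_CODE_KEYS
        }
    if isinstance(record, list):
        return [strip_security_code(item) for item in record]
    return record


def find_stored_security_codes(record, path=""):
    """Audit helper: return the paths of security-code fields still present."""
    hits = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower() in SECURITY_CODE_KEYS:
                hits.append(here)
            hits.extend(find_stored_security_codes(value, here))
    elif isinstance(record, list):
        for i, item in enumerate(record):
            hits.extend(find_stored_security_codes(item, f"{path}[{i}]"))
    return hits


def process_checkout(payload, authorize, store):
    """Authorize with the full payload, then persist only the stripped copy."""
    result = authorize(payload)  # the code is used once, in memory only
    store(strip_security_code({"request": payload, "result": result}))
    return result


# Constructed sample payload: a card-on-file token plus the re-entered code.
SAMPLE = {
    "order_id": "A-1001",
    "card": {"token": "tok_constructed_001", "CVV": "123"},
    "billing": {"zip": "00000"},
}
```

Running `find_stored_security_codes` over exported database rows or structured log entries gives a quick check that no code path bypasses the stripping step.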
Transaction authentication PIN
An additional layer of security for merchants in a CNP transaction is the use of a transaction authentication PIN. All the major credit card networks have their version of it; Mastercard calls it SecureCode.
Transaction authentication is an added layer to a CNP transaction. A PIN is sent to the customer as a message to the email or phone number on file, and the cardholder must enter it into an inline window on their transaction screen. This additional sequence serves as an actual authentication step that enhances the security of the CNP transaction.
Soft billing descriptors
Soft billing descriptors can be very useful for recurring or installment payments. Soft billing descriptors are the information that appears on a cardholder’s monthly statement every time a merchant charges that cardholder. This allows merchants to include more enhanced labeling of transactions, resulting in more detail in the line item appearing on the statement.
The soft billing descriptor comprises a three-letter acronym of the company name and more details of the product or service purchased, often limited to 25 characters. It ends with the company’s customer support number.
For example, a benefit of soft billing descriptors for customers being charged in installments may be that they can see the progress of their payments over time. Soft billing descriptors also provide more details of the item purchased for merchants who sell numerous products or services. In the case of financial recordkeeping, your customers are likely to thank you for the additional detail.
Overall, merchants should understand that securely completing CNP transactions takes a multi-pronged approach. Cash and even cards as payment methods are increasingly becoming a relic of the past. And life is more convenient that way. Nonetheless, cards are still the underlying financial technology that powers any current payment method, and they need to be protected. Every transaction where the card is not present carries significant risk.
Merchants need to adhere to a particular set of best practices and train their customer-facing staff on such types of transactions and the precautions they need to take. Yes, eCommerce, and now mCommerce, is fast becoming the standard way of doing business, rendering CNP transaction risks that much more severe and making certain best practices for handling CNP transactions that much more necessary. With appropriate staff training and sufficient security protocols put in place by the merchant, it may be the risk of CNP transactions that becomes a relic of the past.