Best practices for card-not-present transactions
A card-not-present (CNP) transaction occurs anytime the physical card isn’t presented to the merchant, such as a purchase that takes place over the Internet, via phone, or by mail. Given the additional fraud risks inherent with CNP transactions, it’s important to arm your business with best practices to keep your customers (and your business) safe.
It's simple, really. Just follow these ABCs:
- Address verification service
- Billing descriptors
- CVV, CVC, CID
Address Verification Service
An address verification service (AVS) helps merchants spot suspicious card transactions by checking that the numeric parts of the billing address a customer supplies (street number and postal code) match the address the issuing bank has on file for the account. During authorization, the processing platform returns a single-letter AVS response code indicating a full match, a partial match (street or ZIP only), no match, or that the check could not be performed; the merchant uses that code to decide the next step: approve, route to an exception queue, or decline. Two caveats apply. An issuer will frequently approve an authorization even when AVS reports a mismatch, so acting on the code (including voiding an approved authorization you choose not to accept) is the merchant's responsibility, and AVS is only available for cards whose issuers participate in it. Treat AVS as one signal and combine it with other fraud detection methods to get the most out of it during CNP activity.
Ensuring that CNP patrons’ identification is valid indicates that your organization takes the necessary steps to protect cardholders against potential misuse. In the event of disputed charges, providing proof to a card issuer that you followed CNP best practices reduces the likelihood of costly chargebacks.
Billing descriptors
The need for comprehensive identification is a two-way street: it is imperative that you present your organization's name in a way that cardholders will recognize on their statements. This information, called a billing descriptor, is the statement line item that shows cardholders who received the payment for a particular transaction. Billing descriptors are typically static and read the same for all of an organization's transactions, although some processors support dynamic descriptors that append per-transaction detail such as an order reference.
Similarly, adding your organization's email address and phone number to mail, email, and invoice correspondence allows cardholders to quickly contact you in the event of an incorrect or unrecognized charge on their statement. Descriptor fields are short (the merchant name portion is commonly limited to around 22 characters, depending on the card brand and processor), so anything longer is truncated on the statement; check that the name and contact details your processor submits survive that limit and are not cut off on statements viewed on smaller devices. It is a good idea to periodically run test transactions, look at what actually appears on the resulting statement, and adjust your text as needed.
CVV, CVC, CID
Requiring the card security code along with the card number is vital to further ensure that a purchase is authentic. The code is the three-digit value printed on the back of Visa, Mastercard, and Discover cards (CVV2 or CVC2) or the four-digit value printed on the front of American Express cards (CID). Collecting not only the name as it appears on the card, account number, card type, and expiration date but also the CVV/CVC/CID better confirms that the customer physically has the card, because the code is printed on the card and is not encoded on the magnetic stripe or chip. This means that even if thieves break into a merchant's system and steal card numbers, they may not be able to use those numbers for online or phone purchases without the security code. In addition, PCI DSS forbids merchants from storing the security code after authorization, even in encrypted form, so a breached merchant database should never yield it; seeing a valid CVV/CVC/CID match with a card number is therefore a positive indicator that the card is being used legitimately. The match is not proof on its own: a code phished from the cardholder together with the number will still match, so use the result as one signal alongside AVS and other checks.
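The decision logic the AVS section above and the card-security-code paragraph describe, as an added example in Go that is not part of the original article: the single-letter AVS and CVV result codes that come back with the authorization response are mapped to approve, review, or decline, and the record that is persisted afterwards has a masked PAN and the result letters but no field for the security code itself. The AVS letters used are the common Visa-style set returned by many US processors; the struct field names and the exact approve/review/decline thresholds are assumptions for this example, not any particular processor's API.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the merchant's next step once the processor has returned an
// authorization response carrying AVS and card-security-code results.
type Decision string

const (
	Approve Decision = "approve"
	Review  Decision = "review"  // park in an exception queue for a human
	Decline Decision = "decline" // and void the authorization if the issuer approved it
)

// AuthResponse holds the fields the rules need. The field names are assumptions
// for this example, not any particular processor's API.
type AuthResponse struct {
	IssuerApproved bool   // issuer approved the amount
	AVS            string // single-letter AVS result
	CVV            string // single-letter CVV/CVC/CID result (M = match, N = no match)
}

// Single-letter AVS codes as commonly returned by US processors (Visa-style).
// Code sets differ between processors and card brands, so map your own
// processor's table into these sets rather than trusting this one verbatim.
var avsFullMatch = map[string]bool{"Y": true, "X": true}          // street and ZIP match
var avsPartial = map[string]bool{"A": true, "Z": true, "W": true} // only street or only ZIP matches
var avsNoMatch = map[string]bool{"N": true}                       // neither matches
// Anything else (U, R, S, G, E, empty, ...) means the issuer could not check.

// Evaluate applies the rule: approve only on full AVS match plus CVV match,
// decline on CVV mismatch, AVS "no match", or issuer decline, and send
// everything ambiguous (partial match, AVS unavailable, CVV not checked) for review.
func Evaluate(r AuthResponse) (Decision, string) {
	avs, cvv := strings.ToUpper(r.AVS), strings.ToUpper(r.CVV)
	switch {
	case !r.IssuerApproved:
		return Decline, "issuer declined"
	case cvv == "N":
		// Right number, wrong security code: data likely came from a breach, not the card.
		return Decline, "card security code mismatch"
	case avsNoMatch[avs]:
		return Decline, "AVS: neither street nor ZIP matched"
	case avsFullMatch[avs] && cvv == "M":
		return Approve, "AVS full match and CVV match"
	case avsPartial[avs]:
		return Review, "AVS partial match (" + avs + ")"
	case avsFullMatch[avs]:
		return Review, "AVS full match but CVV not verified (" + cvv + ")"
	default:
		return Review, "AVS not available (" + avs + ")"
	}
}

// CardRecord is what may be persisted after authorization. There is deliberately
// no field for the security code (PCI DSS forbids storing it after authorization),
// and the full PAN is replaced by a masked copy.
type CardRecord struct {
	MaskedPAN string
	Expiry    string
	AVSCode   string
	CVVCode   string // the result letter is fine to keep; the code itself is not
	Decision  Decision
}

// MaskPAN keeps only the last four digits, which PCI DSS permits to display.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// NewCardRecord builds the persistable record from the request fields and the
// response. The security code the customer typed is consumed by the
// authorization request and never reaches this function.
func NewCardRecord(pan, expiry string, r AuthResponse) CardRecord {
	d, _ := Evaluate(r)
	return CardRecord{MaskedPAN: MaskPAN(pan), Expiry: expiry, AVSCode: r.AVS, CVVCode: r.CVV, Decision: d}
}

func main() {
	// Constructed sample responses, not captured from a real processor.
	samples := []AuthResponse{
		{true, "Y", "M"}, {true, "Y", "N"}, {true, "N", "M"},
		{true, "A", "M"}, {true, "U", "M"}, {false, "Y", "M"},
	}
	for _, s := range samples {
		d, why := Evaluate(s)
		fmt.Printf("approved=%v AVS=%s CVV=%s -> %s (%s)\n", s.IssuerApproved, s.AVS, s.CVV, d, why)
	}
	// "4111111111111111" is a widely used test PAN, constructed input here.
	fmt.Printf("%+v\n", NewCardRecord("4111111111111111", "12/29", samples[0]))
}
```

Two things the rules depend on: a Decline returned for an issuer-approved authorization leaves a hold on the customer's card until you reverse it, so the caller must void that authorization, and Review exists because "AVS unavailable" is common for cards from non-participating issuers and declining all of them would reject a lot of legitimate business.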
More basic elements
Because CNP transactions are not subject to the same physical verification checkpoints as card-present transactions, it is important to underpin CNP security measures with Payment Card Industry Data Security Standard (PCI DSS) compliance, encryption of card data, and stringent data storage processes.
- PCI DSS compliance demonstrates your adherence to technical and operational standards that protect cardholder data wherever you store, process, or transmit it. To be compliant, your organization must meet requirements covering network controls such as firewalls and segmentation, authentication and password policy, malware protection, patching and secure development, access control, logging and monitoring, and regular testing. PCI DSS is not a statute: it is enforced contractually by the card brands and your acquirer, who can levy fines and revoke your ability to accept cards, and some jurisdictions have written it into law or treat it as the standard of care in breach litigation.
- Encrypting card data reduces the likelihood of theft. Once plaintext has been transformed into ciphertext, it can only be recovered with the corresponding key, so an attacker who intercepts or copies the data gets nothing usable unless they also obtain the key, which must therefore be managed separately from the data. Encryption covers not only the moment the card is accepted but also the path from that point to the systems that handle it: TLS for data in transit, and field-level encryption or tokenization for data at rest. This safeguard is especially important for CNP purchases, where magnetic stripes, PINs, and EMV chips are not available.
- Firewalls and encryption protect internally stored cardholder information, as does PCI DSS validation of both your company and your payment processor. Strengthen those precautions by restricting access to cardholder data on a "need to know" basis, limited to the departments and personnel directly involved. Store hard-copy cardholder data generated by paper reports, chargeback mail, and faxes in a locked location. Likewise, ensure that your partners, such as fulfillment houses, call centers, and marketing affiliates, employ adequate protection methods, since data shared with them is still in scope for your compliance.
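Field-level encryption of a stored card number, as an added Go example that is not from the article, illustrating the "encryption" and "stringent data storage" items above: the PAN is sealed with AES-256-GCM under a fresh random nonce, the row's record ID is bound in as associated data so a ciphertext copied into another row fails to open, the last four digits are kept in clear for receipts and support screens, and the row type has no field for the security code at all. NewKey stands in for a key fetched from an HSM or KMS and is an assumption for this example; the record IDs and test PAN are constructed input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// StoredCard is the card-on-file row. There is no CVV field at all, and the PAN
// exists only as ciphertext plus the last four digits for receipts and support.
type StoredCard struct {
	RecordID  string // assumed primary key; bound into the ciphertext as associated data
	Last4     string
	Expiry    string
	PANCipher string // base64(nonce || AES-GCM ciphertext || tag)
}

// NewKey returns a random 256-bit data-encryption key. In production the key
// comes from an HSM or KMS and is never stored beside the ciphertext (assumption).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN with AES-256-GCM under a fresh random nonce. The
// record ID is passed as associated data, so a ciphertext lifted from one row
// and pasted into another fails to open even with the right key.
func EncryptPAN(key []byte, recordID, pan string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(recordID)) // nonce prefix, then ct||tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPAN reverses EncryptPAN. A wrong key, tampered bytes, or a mismatched
// record ID all make gcm.Open fail, and the caller gets no plaintext.
func DecryptPAN(key []byte, recordID, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("PAN decryption failed: wrong key, tampered data, or wrong record")
	}
	return string(pt), nil
}

// Store validates the PAN shape and produces the row to persist.
func Store(key []byte, recordID, pan, expiry string) (StoredCard, error) {
	if n := len(pan); n < 13 || n > 19 {
		return StoredCard{}, errors.New("PAN must be 13-19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return StoredCard{}, errors.New("PAN must be numeric")
		}
	}
	ct, err := EncryptPAN(key, recordID, pan)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{RecordID: recordID, Last4: pan[len(pan)-4:], Expiry: expiry, PANCipher: ct}, nil
}

func main() {
	key, _ := NewKey()
	row, err := Store(key, "card-1", "4111111111111111", "12/29") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("persisted: %+v\n", row)
	pan, _ := DecryptPAN(key, "card-1", row.PANCipher)
	fmt.Println("decrypted for the settlement job:", pan)
	_, err = DecryptPAN(key, "card-2", row.PANCipher)
	fmt.Println("same ciphertext under another record ID:", err)
}
```

Only the job that actually needs the full number (settlement, a recurring charge) should hold the key and call DecryptPAN; customer-service screens and reports work from Last4, which is how the "need to know" restriction above becomes a code-level boundary rather than a policy document.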
Build your own online strategy
As you expand and customize your CNP procedures, start with these basics and build from them the strategies that are right for your business. These safeguards protect not only cardholders' personal information but your organization's assets and brand as well.