Card-not-present transactions are becoming more and more common in the modern business landscape. With the advent of ecommerce, more purchases are being made online, which means they need to be processed without merchants having the physical payment card in hand.
Card-not-present transactions are also common for orders placed over the phone. Whether it’s over the phone or online, these types of transactions come with special concerns because they open up new opportunities for criminals to defraud your business by stealing cardholder data. Ecommerce CNP transactions are even more common than over-the-phone transactions, and come with their own set of security concerns for preventing ecommerce fraud.
Thankfully, by adopting some card-not-present best practices, the whole process of dealing with card-not-present transactions can become safer and smoother. That means fewer postponed payments, lost customers and chargebacks, It also lessens the risk of all kinds of CNP fraud.
This guide discusses the biggest risks and pitfalls associated with CPN transactions, and shows you how to avoid them so you don’t put your business at risk with one costly mistake.
Card-Not-Present Best Practices
1. Gather Card Information
To process card-not-present transaction, you must first obtain the credit or debit card information needed to process the transaction. This includes the payer’s name, the billing zip code and other billing address information, the payment card number, card expiration date and security code.
As a very important fraud prevention measure, NEVER write this information on a piece of paper. This is the easiest way for CNP fraud to occur, as it makes it very easy for someone to obtain your customer’s payment information. Instead, always have employees or, when possible, the customer themselves, input their payment card information directly into your payment gateway.
2. Get Delivery Confirmation
Before finalizing the payment, make sure to double-check the billing and shipping zip codes to ensure they match. Use fraud protection services during this process to reduce the chance of data breaches where cardholder data becomes compromised. We’ll discuss fraud protection services in more detail later.
3. Authorize the Transaction with the Payment Processor
As the merchant, you are expected to process transactions in a timely fashion to avoid a backlog and prevent delays for customers. Therefore, an important card-not-present best practice is to settle all transactions daily, and to perform a manual review of the order books to ensure nothing was missed or appears suspicious. Look over transaction amounts, account numbers, and other customer info, searching for anything that stands out as inconsistent.
If anything looks off, contact your bank and fraud prevention partners immediately. However, when it comes to data breaches and CNP fraud, prevention is always the best policy. The next section will go into preventing CNP fraud like theft of cardholder data, as well as managing the other risks associated with card-not-present transactions.
Typical Risks for Card-Not-Present Merchants
Card-not-present transactions always carry additional risks. These risks generally fall into one of two categories: fraudulent activity and customer disputes and chargebacks. Fraud can be committed by everyone from hackers to dishonest employees to, in special cases, customers themselves. Customer disputes and chargebacks add additional potential issues for CNP transactions, including e-commerce fraud and duplicate orders.
In the next section, we’ll outline these special risks and show you how to avoid them using card-not-present best practices.
1. CNP Fraud
Different types of CNP fraud are one of the biggest risks when processing card-not-present transactions. Hacking, physical theft of computers or account numbers, and the use of fraudulent or stolen payment information for ecommerce sales are some of the main concerns for CNP merchants.
Thankfully, there are ways for you to reduce your risk for different types of CNP fraud. While the ecommerce world has brought about levels of identity theft never before seen, you can follow some practices to ensure your business, and your customers, don’t fall prey to scams.
End-to-end encryption is one measure you can take to protect your business and your customers. While not a solution for all types of fraud and theft of cardholder data, end-to-end encryption helps to protect card data held in computer systems. Essentially, encryption separates the storage and transmission of data from your system, which removes a major attack vector for malicious hackers.
Account Information Theft
Account information theft can happen in ways that end-to-end encryption can’t protect from. For example, ignoring card-not-present best practices by writing payment information on physical paper can result in the theft of account numbers and other cardholder data. Account information theft can also happen due to unscrupulous employees, who have legitimate access to your customer’s accounts and use that access to steal cardholder data for personal gain.
To avoid account information theft, always input payment information directly into your payment gateway, as described in the first section. Another important fraud prevention measure is to limit the number of employees who have access to customer payment information. With a manual review of daily transactions as part of the accounting routine, if there is suspicious activity that must have come from someone working at your company, it will be easier to zero in on the source.
Information theft can also occur when hackers break into public networks your customers are logged on to while entering their payment info. Customers should be strongly discouraged from entering payment information while logged into these networks.
Data breaches from computer hackers are becoming more and more common. Digital thieves are always looking to develop new ways to infiltrate your systems and steal information. Phishing scams are some of the most commonplace. In these schemes, hackers send an email to one of your company’s accounts containing a link, with some kind of trustworthy-looking presentation meant to trick the employee to open the link.
For example, the email might be disguised as coming from your payment processor, asking the employee to click a link to confirm the username and password associated with your account. Upon clicking the link, the employee will be directed to an official-looking page, mimicking the branding of your payment gateway, to entice them to enter the username and password. This sends the info to hackers, who can then use it to commit data breaches and obtain customer credit cards.
Fraud prevention measures such as limiting who is allowed to open email links and educating on what kinds of links should and shouldn’t be opened, can help prevent data breaches associated with phishing.
Data breaches from employees are also possible, where employees give access to unauthorized parties on purpose, either to commit fraud or because they have been tricked into doing so. Limiting employee access and devising specific rules as to who is allowed to access systems and why is critical for reducing this risk.
Fraud Screening Tools
The use of fraud screening tools goes a long way toward preventing fraud and catching it early when it happens. Some of the most popular and advanced CNP fraud tools include address verification services, IP address analysis and geo-location tools.
An address verification service, or AVS, automatically compares addresses provided during the transaction to ensure that they match during the authorization process. This helps validate that the person using the payment card is the legitimate account holder.
IP address analysis tools screen for inconsistencies between the location of the person logging in and the shipping and billing addresses. For example, if a customer’s IP address shows that they are logged in from a device in Baghdad, but the billing address is in Delaware and the shipping address is in Oregon, you may have an illegitimate order.
Geo-location works in a similar way. By screening for disparities in the billing, shipping, and login locations, you have a way of analyzing orders and determining whether or not they are suspicious.
2. Customer Disputes and Chargebacks
For every merchant that operates online or in other card-not-present settings, some degree of customer disputes and chargebacks are inevitable. Chargebacks are a type of fraud where the customer pays and then receives the item they ordered, only to call their bank and claim that it never arrived. From there, the bank refunds the customer and charges you, the merchant, for the loss. As a result, you have lost the product, the shipping fees, revenue from the sale, and even a little extra due to a fee your bank charges for the chargeback itself.
Enough of these chargebacks can destroy an ecommerce business. To prevent them, use delivery confirmation so that you have proof a shipped item was received by the customer. Keeping good records will also help you have the evidence you need to win a chargeback dispute. Training employees thoroughly on processes and policies, and resolving customer service issues as quickly as possible, can also reduce chargebacks and help you win disputes when they do occur.
Customer disputes are another inevitability of doing business. Disputes happen when a customer believes, either rightly or wrongly, that they have been charged for an item they did not order or receive.
Customer disputes can be greatly reduced by ensuring you have great customer service and transparent payment, shipping, and return policies that all customers are made aware of. Make sure that customers are informed of these policies before any payment can be authorized. In addition, ensure that customers’ credit card statements clearly show your merchant name so that customers aren’t confused by the charge. For example, instead of BGS, LLC, ensure their statement will say “Best Guitar Sales, LLC” to avoid making the customer believe that there was an unauthorized charge.
You should also make it easy for customers to contact you directly, with an email and phone number dedicated to handling payment issues. By doing so, you make it more likely that customers will reach out with questions rather than going directly to disputing the charge with their bank.
Duplicate orders are another issue, often occurring when your system is overloaded. A payment might not be processed, or it might be processed and not register as completed by your system. Duplicate orders can also occur when it isn’t clear to a customer they have already added an item to their cart.
Avoid these with a clear ordering system, preferably one that warns customers if they have placed two of the same item into their shopping cart. For items that come in different sizes, it can be easy to add one size or quantity, then go back to change it, not realizing the first item hasn’t been removed. Be sure your system warns customers in these cases to ensure they don’t dispute a charge or have to return items they didn’t mean to buy.
For all types of ecommerce fraud, strong authentication methods are usually all it takes to keep incidents to a minimum. The more of these methods you can employ smartly within your shopping platform and payment system, the better.
SSL, or Secure Sockets Layer, is a first line of defense against fraud, as it provides a secure gateway between you and your customers. SSL has become an industry standard for CNP fraud prevention. Requiring customers to enter the security code on the back of the credit card will also help prevent fraud by adding an additional piece of information to confirm the cardholder is the one actually making the order. Other techniques mentioned above, like IP address screening and geo-location, add additional layers of ecommerce fraud prevention to protect your business.
CNP Fraud Prevention
With these CNP best practices, you can minimize lost revenue and wasted time arising from CNP fraud, chargebacks, data breaches, and other potentially expensive problems. In the world of CNP transactions, no system is 100% perfect. But by making fraud prevention a priority and using a variety of authentication methods, you can be sure that these issues never become so severe that they sink your business.