What is a Card Not Present Transaction?

A card not present (CNP) transaction is any payment where the physical card is not presented to the merchant at the point of sale. This includes payments made over the phone, online, by post, or through a mobile app. CNP transactions carry higher fraud risk than in-person payments because the merchant cannot physically verify the card or cardholder.

How CNP Transactions Work

In a traditional card-present transaction, the customer physically inserts, taps, or swipes their card at a terminal. The terminal reads the chip or magnetic stripe, and the cardholder may enter a PIN or provide a signature. These physical checks create a strong link between the card, the cardholder, and the transaction.

In a card not present transaction, none of those physical verification methods are available. Instead, the merchant collects card details -- typically the card number, expiry date, and the three-digit security code on the back -- through an alternative channel. That might be a website checkout form, a phone call, a postal order form, or a mobile app.

Because the merchant cannot physically verify the card or confirm the person using it is the legitimate cardholder, CNP transactions rely on other forms of verification to establish trust.

Common Types of CNP Transactions

  • Telephone payments (MOTO): The customer provides card details by speaking them to an agent or by entering them on their phone keypad during a call. This is one of the oldest and most widespread forms of CNP payment.
  • E-commerce: The customer types their card details into an online checkout form, often with additional authentication through 3D Secure.
  • Mail order: Card details are written on an order form and sent by post -- still used by some catalogue retailers and subscription services.
  • Recurring payments: Card details stored securely on file are used for ongoing subscriptions, memberships, or repeat billing without the customer needing to re-enter them each time.
  • In-app payments: Card details saved within a mobile application are used to pay for goods or services with a single tap.

Why CNP Fraud Is So Common

CNP transactions account for the vast majority of card payment fraud in the UK and globally. The reason is simple: a criminal does not need the physical card. All they need are the card details -- the number, expiry date, and security code -- which can be obtained through data breaches, phishing attacks, social engineering, or dark web marketplaces.

According to UK Finance, CNP fraud consistently represents the largest single category of card fraud losses in the United Kingdom, running into hundreds of millions of pounds every year. Online and telephone channels are the primary targets because they lack the physical verification that makes in-person fraud more difficult.

To put it in everyday terms: if someone steals your wallet, they can only use your card until you notice and cancel it. But if they steal your card details from a database, they can make purchases from anywhere in the world without you realising until the charges appear on your statement.

Security Measures for CNP Payments

Several technologies and processes have been developed to reduce CNP fraud and protect both merchants and cardholders.

Card Security Codes

The three-digit CVV, CVC, or CV2 code printed on the back of the card provides an additional verification layer. Because this code is not stored on the magnetic stripe or chip, it cannot be captured through card skimming at physical terminals. Merchants are prohibited from storing security codes after a transaction is authorised.

3D Secure Authentication

For online transactions, 3D Secure (marketed as Visa Secure, Mastercard Identity Check, or similar) adds a step where the cardholder verifies their identity through their issuing bank. This usually involves a one-time passcode sent by text message, approval through a banking app, or biometric confirmation. It shifts fraud liability from the merchant to the card issuer when used correctly.

DTMF Masking for Phone Payments

Telephone payments have historically been one of the hardest CNP channels to secure. When a customer reads their card number to an agent, that data passes through the call audio, gets captured in call recordings, and is visible on the agent's screen. DTMF masking technology solves this by intercepting keypad tones before they reach the agent, routing the card data directly to the payment processor without it ever entering the merchant's environment.

Address Verification Service (AVS)

AVS checks the billing address provided by the customer against the address registered with the card issuer. A mismatch does not necessarily mean fraud, but it raises a flag that the merchant can investigate before completing the transaction.

Velocity Checks and Risk Scoring

Payment processors monitor transaction patterns for signs of fraud. Multiple rapid transactions on the same card, transactions from unusual locations, or purchases that do not match the cardholder's typical behaviour can all trigger additional checks or automatic declines.
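The two signals named above, rapid repeat use of one card and a change of location, can be expressed as a sliding-window rule. This is an added example, not code from Paytia or any payment processor; the thresholds, field names and sample events are constructed assumptions, and card tokens stand in for card numbers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_TXNS = 3                     # assumed max transactions per card per window
MAX_COUNTRIES = 1                # assumed max distinct countries per window

# Constructed sample events: (ISO timestamp, card token, country, amount in pence).
SAMPLE = [
    ("2024-05-01T10:00:00", "tok_A", "GB", 1200),
    ("2024-05-01T10:01:00", "tok_A", "GB", 900),
    ("2024-05-01T10:02:00", "tok_B", "GB", 4500),
    ("2024-05-01T10:03:00", "tok_A", "GB", 1500),
    ("2024-05-01T10:04:00", "tok_A", "GB", 2000),   # 4th use inside 10 minutes
    ("2024-05-01T10:30:00", "tok_B", "GB", 4500),   # earlier tok_B use has aged out
    ("2024-05-01T10:32:00", "tok_B", "US", 9900),   # second country inside the window
]

def score(events, window=WINDOW, max_txns=MAX_TXNS, max_countries=MAX_COUNTRIES):
    """Return (timestamp, token, reasons) for every event that trips a rule."""
    recent = defaultdict(deque)          # token -> deque of (time, country)
    flagged = []
    for ts, token, country, _amount in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[token]
        # Drop events for this card that are older than the window.
        while q and now - q[0][0] > window:
            q.popleft()
        q.append((now, country))
        reasons = []
        if len(q) > max_txns:
            reasons.append("velocity")
        if len({c for _, c in q}) > max_countries:
            reasons.append("geo")
        if reasons:
            flagged.append((ts, token, reasons))
    return flagged

if __name__ == "__main__":
    for hit in score(SAMPLE):
        print(hit)
```

A flagged event would normally feed a step-up check or manual review rather than an outright decline, since legitimate customers also travel and retry payments.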

CNP and PCI DSS Compliance

Because CNP transactions involve capturing and transmitting card data without physical verification, they fall squarely within the scope of PCI DSS. Any system that touches card data during a CNP transaction -- whether that is a website, a phone system, a call recording platform, or an agent workstation -- must meet the relevant PCI DSS requirements.

For businesses that take payments over the phone, this can mean a significant compliance burden. Every system in the payment chain needs to be assessed, secured, and regularly tested. This is where descoping technologies like DTMF masking become particularly valuable -- by preventing card data from entering the merchant's environment, they dramatically reduce the number of systems that need to comply with PCI DSS.

The Merchant's Perspective

For businesses, CNP transactions are essential. They open up revenue channels that would not exist if every customer had to present their card in person. Phone payments, online sales, subscription billing, and remote services all depend on the ability to process CNP transactions securely.

The challenge is balancing convenience against risk. Too many security checks and customers abandon their purchase. Too few, and fraud losses mount up alongside the chargebacks and reputational damage that come with them. Getting this balance right requires the right combination of technology, processes, and partner selection.

How Paytia Uses This

Telephone payments are one of the most common forms of card not present transaction, and they present unique security challenges. When a customer reads out their card number to an agent, or enters it on their phone keypad, that sensitive data passes through the call audio where it can be overheard or recorded.

Paytia's DTMF suppression technology solves this problem by intercepting the call audio and masking the keypad tones before they reach the agent. The card details are captured securely and sent directly to the payment processor, while the agent remains on the line to guide the customer through the transaction.

This makes telephone CNP transactions as secure as online payments with 3D Secure -- without any disruption to the customer experience or agent workflow.

Frequently Asked Questions

Why are card not present transactions higher risk?

Because the merchant cannot physically verify the card or the cardholder's identity. There is no chip to read, no PIN to enter, and no signature to check. This makes it easier for fraudsters to use stolen card details. Additional verification methods like CVV codes, 3D Secure, and DTMF masking help reduce this risk.

Are phone payments classed as card not present?

Yes. Any payment where the customer provides card details over the phone -- whether by speaking them to an agent or entering them on the keypad -- is a card not present transaction. These are sometimes called MOTO (mail order / telephone order) transactions.
