What is a Card-Present Transaction?

A card-present transaction is a card payment where the card is physically handed over (or tapped, or inserted) at a point-of-sale terminal. The terminal reads the chip, the contactless antenna, or the magnetic stripe; the cardholder usually confirms the payment with a PIN, a tap, or a biometric. Card-present is the opposite end of the risk spectrum from card-not-present — fraud rates are an order of magnitude lower, interchange is cheaper, and when EMV chip-and-PIN is used correctly the chargeback liability sits with the issuing bank rather than the merchant.

Card-present is the original way to take a card payment, and despite the rise of e-commerce it's still the majority of in-person retail volume. Every supermarket till, restaurant card machine, taxi terminal, and contactless reader on the Tube is processing card-present transactions. The technology has shifted underneath — from carbon-paper impressions in the 1970s to EMV chip-and-PIN in the 2000s to contactless tap in the 2010s — but the regulatory shape has stayed the same: card present, cardholder verified, liability with the issuer.

What Counts as Card-Present

The card networks treat any of the following as card-present:

• EMV chip-and-PIN. The customer inserts their card, the chip generates a one-time cryptogram, and the customer keys their PIN to authorise. This is the gold standard for fraud protection — a stolen card is useless without the PIN, and the cryptogram makes the transaction non-replayable.
• Contactless / NFC tap. Below the contactless limit (£100 in the UK at time of writing), the customer taps and goes. The card or device still produces an EMV cryptogram in the background, so the transaction is fully authenticated even though no PIN is entered.
• Mobile wallet tap. Apple Pay, Google Pay, and similar wallets use the same NFC protocol as a contactless card. The wallet provides device-level biometric authentication (Face ID, Touch ID, fingerprint), so the transaction is treated as card-present with strong authentication — there's no contactless limit on most wallet-based payments.
• Magstripe swipe. Still possible on most terminals as a fallback, but vanishingly rare in the UK since the 2005 chip-and-PIN rollout. Magstripe transactions don't produce a cryptogram, so they fall back to a signature or are declined.

EMV and the Liability Shift

The single most important thing about card-present is the EMV liability shift. EMV (named after Europay, Mastercard, and Visa, who wrote the spec) defines the chip-and-PIN protocol that's been the default in Europe since the mid-2000s and the US since 2015. When an EMV-certified terminal reads a chip card and authorises with PIN, the issuing bank takes on chargeback liability for that transaction.

What that means in practice: if the customer later says "that wasn't me, I didn't make that purchase," the issuing bank can't claim the merchant should have done more. The chip cryptogram is cryptographic proof that the physical card was present. The bank either eats the fraud loss or chases the cardholder; either way, the merchant keeps the money.

That liability shift is why card-present fraud is so much lower than CNP fraud. It's not that criminals don't try — they just can't make it work without the physical chip, and cloning a chip card is essentially impossible. Magstripe was clonable; chip isn't, at any scale.

Where the shift breaks down: a terminal that wasn't EMV-certified, a transaction that fell back to magstripe because the chip read failed, or a contactless payment over the limit that wasn't followed by a PIN check. Then the liability comes back to the merchant. Acquirers monitor these patterns and will sometimes flag a merchant whose chip-fallback rate is suspiciously high.

Interchange: Why Card-Present Is Cheaper to Take

Card-present interchange is the cheapest interchange there is. Visa and Mastercard publish their UK interchange tables openly; the gap between card-present and card-not-present is typically 0.3-0.8 percentage points, which compounds into real money at any volume. A retailer doing £5m a year card-present pays maybe £45,000-£60,000 in interchange. The same retailer doing the same volume CNP would pay £60,000-£100,000. The card schemes price in the fraud risk, and the fraud risk on card-present is materially lower.

One caveat: interchange caps in the UK and EU under the Interchange Fee Regulation (IFR) compress this gap for consumer debit and consumer credit cards. The 0.2% / 0.3% caps apply across both card-present and card-not-present. Commercial cards, premium credit cards, and non-EU-issued cards aren't capped, and that's where the gap is widest.

PCI DSS Scope for Card-Present Merchants

Card-present merchants have a much easier ride on PCI DSS than phone or e-commerce merchants, but it depends on how the terminal connects to the rest of the world. The relevant SAQs:

• SAQ B (~40 controls). The classic dial-up terminal with no network connection. Card data goes straight from the terminal over the phone line to the acquirer. Almost no IT scope at all. Very rare in 2026 — most terminals are IP now.
• SAQ B-IP (~80 controls). IP-connected terminal, with the payment application running on the terminal itself rather than a back-office system. The terminal is a PCI-validated standalone device; your network just carries the traffic. The most common SAQ for modern card-present retailers.
• SAQ P2PE-HW (~22 controls). Point-to-point encryption hardware. The terminal encrypts the card data inside its tamper-evident enclosure before anything leaves the device. Your network never sees a decryptable card number. This is the lightest possible card-present scope — functionally similar to SAQ A for e-commerce.
• SAQ C (~160 controls). Card-present with a payment application on your own network (the terminal isn't standalone). Heavier.

The pattern is the same as for CNP: the more your own kit can see the card number, the wider your scope. P2PE-validated terminals are the path of least resistance for most card-present setups, because the card data never enters the merchant's environment in a form they could decrypt even if they wanted to. Our PCI DSS glossary entry walks through the SAQ ladder in detail.

Card-Present vs Card-Not-Present: The Practical Difference

For most businesses the choice isn't either/or — you take card-present from walk-in customers and card-not-present from phone orders, online orders, or pay-by-link follow-ups. The thing to remember is that they're treated as different products by the card schemes, by your acquirer, and by PCI DSS:

• Different interchange rates (card-present cheaper).
• Different fraud-monitoring thresholds (CNP gets watched harder).
• Different chargeback rules (card-present with EMV gets the liability shift; CNP needs 3D Secure or compelling evidence).
• Different PCI scope (card-present with a P2PE-HW terminal can be lighter than the easiest CNP path).

If you're a hybrid business — say, a hotel with both reception walk-ins and phone bookings — your acquirer settlement statement will show both transaction types separately. Worth checking the split if you suspect you're being charged the wrong rate, because misclassification (a card-present payment getting routed through the CNP MID) is a common reason for inflated processing fees.

The Future of Card-Present

Two trends are reshaping card-present. The first is the steady move from chip-and-PIN to contactless, accelerated by COVID and the £100 UK contactless limit. The contactless share of card-present is well over 60% in the UK as of 2026, and rising. The second is SoftPOS — turning a standard smartphone into a contactless card reader using its existing NFC chip. SoftPOS dramatically lowers the cost of accepting card-present payments for small merchants who used to rely on a dedicated terminal.

Both trends push the same way: more card-present volume, with more of it happening on commodity hardware, with stronger device-level authentication (biometrics on the customer's wallet, biometrics on the merchant's phone). It's a quietly good story — fraud rates are still falling, scope is still shrinking, and the customer experience keeps getting smoother.