TL;DR
Card-not-present (CNP) transactions — online, MOTO, phone, recurring — carry merchant-side fraud liability, interchange premiums of 0.1-0.3% over card-present, and made up the lion's share of the FBI IC3's $5.3B card-fraud losses in 2023. Visa's CE 3.0 dispute rules (December 2023) help merchants fight first-party fraud; Mastercard's CCM (0.65% chargeback) and ECM (1.0%) thresholds set the upper limit before your acquirer pulls you into a monitoring program. The single biggest lever for US contact centers is keeping card data out of the audio stream — 3DS2 covers your online channel, DTMF masking and channel separation cover the phone channel.
Last updated: 27 May 2026
A card-not-present (or CNP) transaction is any payment where the customer doesn't physically hand a card to the merchant. Instead of a swipe, chip-and-PIN, or tap, the customer provides their card details from a distance. It's the engine behind US e-commerce, recurring billing, and any sale taken over the phone. For US merchants, CNP also carries a meaningfully higher cost: interchange runs typically 0.1-0.3% above card-present, and the chargeback liability falls squarely on you.
What card-not-present transactions actually are
Looking for the full pillar guide? Our complete walk-through on taking card payments over the phone covers every method (DTMF masking, channel separation, IVR), the SAQ D → SAQ A descope, costs, and a buyer's checklist — read it alongside this post.

Think about the difference between paying at a Target checkout and ordering a pizza by phone. At the register, the cashier sees the card and you verify with chip-and-PIN or contactless. That's a card present (CP) transaction — the physical card and its embedded chip generate a unique cryptogram for each purchase that's very hard to copy.
When you read your card number to the pizza place, they have to take it on faith that you're the real cardholder. There's no physical proof. That's the essence of a CNP transaction. All MOTO, online and recurring payments are CNP.
This distinction isn't a technicality. CNP payments rely only on the data printed on the card — the 16-digit PAN, expiration date, and the three- or four-digit CVV — the very fields that get stolen in breaches and phishing campaigns.
Common CNP channels
Online shopping is the most obvious example, but CNP shows up across several channels, each with its own quirks.
- Online e-commerce — customers type their PAN, expiration and CVV into a checkout page.
- Phone orders (MOTO) — mail order / telephone order, where the customer reads card details to an agent.
- Digital chat and SMS — a fast-growing channel where customers pay via web chat, text, or social DMs, usually through a secure payment link.
- Recurring billing — subscriptions and installments, where the card is stored on file and charged automatically.
Across every channel the underlying problem is the same: the business has to trust the person providing the details without any physical proof. That built-in vulnerability is exactly why CNP fraud makes up the lion's share of US card fraud losses.
Card present vs card not present at a glance
| Feature | Card present (CP) | Card not present (CNP) |
|---|---|---|
| Verification | Chip, PIN, contactless, signature | PAN, expiration, CVV, AVS |
| Physical card | Required and present | Not required or present |
| Fraud risk | Lower | Significantly higher |
| Typical environment | Retail stores, restaurants | Online stores, US contact centers, subscriptions |
| Interchange (US) | Lower CPS tier | +0.1-0.3% premium |
| Chargeback liability | Usually shared with issuer | Merchant carries it |
Why CNP fraud is a growing threat to US merchants

Remote payments are convenient, but they've brought a serious and fast-moving problem to almost every American business. When a transaction is card-not-present, the physical security checks we take for granted — chip, PIN, contactless cryptograms — aren't there. That's a real opening for criminals.
Fraudsters don't need to physically steal a card. They just need the information printed on it, and getting that information is alarmingly easy. Stolen card details sell on dark-web markets for a few dollars, harvested from breaches and phishing kits.
The anatomy of a CNP fraud scheme
Once a fraudster has a PAN, expiration and CVV, they can pose as the genuine cardholder. Since a CNP transaction only needs that basic information for authorization, the criminal can place orders online or by phone with very little stopping them.
Consider a typical case. A fraudster uses stolen details to buy a few easy-to-resell laptops from your online store. To your payment system, everything looks normal — the transaction approves. Sooner or later the real cardholder sees the charge on their statement and disputes it with their issuer. The bank initiates a chargeback, which pulls the funds straight back out of your merchant account. You've lost the money, lost the goods you shipped, and you're hit with a chargeback fee on top.
This is the part that hurts. Unlike fraud with a physical card, where the issuer often absorbs the loss, liability for fraudulent CNP transactions lands on the merchant. US issuers typically give cardholders a window of 60-120 days to dispute a charge (some run to 540 days under specific reason codes), so the exposure stretches well beyond the original sale.
"In the event of card-not-present fraud, the merchant carries the financial loss. For retailers running on thin margins, that impact compounds quickly."
The financial picture
This isn't a small cost of doing business. The FBI's Internet Crime Complaint Center (IC3) reported around $5.3 billion in CNP-related losses in 2023, and the trend line keeps moving up as e-commerce grows. Visa rolled out the Compelling Evidence 3.0 (CE 3.0) rules in December 2023 to give merchants better tools to fight first-party fraud disputes, but the underlying volume of CNP attacks hasn't slowed. Mastercard's Excessive Chargeback Merchant (ECM) and Chargeback Compliance (CCM) thresholds continue to tighten — once you cross them, your acquirer can put your account on a monitoring program, raise your reserve, or close it.
The Mastercard CCM and ECM thresholds in detail
The two Mastercard chargeback programs that matter most are CCM (Chargeback Compliance Monitoring) and ECM (Excessive Chargeback Merchant). They run on monthly cycles and they bite at different ratios.
- CCM triggers at a 0.65% chargeback ratio (basis = chargeback count divided by previous-month sales count) combined with a minimum of 100 chargebacks in the month. Once inside CCM, you're under acquirer-managed remediation for 12 months. Mastercard assesses a per-chargeback fee on top of your acquirer's normal chargeback fee for every month you exceed the threshold.
- ECM triggers at the harder threshold: 1.0% chargeback ratio with at least 100 chargebacks in the month. ECM merchants face escalating per-chargeback fees that ramp up over 6, 12, 19 and 24-month periods. Once you're 19+ months into ECM the per-chargeback economics make the underlying transactions unprofitable for most categories.
- Visa's VDMP (Visa Dispute Monitoring Program) is the parallel program for Visa: the standard tier sits at a 0.9% chargeback ratio (or 100 chargebacks), with an excessive tier at higher levels. VFMP (Visa Fraud Monitoring Program) operates on the fraud ratio at 0.65% (dollar-weighted, with a count-weighted alternative) rather than the chargeback ratio.
The ratios sound small until you do the math. A merchant doing 10,000 transactions a month reaches the 0.65% CCM ratio at 65 chargebacks — roughly two a day. Most US merchants don't realize they're approaching either threshold until their acquirer sends the notification letter. The acquirer-level monitoring (which usually triggers earlier, at internal thresholds the acquirer doesn't publish) is the practical early-warning system.
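A monthly self-check for the two Mastercard programs, written as an added example (not code from Mastercard, an acquirer, or this site). It uses the thresholds and the basis stated above and reports the ratio test and the 100-chargeback floor separately, so the 10,000-transaction case shows up as "ratio reached, floor not yet met". The inclusive boundary, the `warn_fraction` early-warning level, and the sample months are assumptions constructed for the example.

```python
from dataclasses import dataclass

# program -> (ratio threshold in basis points, minimum chargebacks in the month),
# taken from the figures in this article. Integer basis points avoid float drift.
PROGRAMS = {"CCM": (65, 100), "ECM": (100, 100)}


@dataclass(frozen=True)
class Month:
    label: str
    sales_count: int
    chargeback_count: int


def ratio_bp(current, previous):
    """Chargeback ratio in basis points: this month's chargebacks over last month's sales."""
    if previous.sales_count <= 0:
        raise ValueError("previous month has no sales; ratio is undefined")
    return current.chargeback_count * 10_000 / previous.sales_count


def program_status(current, previous, program, warn_fraction=0.75):
    """Return 'breach', 'ratio_only', 'warning' or 'ok' for one program.

    warn_fraction is a hypothetical internal early-warning level (assumption);
    thresholds are treated as inclusive (assumption).
    """
    if previous.sales_count <= 0:
        raise ValueError("previous month has no sales; ratio is undefined")
    limit_bp, floor = PROGRAMS[program]
    scaled = current.chargeback_count * 10_000
    ratio_met = scaled >= limit_bp * previous.sales_count
    count_met = current.chargeback_count >= floor
    if ratio_met and count_met:
        return "breach"
    if ratio_met:
        return "ratio_only"  # ratio reached, but fewer chargebacks than the floor
    if scaled >= warn_fraction * limit_bp * previous.sales_count:
        return "warning"
    return "ok"


def chargebacks_until_breach(previous, program):
    """Smallest chargeback count next month that satisfies both conditions."""
    limit_bp, floor = PROGRAMS[program]
    by_ratio = -(-limit_bp * previous.sales_count // 10_000)  # ceiling division
    return max(by_ratio, floor)


def review(months):
    """Walk consecutive months and report each month against both programs."""
    report = []
    for previous, current in zip(months, months[1:]):
        statuses = {p: program_status(current, previous, p) for p in PROGRAMS}
        report.append((current.label, ratio_bp(current, previous), statuses))
    return report


# Constructed sample data, not real merchant figures.
MONTHS = [
    Month("2025-01", 10_000, 40),
    Month("2025-02", 15_000, 65),
    Month("2025-03", 12_000, 120),
    Month("2025-04", 11_000, 150),
]

if __name__ == "__main__":
    for label, bp, statuses in review(MONTHS):
        print(f"{label}: {bp / 100:.2f}% {statuses}")
```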
The US CNP chargeback flow — issuer and acquirer timelines
The US chargeback lifecycle on a CNP transaction follows a defined sequence. Understanding the timeline matters because it dictates how quickly your dispute team has to respond to avoid losing by default.
- Day 0: Customer disputes the charge with their issuing bank. The issuer applies a provisional credit to the cardholder and creates a chargeback record.
- Day 1-7: The chargeback flows from the issuer to the card network (Visa or Mastercard) and then to your acquirer. Your acquirer debits your merchant account for the disputed amount plus a chargeback fee ($15-$50 per chargeback is typical).
- Day 7-30: Your acquirer notifies you of the chargeback and provides the reason code and any supporting evidence the cardholder submitted. You have a defined response window — typically 7 to 30 days depending on the network and reason code.
- Day 30-45: You submit a representment (your response with evidence) through your acquirer's dispute portal. The acquirer forwards it to the issuer.
- Day 45-60: The issuer reviews your representment. If they accept it, the funds return to your account. If they reject it, the chargeback stands or escalates to pre-arbitration.
- Day 60-90: Pre-arbitration. Either party can escalate to formal arbitration by the network, which adds a $400-$500 arbitration filing fee and a binding ruling.
Outer windows depend on reason code: under Visa's reason 13.1 ("Merchandise/Services not received") the dispute window can run to 120 days from the expected delivery date, and under specific reason codes for fraud-related disputes the window can stretch to 540 days. Build your dispute team's process around the worst-case timeline, not the typical one.
CE 3.0 mechanics — what evidence wins
Visa's Compelling Evidence 3.0 rules took effect December 2023 and changed what counts as a winning representment for first-party (so-called "friendly") fraud disputes — disputes where the cardholder claims they didn't authorize the transaction but actually did. Under CE 3.0, a merchant can win the dispute by providing evidence of at least two prior non-disputed transactions on the same card within the previous 365 days, where each prior transaction shared at least two of:
- The same IP address
- The same device fingerprint
- The same shipping address
- The same account login or customer profile
- The same delivery confirmation signature
The evidence has to be presented in a structured format through the acquirer's dispute portal. Several acquirers and dispute-management platforms (Justt, Chargeback Gurus, Verifi/Visa's Order Insight) automate the CE 3.0 evidence assembly and submission. For merchants with meaningful first-party fraud volume, the CE 3.0 win rate on properly assembled evidence runs in the 60-80% range — a material improvement over the pre-CE 3.0 baseline of about 20-30%.
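A pre-screen for whether a dispute is worth a CE 3.0 representment, as an added example (not Visa's, an acquirer's, or any dispute platform's code). It encodes the criteria exactly as listed above; the field names, the `Txn` record, the use of a card token instead of the PAN, and the sample history are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One attribute per matching element in the list above (names are hypothetical).
ELEMENTS = ("ip_address", "device_fingerprint", "shipping_address",
            "account_id", "delivery_signature")
LOOKBACK_DAYS = 365   # "within the previous 365 days"
MIN_PRIORS = 2        # "at least two prior non-disputed transactions"
MIN_SHARED = 2        # "shared at least two of" the elements


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card_token: str   # join on a token so the pre-screen never handles a PAN
    txn_date: date
    disputed: bool = False
    ip_address: Optional[str] = None
    device_fingerprint: Optional[str] = None
    shipping_address: Optional[str] = None
    account_id: Optional[str] = None
    delivery_signature: Optional[str] = None


def _norm(value):
    """Collapse whitespace and case so cosmetic differences do not hide a match."""
    return " ".join(value.split()).casefold() if value else None


def shared_elements(a, b):
    """Names of elements present on both transactions with equal values."""
    shared = []
    for name in ELEMENTS:
        x, y = _norm(getattr(a, name)), _norm(getattr(b, name))
        if x is not None and x == y:
            shared.append(name)
    return shared


def qualifying_priors(disputed, history):
    """Prior transactions usable as evidence, with the elements each one shares."""
    usable = []
    for t in history:
        if t.txn_id == disputed.txn_id or t.card_token != disputed.card_token:
            continue
        age = (disputed.txn_date - t.txn_date).days
        if t.disputed or not (0 < age <= LOOKBACK_DAYS):
            continue  # disputed priors and out-of-window priors do not count
        shared = shared_elements(disputed, t)
        if len(shared) >= MIN_SHARED:
            usable.append((t.txn_id, shared))
    return usable


def ce3_eligible(disputed, history):
    return len(qualifying_priors(disputed, history)) >= MIN_PRIORS


# Constructed sample data (documentation-range IPs, made-up tokens and ids).
DISPUTED = Txn("d1", "tok_A", date(2024, 6, 1), disputed=True,
               ip_address="203.0.113.7", device_fingerprint="fp-91c2",
               shipping_address="12 Elm St, Austin TX", account_id="cust-1001")
HISTORY = [
    Txn("p1", "tok_A", date(2024, 1, 15),
        ip_address="203.0.113.7", device_fingerprint="fp-91c2"),
    Txn("p2", "tok_A", date(2023, 9, 10), ip_address="198.51.100.4",
        shipping_address="12 elm st,  austin tx", account_id="cust-1001"),
    Txn("p3", "tok_A", date(2023, 4, 1),          # older than 365 days
        ip_address="203.0.113.7", device_fingerprint="fp-91c2"),
    Txn("p4", "tok_A", date(2024, 3, 1),          # only one shared element
        ip_address="203.0.113.7"),
    Txn("p5", "tok_A", date(2024, 2, 1), disputed=True,   # itself disputed
        ip_address="203.0.113.7", device_fingerprint="fp-91c2"),
    Txn("p6", "tok_B", date(2024, 5, 1),          # different card
        ip_address="203.0.113.7", device_fingerprint="fp-91c2"),
]

if __name__ == "__main__":
    print(ce3_eligible(DISPUTED, HISTORY), qualifying_priors(DISPUTED, HISTORY))
```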
3DS2 — frictionless, step-up, decline, and the liability shift
3D Secure 2 (3DS2) is the issuer-authentication protocol that sits in front of the authorization for CNP transactions. The merchant's payment page hands off to the issuer's authentication flow before the authorization fires. Three outcomes are possible:
- Frictionless — the issuer evaluates the transaction risk based on the data the merchant passes through (device, behavioral, transaction history) and approves without any customer interaction. The customer doesn't see anything. Typical for low-risk repeat customers; in mature 3DS2 deployments 80-90% of transactions go through frictionless.
- Step-up (challenge) — the issuer wants more confidence and challenges the customer for additional authentication: an SMS code, a biometric prompt in the banking app, a security question. Adds friction and increases abandonment, so issuers reserve step-up for higher-risk transactions.
- Decline — the issuer rejects the authentication outright. The merchant can either re-attempt without 3DS2 (and carry the full liability) or abandon the sale.
The liability shift is the key economic incentive: when a 3DS2-authenticated transaction is later disputed for fraud (reason code 10.4 or equivalent), the chargeback liability shifts from the merchant to the issuer. The shift only attaches when the authentication completes successfully — partial or attempted 3DS2 doesn't qualify. And the shift only covers fraud reason codes; non-fraud disputes ("product not as described," "service not provided") still land on the merchant regardless of 3DS2.
US adoption of 3DS2 is driven by economics rather than regulation. Unlike the EU under PSD2 SCA, US issuers and merchants aren't required to use 3DS2 — they choose when the chargeback economics make sense. For high-AOV merchants in fraud-heavy categories (electronics, luxury goods, digital goods), the liability-shift math usually argues for 3DS2 on most online transactions. For lower-AOV categories with lower fraud rates, the friction cost can outweigh the chargeback savings.
Importantly, 3DS2 only covers your online channel. Phone-payment fraud doesn't benefit from 3DS2 — there's no issuer-authentication step in a phone call. That's why the capture architecture in your phone channel (DTMF masking, channel separation, agent-out-of-the-loop) carries the entire CNP-fraud-reduction burden for telephone payments. The deep dive on US contact-center compliance with PCI DSS v4 is in our PCI DSS v4 for US contact centers guide, and the broader compliance picture on telephone payments lives in PCI compliance for telephone payments.
State-level CNP fraud trends
CNP fraud volume isn't evenly distributed across the US. FBI IC3 data and state-attorney-general reporting show concentration patterns that matter when you're sizing your fraud-reduction program. California, Florida, Texas, New York, and Georgia consistently rank in the top tier for both reported CNP fraud incidents and per-capita losses. Some of that maps to population, but the per-capita signals also reflect organized-crime infrastructure: Miami, Atlanta, Houston, and the Bay Area have consistently been hot spots for card-data resale and synthetic-identity fabrication.
State attorneys general have become much more active on CNP-related breach enforcement since 2022. California's CCPA/CPRA, New York's SHIELD Act, the Texas Data Privacy and Security Act, and the Florida Information Protection Act each impose breach-notification and data-security obligations that can run alongside the PCI DSS obligations on the same incident. A breach that exposes 10,000 US cardholders touches roughly 30 state notification regimes; the patchwork makes proactive scope reduction (keeping the card data out of your environment in the first place) the only economically sensible posture.
The hidden costs beyond chargebacks
The damage from CNP fraud goes well beyond the immediate loss. Every incident chips at something more important: customer trust and your reputation.
- Eroded customer trust — a customer hit by fraud after buying from you will think twice next time.
- Operational drag — your team spends time investigating and disputing chargebacks instead of serving customers.
- Higher processing fees — too many chargebacks get you flagged high-risk. Your acquirer raises fees or, in the worst case, closes your merchant account.
Ignoring CNP fraud risk isn't an option. It's a direct attack on your revenue, your operations, and the customer relationships you've worked hard to build.
Want to see this working in your setup? Book a working-demo call — we'll wire up your actual phone system and show you a live capture.
PCI DSS in CNP environments
When your business takes CNP payments, you're inside the scope of the Payment Card Industry Data Security Standard. PCI DSS isn't optional; it's a mandatory set of controls for any organization that stores, processes or transmits cardholder data. The current version is PCI DSS v4.0.1, in force since 31 March 2025.
A common mistake is assuming PCI DSS only applies to your website checkout. In reality it applies everywhere sensitive payment data exists. That includes your contact center where agents take card details by phone, and it covers web chat logs if customers type their card number there.
The cost of an expanded scope
Think of your operation as a building. Any room that holds valuables — in this case, cardholder data — needs a serious security system. The more rooms in scope, the bigger the footprint and the more expensive the program.
Outdated CNP processes push that scope into unmanageable territory. The moment a call center agent hears a customer read out a card number, your entire contact center infrastructure is dragged into PCI scope. Suddenly everything is a potential exposure: call recordings holding sensitive authentication data, agent desktops, the network carrying voice traffic, and the agents themselves, who now require background checks and specialist training.
Expanding your PCI scope is like deciding to store cash in every room of your house. Suddenly you don't just need a safe in the office; you need reinforced doors, barred windows, and cameras everywhere. The cost and complexity of your annual SAQ or QSA assessment just multiplied.
Navigating compliance in 2026
Maintaining compliance in a high-scope environment is a constant headache. It means quarterly ASV scans, annual penetration tests, and detailed documentation proving every touchpoint is secure. Failing means substantial fines, increased acquirer reserves, and in the worst case losing your ability to process card payments. State attorneys general also pursue data-security incidents aggressively under state privacy laws (CCPA/CPRA in California, NY SHIELD Act, BIPA in Illinois, VCDPA in Virginia and the rest). A PCI gap that contributes to a breach lands you in two regulatory regimes at once.
This is why smart US merchants flip the script. Instead of trying to secure a sprawling environment, they shrink their PCI scope from the start. The goal is to stop sensitive CNP data from ever touching their systems. By using technologies that completely isolate the payment process, you remove the valuables from most of your operational rooms.
Key technologies that secure CNP payments

Understanding CNP risk is one thing. Solving it takes specific tools. There's a set of proven technologies designed to neutralize these risks by stopping sensitive data from ever entering your business operations. Instead of trying to build taller walls around your systems, these solutions prevent the valuable data from ever getting inside.
DTMF masking
When a customer pays by phone, the biggest risk is an agent hearing — and your call recorder capturing — the raw card numbers. DTMF masking solves this. DTMF stands for Dual-Tone Multi-Frequency, the unique sounds each key on a telephone keypad makes.
The customer and agent stay on the line. When it's time for the card details, the customer enters them on their own keypad. The agent hears a flat neutral tone confirming each digit was pressed. Those sensitive tones are intercepted and sent straight to the payment processor, completely bypassing the agent's ears and your call recording system.
This is a genuine turning point for US contact centers. Call recordings stay free of card data, and agents are never exposed to sensitive information. That cuts both internal and external fraud risk in a single move.
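One way to check that claim on your own recordings, as an added example (not Paytia's code or any vendor's): a Goertzel-filter scan that flags frames where a DTMF row tone and column tone dominate the audio. It reports time offsets only and never decodes digits, so the audit output itself stays free of card data. The 8 kHz mono input, the thresholds, the 400 Hz stand-in for the masking tone, and the synthesized recordings are assumptions constructed for the example.

```python
import math
import random

RATE = 8000                          # telephony sample rate in Hz (assumption)
FRAME = 205                          # samples per analysis frame, about 25.6 ms
ROWS = (697, 770, 852, 941)          # standard DTMF low-group frequencies
COLS = (1209, 1336, 1477, 1633)      # standard DTMF high-group frequencies


def goertzel_power(frame, freq):
    """Squared magnitude of the frame's spectrum at one frequency."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frame_has_dtmf(frame, min_energy=1e-4, min_group=0.10, min_total=0.70):
    """True when one row tone plus one column tone carry most of the frame energy."""
    n = len(frame)
    energy = sum(x * x for x in frame)
    if energy / n < min_energy:
        return False                 # effectively silent
    # Normalised so a clean dual tone gives about 0.25 per group.
    row = max(goertzel_power(frame, f) for f in ROWS) / (n * energy)
    col = max(goertzel_power(frame, f) for f in COLS) / (n * energy)
    return row >= min_group and col >= min_group and 2.0 * (row + col) >= min_total


def find_dtmf_frames(samples):
    """Start times (seconds) of frames that still contain a DTMF tone pair."""
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        if frame_has_dtmf(samples[start:start + FRAME]):
            hits.append(start / RATE)
    return hits


def tone(freqs, millis, amp=0.4):
    """Synthesize a sum of sine waves (used only to build the sample recordings)."""
    n = RATE * millis // 1000
    return [sum(amp * math.sin(2.0 * math.pi * f * i / RATE) for f in freqs)
            for i in range(n)]


def build_recording(middle, seed=0, noise=0.02):
    """200 ms of line noise, the given audio, then 200 ms of line noise."""
    rng = random.Random(seed)
    quiet = [0.0] * (RATE * 200 // 1000)
    return [x + rng.uniform(-noise, noise) for x in quiet + middle + quiet]


# Constructed recordings: one where a keypad tone pair reached the recorder,
# one where the recorder only heard a flat single-frequency masking tone.
LEAKY = build_recording(tone((770, 1336), 100))
MASKED = build_recording(tone((400,), 100))

if __name__ == "__main__":
    print("leaky :", find_dtmf_frames(LEAKY))
    print("masked:", find_dtmf_frames(MASKED))
```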
Tokenization
The other pillar of CNP security is tokenization. The best analogy is a valet key. You wouldn't hand a valet the master key that opens the trunk and glove compartment; you give them a limited-use key that only starts the ignition.
Tokenization works the same way with payment data. When a customer pays for the first time, their actual PAN is sent to a secure vault. In return the vault sends back a unique, non-sensitive token — a random string that acts as a stand-in. The token can be stored safely in your systems for recurring billing or one-click checkouts. If your environment is ever breached, attackers get useless tokens, not real PANs. Network tokenization through Visa Token Service and Mastercard Digital Enablement Service takes this one step further by issuing tokens that the networks themselves recognize, with built-in lifecycle management.
Comparing CNP security technologies
| Technology | How it works | Primary benefit |
|---|---|---|
| DTMF masking | A soundproof booth for keypad tones, blocking agents and recorders from hearing sensitive numbers. | Prevents live agent exposure and keeps card data out of call recordings. |
| Tokenization | A valet key for payment data; a stand-in that works for specific tasks but has no value if stolen. | Protects stored card data for recurring billing, even after a database breach. |
| Full encryption (E2EE) | An armored truck that locks data at the customer's end and only unlocks it at the processor. | Secures data in transit, unreadable to anyone in between. |
| Channel separation | A dedicated private path that bypasses your main office systems entirely. | Removes your business environment from the data flow, shrinking PCI scope. |
Each technology plays a role. The strongest CNP security strategies combine them to build layered defense.
Using secure, isolated payment channels
The most effective architecture brings these technologies together in a secure, isolated payment channel. From the moment a customer starts to enter their details, the entire process is separated from your business infrastructure.
Whether it's over the phone, via a payment link in chat, or through an online portal, the customer interacts directly with a secure platform like Paytia. The platform captures the data, processes it with the acquirer, and confirms the result — all without the data touching your systems. The benefits stack up quickly: PCI scope reduction of up to 95%, better security because card details never enter the room they'd be stolen from, and a payment experience that builds trust instead of testing it.
Handling CNP payments with remote and hybrid teams
For US businesses running remote contact centers — which is most of them in 2026 — taking a CNP payment can feel like walking a tightrope. Old-school methods aren't just awkward; they're a genuine security gap waiting to happen.
The old way
For years the standard way to take a phone payment was dangerously simple. The agent asks the customer to read out the full card number, expiration, and CVV. The agent types it into a payment terminal or CRM. That single everyday interaction sets off a chain of security risks. The agent has now seen and heard everything needed to commit fraud. The call recording holds the card data. The agent desktop and the local network are in scope for PCI.
To manage this risk, businesses end up with clean-room policies — agents can't have pens, paper or phones at their desk. These measures slow operations and create a culture of mistrust.
The new way
Modern payment technology turns this around. Instead of pulling sensitive data into your environment, it isolates the payment from your infrastructure completely.
- Initiation — the agent tells the customer that for their security, the system will prompt them to enter details directly.
- Secure capture — the customer types the card number on their phone keypad. DTMF masking stops the agent from hearing the tones, replacing them with a flat neutral sound.
- Direct processing — the sensitive data travels straight from the customer to the payment processor, bypassing the agent, the desktop, and your business systems.
This flow adapts to any channel. On web chat the agent sends a secure payment link that opens a separate PCI-compliant page. On email the same link works. On SMS too.
Operational comparison
| Aspect | Traditional (high risk) | Modern (low risk) |
|---|---|---|
| Data handling | Agent collects card details verbally and types them in. | Customer enters details directly using keypad or secure link. |
| PCI scope | Drags agents, desktops, call recordings and the network into scope. | Limited to the secure provider; your business stays out of scope. |
| Security measures | Clean-room policies and unreliable pause-and-resume recording. | DTMF masking, tokenization, full-path encryption. |
| Customer experience | Reading sensitive details out loud, which feels insecure. | Smooth, professional, and builds trust. |
How modern platforms slash your PCI scope
Bringing in modern security for CNP payments isn't just adding another tool to the stack. It changes your relationship with risk. By using a secure payment platform, you remove cardholder data from your environment altogether. Your PCI DSS scope shrinks, and your compliance headache shrinks with it.
Going back to the house analogy: the old way stashes cash and valuables in every room. The entire building becomes a high-risk zone needing alarms, reinforced windows and constant surveillance. A modern platform acts like a secure off-site vault. When it's time to get paid, the valuables go directly to the vault, bypassing your property entirely.
That's exactly what Paytia is built to do. Over the phone, DTMF masking intercepts keypad tones before they reach your agent or your recorder. By chat or email, secure payment links shift the entire transaction to a dedicated PCI-compliant page. The result is a measurable PCI scope reduction. Your call recordings no longer hold sensitive data. Your agent desktops are clean. Your network is out of the firing line.
The core idea is simple but strong: you can't lose what you don't have. By preventing card data from ever entering your environment, you remove the primary target for criminals and reduce the burden of protecting it.
More than fines and audits
This strategy goes well beyond ticking a compliance box. It builds a sustainable foundation of trust and security. CNP fraud is the fastest-growing category of US card fraud, and a proactive defense is the only one that works. A platform that descopes your environment shields you from the financial and reputational fallout of a breach, and gives your customers a payment experience that signals you take their security seriously.
3DS2 also has a part to play here. US merchants aren't required to use it for regulatory reasons the way European merchants are under PSD2 SCA — adoption here is driven by fraud-tier and chargeback economics. Issuers will give you a liability shift on online 3DS2-authenticated transactions, but the protection doesn't extend to phone payments. That makes the capture architecture for your phone channel the single most important investment in your CNP security posture.
Common questions about CNP security
Does a secure payment platform eliminate our PCI DSS responsibilities?
Not completely, but it makes a real difference. A secure platform like Paytia can cut your PCI DSS scope by as much as 95%, but you'll still complete an annual Self-Assessment Questionnaire. The process gets simpler, faster and cheaper because your systems no longer touch, store or see cardholder data. The SAQ shrinks from SAQ D (329 controls) down to SAQ A (22 controls) for most merchants.
How does DTMF masking actually work on a live call?
The customer types their card details on their phone keypad. DTMF masking technology intercepts those tones before they reach your agent or your call recording. The agent hears a flat monotone beep to confirm a key was pressed; the real tones are routed directly and securely to the payment processor. The card data for the CNP transaction never enters your environment.
Can we really take payments securely through web chat?
Yes. Asking a customer to type their card details into the chat window is a serious security problem. The modern approach lets an agent send a secure payment link inside the chat. The customer clicks the link, which opens a secure branded payment page. All sensitive data stays separate from the chat log and your business systems.
What about recurring billing and stored cards?
Network tokenization (Visa Token Service, Mastercard Digital Enablement Service) and provider token vaults both keep raw PANs out of your environment for subscriptions. The token is stored in your CRM or billing system; the real PAN lives at the network or provider. If your environment is ever breached the attackers get nothing usable.
What about chargeback fights?
Visa's CE 3.0 (December 2023) gave merchants better evidence options for first-party fraud disputes — historical AVS matches, prior non-disputed transactions on the same card, IP and device fingerprint reuse. Mastercard's ECM/CCM thresholds still apply, so the goal is to prevent the chargebacks in the first place. 3DS2 on the online side and channel separation on the phone side are the two biggest levers. For the technical reading on how CCaaS platforms expose the integration points DTMF masking needs, see our cloud contact center solutions guide.
How does AVS fit alongside CVV in a CNP transaction?
AVS (Address Verification System) matches the numeric portion of the cardholder's billing address against the issuer's records — typically the street number and ZIP code. The response codes (full match, partial match, no match) let the merchant decline borderline transactions or route them through additional verification. CVV is the three- or four-digit security code printed on the card; the issuer verifies it as part of authorization, but PCI DSS prohibits the merchant from storing it post-authorization. Combining AVS and CVV reduces CNP fraud rates materially compared to PAN-and-expiration-only authorization, but neither replaces 3DS2's liability shift.
What about BIN-based risk scoring?
The first six to eight digits of the PAN form the Bank Identification Number (now formally called the IIN) and identify the issuer, card type (credit, debit, prepaid), and country of issuance. BIN-based filtering can block obvious fraud patterns — for example, declining all transactions from prepaid BINs in jurisdictions with no chargeback rights, or routing high-risk BINs through additional verification. Most modern fraud-prevention platforms (Sift, Kount, Forter, Riskified, Signifyd) bake BIN signals into their risk scores along with device, behavioral, and historical data. BIN filtering on its own is a blunt instrument; layered into a broader risk model it's a useful signal.
What about Apple Pay and Google Pay on phone payments?
Apple Pay and Google Pay don't apply to traditional phone payments — they require an NFC-capable terminal or a web/in-app checkout. For phone payments, the closest equivalent is sending the customer a secure payment link via SMS that opens an Apple Pay or Google Pay checkout on their phone, processed outside the call. That pattern keeps the phone leg PCI-clean (no card data spoken or keyed) and gives the customer a familiar wallet checkout experience. It also benefits from the network tokenization that the wallets perform — the merchant never sees the underlying PAN, the token rotates per-device, and the wallet provides device-level biometric authentication that issuers treat as equivalent to a 3DS2 step-up for liability purposes. For US merchants running phone-heavy operations, the SMS-pay-link pattern is often the single fastest way to cut both fraud rates and PCI scope on the same channel, and it pairs cleanly with the agent-assisted phone-payment patterns documented elsewhere in this US pillar set.
Ready to take the risk and complexity out of CNP payments? See how Paytia can shrink your PCI scope and secure every transaction. Explore our solutions today.
Reduce CNP fraud with channel separation
Paytia separates the audio channel during card entry so card data never enters your call recording. Lower fraud risk, lower PCI scope, same conversation flow your American agents already know.
Related reading
- What Is Tokenization? A US Merchant's Guide
- Tokenization vs Encryption: What's the Difference?
- DTMF Masking and PCI Compliance
- PCI DSS v4 for US Contact Centers
- State Data Breach Laws for Payment Companies
For the product side, see our DTMF masking solution.



