Every card not present transaction needs to be done right
When your business accepts a card not present transaction, it opens the door to a plethora of situations, some of which may not be ideal. Follow these guidelines to ensure that such transactions are carried out securely. Read more to know more!
As someone that owns or manages a business, you’re well-versed with all kinds of transactions – cash, card, digital wallets, and online payments. You’ve probably processed payments where the customer’s debit or credit card was not physically present during the transaction.
In this article we will discuss the many ways you can do your part in making sure that every card not present (CNP) transaction at your business is successful. These best practices include the following:
- Handle information properly
- Uphold PCI compliance
- Prioritize data security
- Avoid chargebacks
- Be aware of interchange fees
- Add an Address Verification Service (AVS)
- Implement card security checks
- Adopt tokenization
- Follow protocol in continuity marketing
- Consider alternative payment options
Keep reading to see the full list.
A successful transaction means a customer paid for products and services, and the merchant got paid for the same. Plus, there are no chargebacks! Just a great day to be accepting payments, I guess.
In this article we’ll cover how to have more successful transactions like these. But first, let’s have a quick recap on what a card not present transaction is.
Break free from fee overload
Eliminate payment processing fees through a merchant discounting program.
Break free from fee overload
Eliminate payment processing fees through a merchant discounting program.
What is a card not present transaction?
A card not present transaction is a transaction where the buyer’s credit card doesn’t have a physical interaction with the merchant’s terminal.
From online payments to manually entering card information into a terminal, (aka manually keyed-in transactions) there are situations where a debit or credit card is not physically present for the transaction to occur.
A major concern with any card not present transaction is fraud risk. In fact, 73% of all card payment fraud is made up of card not present payments! That’s why it is vital to have some measures in place to monitor every card not present transactions at your business. Keep reading to see how to prevent fraud like this.
Why is it important to follow guidelines for a card not present transaction?
It is important to follow a few guidelines every time you make a card not present transaction due to the following reasons:
There are consequences of a card not present transaction going awry if rules are ignored. Even if rules are followed, there’s still some risks with these transactions. Because of these higher risks, many payment processors charge an arm and leg for transactions like these. If you’re looking for ways to save money on merchant processing, even with card not present transactions, we have the inside scoop. Check out our latest e-book.
10 best practices to follow when performing a card not present transaction
When accepting a card not present transaction, we strongly recommend following our list of best practices. They are:
1. Handle information properly
The first pointer when you’re performing a card not present transaction at your business is to properly handle customer information. There are a few ways to achieve this.
First is presenting business information. This involves displaying your contact information on your website, emails, catalogs, and any similar mediums. Having your contact information listed online and on other marketing materials is a way to encourage a customer to reach out to you first if they saw a charge on their credit card statement that they don’t recognize, instead of simply calling their bank, denying the purchase, and demanding a refund. When a customer contacts you about a purchase they don’t believe they made, you have the opportunity to explain if the charge was legit. If the purchase was made online, you’ll have email records showing order confirmation and shipping. Similarly, if the purchase was made in person, you might have camera footage showing who came into your store and made that purchase. Be transparent about your policies surrounding billing, returns, shipping, privacy, etc.
Second is obtaining customer information. This involves getting customers’ phone numbers and email addresses along with card information such as name on card, account number, card type, expiration date, CVV (Card Verification Value, a 3-digit code on the back of a bankcard), etc.
Last comes securing customers’ information. There are several safety measures that can help you protect your customers’ sensitive information. From PCI compliance to data encryption and internal audits, you have many ways to keep your business safe from harmful elements.
2. Uphold PCI compliance
PCI compliance is a set of standards that all businesses accepting card transactions are mandated to uphold. Failure to do so can have a negative impact on a business. These negative impacts can range from fines to being banned from accepting credit cards entirely, depending on severity. PCI stands for “Payment Card Industry.” PCI requirements help protect businesses from potential data breaches. Writing down the customer’s card info on paper and asking for the customer’s card information over an unsecure channel are common PCI failings seen when teams aren’t as well-versed in card not present transactions.
1. Avoid writing down the customers card info on paper
A major PCI compliance no-no is writing down a customer’s card information to run a card not present transaction later. Teammates get busy, a customer calls, and they write the card numbers down with the intention to run the card in a little bit when they have a chance. It can seem like a easy fix at the time, but it can open the business and customer to risk. What if the written card info was seen by prying eyes? Always enter the information and run transactions in real time. There’s no need to write it down on paper.
2. Don’t request or allow the customer to send card information over email or text
Avoid asking or letting customers send their card information via text or email. This is a clear violation of PCI compliance. Such methods to get information to run a card not present transaction are not always secure, and they may put the customer and your business more susceptible to security risks. A phone call is a secure way to share card information. Explore this guide to PCI compliance.
3. Prioritize data security
Data breaches are a nightmare that can wreak havoc on a business. According to IMB, in 2023 the average cost for a business because of a data breach is $4.45 million. A business may never fully recover and that’s why it is important to put data security at the forefront of business concerns. Ensure your customer’s information is secure.
Any business that takes card transactions is at risk for cyberattacks as hackers want to steal sensitive data that they can misuse. This is true even for a card present transaction.
They say, ‘a chain is only as strong as its weakest link’. Human error can easily open up the door to a data leak or data breach. Ensure all employees handling card information, or that have access to card information, are well-trained. Having an employee with that much access fall victim to phishing schemes could open the company up to liabilities. Employees with access to this data should understand the potential risks and know how to avoid them.
4. Avoid chargebacks
A chargeback is when a customer disputes a charge on their card by contacting and reporting it to their card issuer. The card issuer and your payment processor are likely to take note of your business when this happens. Accidents can happen, but too many chargebacks could be a sign of fraud for these financial companies. Your payment processor might charge you a fee for every chargeback. And just like baseball, when a business is found with too many strikes from chargebacks, they’re out. They may lose the ability to accept card payments at all! I know, that doesn’t sound good at all. That’s why you want to avoid chargebacks as best as you can.
The good news is that you do have the option to fight any disputes. However, you must be able to provide verification for that sale. Failure to do so means you’ll need to reimburse the customer. It’s easy to dispute a chargeback when you have video of the customer using their card in your store. But what do you do when the card nor customer were present for the transaction?
If a customer claims that their card was used without their knowledge or consent, it falls under the unauthorized use category. Sometimes, this might be fraud where someone steals a customer’s information and asks a merchant to perform a card not present transaction. Obtaining information like a CVV can reduce such fraud risks.
The second category for common chargebacks is authorization not obtained. In this case, the card issuer might assert that the merchant didn’t have proper authorization to run the sale. Such chargebacks can be avoided by limiting forced transactions where a merchant bypasses the authorization process. Sometimes this type of chargeback is caused by human error and so caution needs to be exercised when running a card not present transaction.
The last category is recurring transactions where customers claim they were charged after cancelling a subscription. Act fast to update customer accounts when they ask to avoid this type of chargeback. Keep records of cancellations via email or even phone calls so you have time and date stamps to dispute such a chargeback.
5. Be aware of interchange fees
Interchange fees can be described as costs of doing business. They are fees charged by payment processors that merchants pay so that they can accept non-cash payments. In fact, interchange fees form the bulk of a merchant’s total processing fees. It is essential to be aware of how much you’re paying in interchange fees. If you need help understanding your statement, contact our team for a free statement evaluation. We’ll break down all your processor’s fees and even provide guidance on where you can save money.
There’s a lot of benefits to being able to accept card not present transactions, but they can come with risks. Because of these risks, merchant processing companies often charge more for fees associated with card not present transactions. It’s important to know that such transactions are just going to be inherently more expensive than other, less risky, transactions. It’s just one of the costs of business.
If you’re looking for ways to save on payment processing to cut down on costs, check out our latest e-book.
6. Add an Address Verification Service
An Address Verification Service (AVS) is an automated anti-fraud measure that can help lower risks that come with any card not present transaction. It verifies the customer’s billing address with the card issuer and enables you to decide whether to run a transaction or not. The verification is requested by the merchant.
There are two pieces of information included in the authorization request – numeric data in the address and the zip code. In the next step, your payment processor will match this data with information at the cardholder’s issuing bank and send a response code. Catching mismatched data can help prevent risks.
There may be instances where a customer’s addresses doesn’t match the billing address for legitimate reasons. Reasons could include someone sending a gift or using a business credit card. The good news is these can be resolved traditionally relatively easily.
7. Implement card security checks
Card fraud happens more often than you’d think. Financial theft and identity theft are unfortunately common in our world. Along with external bad actors, fraud can be internal. Your own teammates could steal card information and use it at your store. Implementing certain practices to avoid employee fraud and external fraud is essential.
Tip: Access more information on types of fraud and cybersecurity for businesses.
As a business, you shouldn’t have to foot the bill for other people’s wrongdoings. The best defense is empowering yourself with all the tools and information you need to stop fraudsters in their tracks. One way to do this is to ask for a CVV code when making a card not present transaction. It ascertains that the buyer has at least seen the card directly or otherwise.
The more information you ask for, the less chance of fraud. Often, card data is stolen rather than the physical card. Stealing (or even buying stolen) credit card numbers is one thing for a fraudster. Getting their hands on the expiration date, card holder name, CVV, billing address, and more too, is harder for fraudsters. Ensure that this is a required practice for all teammates handling card transactions.
Common pieces of information to collect are:
8. Adopt tokenization
In a world where data breaches happen, businesses of all kinds and sizes need to reevaluate their security measures. Several big-name companies and their customers have been victims of online bad actors. Tokenization is one way to protect your business and your customers from cyber criminals lurking on the world wide web. In simple terms, tokenization replaces card details of a customer with “tokens” that can’t be read or misused by anyone. Whether you run a card present transaction or one without a card, tokenization is a great option to keep you safe.
9. Follow protocol if engaging in continuity marketing
If your business requires customers to sign up to receive products or services periodically until they cancel, you’re participating in “continuity marketing,” aka “negative option marketing.” An example of this could be a subscription service where a customer agrees to pay for recurring items or services. There are some rules and regulations that come with this type of business practice.
Work with a reliable payment processor like Acumen Connections that can set you up with secure tools to safely keep customer card information and bill them on a reoccurring cycle. These tools are often referred to as a customer credit card vault.
10. Considering alternative payment options
It’s true that card not present transactions provide some benefits that wouldn’t otherwise be an option. There are plenty of businesses that rely on card not present transactions, some more than others. In some cases, it’s possible to avoid such transactions all together. When you have those options for alternative transaction types, take advantage of them. Here are a few examples:
1. Customer’s card won’t work
Before manually entering in their card, ask if they have another way to pay. Perhaps they have cash, a different card, or even a digital wallet. Google Pay and Apple Pay are becoming increasingly popular.
2. Customer is paying now, but picking up their order in-person later
If they’re planning to swing by your restaurant or store already, have them pay in-person. If you’re worried about payment, you can run their card first before handing them their order. This only works on low-cost orders, such as to-go food orders and items that aren’t customized/personalized.
Get paid, not penalized!
Who doesn’t like to get paid? You want to be compensated for the products and services you offer.
70% of Americans shop online and the numbers are predicted to rise each year. Is your business ready to accept online payments?
Discover Acumen Connections’ online payment solutions. More and more people are becoming adults and getting credit cards. If you’re not suited with the credit card reader of your dreams, find one of our in-person checkout tools to match your needs. Similarly, some businesses have customers’ card information on file if they’re signed up for a subscription service. Our online checkout tools can help with that.
When you offer a customer the convenience of a card not present transaction, you’re making the buying process easier for them. Customers like to make things simpler for themselves and businesses worldwide are catering to this. Therefore, it is unfair for businesses like yours to get stuck with fraud and the consequences of it. Sadly, we don’t live in an ideal, world and there will always be bad actors. The good news is that setting up a rigorous protocol might take time and effort, but it is worth the hassle.
Stay smart, stay safe!
Anna Reeve, MBA