

Erick Tu
Card Not Present Transactions: Fees, Fraud & Best Practices
A card-not-present transaction happens when a customer pays without their physical card touching a payment terminal. Online checkout, phone orders, recurring billing, anything where the card details move through a form or a stored profile rather than through a chip reader.
For most ecommerce businesses, this is just how payments work. For high-risk businesses, it's the entire operating model.
Key Takeaways
A card-not-present transaction is any payment where the card isn't physically read by a terminal, regardless of whether the customer is in front of you
CNP fees run higher than card-present because the issuing bank takes on more fraud risk when there's no in-person authentication
CNP fraud rates are roughly 4x higher than card-present, and authorisation rates are around 11 percentage points lower
For high-risk businesses, CNP is the default operating mode, which compounds both the fee structure and the chargeback exposure
AVS, CVV, 3D Secure, and tokenization are the standard tools for managing CNP risk
Examples of Card Not Present Transactions
Common CNP transaction types:
Online checkout — card details entered on a website or mobile app
Mail order and telephone order (MOTO) — card details given by phone, fax, or order form
Recurring subscriptions — stored cards charged on a schedule
Card-on-file payments — returning customer charged using saved details
Manually keyed entries — card details typed into a virtual terminal
Invoice payments — customer pays through an emailed payment link
The last few catch people out. Manually keying a card into a terminal counts as CNP even with the customer standing right there, because the card itself never made physical contact with the reader. A logged-in customer using saved card-on-file details is also doing a CNP transaction.
This classification sets the fees, the fraud liability, and the chargeback dispute rules. Everything downstream flows from how the card networks treat CNP as a higher-risk category.
Card Present vs Card Not Present: How They Differ
The card itself isn't the point. What matters is whether the cardholder gets authenticated at the moment of payment.
A card-present transaction runs a one-time cryptogram between the chip and the terminal, the cardholder enters a PIN or signs, and the issuing bank gets a strong signal that the right person authorised the purchase. A CNP transaction has no equivalent. The merchant has the card number, expiry date, and CVV, all of which can be stolen, leaked, or guessed. AVS and 3D Secure add layers back in, but they're proxies for in-person authentication, not equivalents.
| | Card-Present | Card Not Present |
| --- | --- | --- |
| Authentication | Chip + PIN/signature | CVV, AVS, 3D Secure |
| Authorisation rate | ~96% | ~85% |
| Fraud rate | Lower baseline | ~4x higher |
| Interchange | 1.70%–2.05% | 2.05%–3.5%+ |
| Chargeback liability | Often shifts to the issuer | Stays with the merchant |
The authorisation rate gap is the one most merchants miss. CNP declines run roughly four times the card-present rate, which translates straight into lost sales.
Why are CNP Transaction Fees Higher?
Two reasons: interchange and risk.
Interchange is set by the card networks and runs structurally higher for CNP because the issuing bank carries more fraud risk without in-person authentication. Visa CNP rates run 0.4 to 1.0 percentage points above card-present equivalents. Mastercard's structure mirrors this.
The processor's markup also tends to be higher for CNP-heavy merchants. They're pricing their own chargeback exposure on top. On flat-rate pricing, the CNP premium is baked into the headline number. On interchange-plus, you see the components separately.
Situational fees CNP merchants encounter more often:
Higher chargeback fees, since CNP disputes are more common
Gateway fees, since CNP routes through a payment gateway
Tokenization fees for storing card-on-file data securely
Authorisation fees on declines, which hit harder given the lower auth rate
For high-risk businesses, all of this stacks on top of an already elevated baseline. The transaction rate reflects two premiums compounding: one for being CNP, one for being in a high-risk vertical. Add the rolling reserve and the higher chargeback fees on top, and the total cost picture is shaped by the actual exposure of the business rather than a generic processor rate. A processor pricing the risk accurately produces sustainable terms, while a processor pricing it generically either declines the merchant or terminates the account once activity catches up to the underwriting.
CNP Fraud and Chargeback Risks Explained
CNP fraud is its own category, and the numbers are large. Card-not-present fraud losses reach $28 billion globally, and CNP transactions account for roughly 73% of all e-commerce fraud despite making up a smaller share of total transactions.
The patterns merchants see most often:
Stolen card details. Number, expiry, and CVV from a data breach, used before the cardholder notices.
Account takeover. Fraudster gains access to a customer's existing account, uses the saved card-on-file, and sometimes changes the shipping address.
Card testing. Automated scripts run small transactions across many cards to find which stolen numbers still work. Merchants without rate limiting on checkout become free testing infrastructure.
Friendly fraud. A real cardholder buys something, gets the goods, then disputes the charge. CNP transactions are particularly vulnerable because the merchant has limited evidence to push back.
When chargebacks come, the codes are CNP-specific. Visa's reason code 10.4 covers fraud in card-absent environments. Codes 13.1 through 13.6 cover service and refund disputes that almost always apply to CNP.
The threshold that matters is 1%. Both Visa's VAMP program and Mastercard's ECM run formal monitoring once a merchant's chargeback ratio crosses that line, with additional per-chargeback penalties applying on top of what the processor already charges.
Best Practices for Accepting CNP Transactions Securely
The fraud tools work, but only when configured properly and used together.
AVS checks the billing address against the issuer's records. Standard with most processors.
CVV verification confirms the customer has the physical card. Not bulletproof, but raises the bar.
3D Secure shifts fraud liability to the issuing bank for authenticated transactions. Worth the small conversion cost for high-risk merchants.
Tokenization replaces stored card data with values that have no use if breached. Required for proper card-on-file and reduces PCI DSS scope.
Velocity checks and rate limiting stop card testing attacks. Must be enabled and tuned.
Clear billing descriptors that match what the customer remembers buying. Reduces friendly fraud caused by confused customers.
Responsive customer service. Working support channels and friction-free refunds prevent disputes from becoming chargebacks.
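A velocity check for the card-testing pattern described above, written as an added example (it is not code from this article or from any processor). The thresholds, field names and sample attempts are assumptions constructed for illustration, and should be tuned against real checkout traffic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    ts: float         # seconds since epoch
    source: str       # client IP or device fingerprint (assumed field)
    card_token: str   # gateway token, never the raw card number
    amount: float
    approved: bool

class VelocityMonitor:
    """Sliding window per source: many distinct cards, mostly declined."""

    def __init__(self, window_s=600, max_cards=5, max_decline_ratio=0.6):
        self.window_s = window_s
        self.max_cards = max_cards
        self.max_decline_ratio = max_decline_ratio
        self._recent = defaultdict(deque)

    def check(self, a: Attempt) -> bool:
        """Record the attempt; return True if the source should be throttled."""
        q = self._recent[a.source]
        q.append(a)
        # Drop attempts that have aged out of the window.
        while q[0].ts <= a.ts - self.window_s:
            q.popleft()
        cards = {x.card_token for x in q}
        declines = sum(1 for x in q if not x.approved)
        # Both signals are required: a busy shared IP with approvals is not testing.
        return (len(cards) > self.max_cards
                and declines / len(q) >= self.max_decline_ratio)

def flagged_sources(attempts, **limits):
    """Replay attempts in time order and return the sources that tripped the check."""
    monitor = VelocityMonitor(**limits)
    return {a.source for a in sorted(attempts, key=lambda x: x.ts) if monitor.check(a)}

# Constructed sample data (documentation-range IPs, made-up tokens).
SAMPLE = (
    # Small charges across 12 different cards in four minutes, mostly declined.
    [Attempt(1000 + 20 * i, "203.0.113.7", f"tok_{i:03d}", 1.00, i % 4 == 0) for i in range(12)]
    # One customer retrying a single card after two declines.
    + [Attempt(1000 + 400 * i, "198.51.100.20", "tok_alice", 49.99, i == 2) for i in range(3)]
    # Shared office IP: different cards, hours apart, all approved.
    + [Attempt(1000 + 3600 * i, "192.0.2.44", f"tok_s{i}", 25.00, True) for i in range(8)]
)
```

Requiring both a distinct-card count and a decline ratio keeps a legitimate retry or a shared network address from being throttled, which matters given the already lower CNP authorisation rate.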
Sensapay layers these tools into its fraud protection for high-risk merchants, configured against the actual exposure of the vertical rather than a generic ruleset.
CNP Transactions for High-Risk Merchants
For most online businesses, CNP is one channel. For high-risk merchants, it's the whole channel. CBD, subscription billing, online gaming, telehealth, dating, adult content payments, and most regulated verticals run almost entirely CNP, which makes everything covered above more acute.
Three things compound:
The fee math. Where a standard merchant pays one CNP premium, a high-risk merchant pays two: one for being CNP, one for being high-risk. At meaningful volume, the gap from low-risk card-present rates lands at three to four percentage points or more.
The chargeback threshold. Subscription cancellations, billing confusion, and recurring payment friction generate baseline disputes that take you toward the 1% line even when nothing's wrong with the business. CNP fraud on top tips merchants over the edge into VAMP or ECM monitoring.
The aggregator problem. Stripe, PayPal, and Square decline or terminate high-risk CNP merchants because their automated monitoring is calibrated to flag exactly the patterns these merchants generate normally.
A high-risk CNP merchant needs a processor that knows the vertical, prices the risk explicitly, runs underwriting that doesn't terminate on automated triggers, and supplies the fraud tools and dispute support that match the actual exposure.
Working with Sensapay
Sensapay specialises in high-risk payment processing and chargeback management for businesses operating primarily or entirely in CNP environments. Underwriting and account management run in-house, which means the people pricing your account understand what your chargeback ratio should look like for your vertical, what your authorisation rate should be doing, and what tools fit your actual exposure.
For businesses moving off an aggregator, building a new high-risk operation, or running existing CNP volume that's outgrown its current setup, Sensapay offers a straightforward high-risk merchant account application process.
Frequently Asked Questions
How do you process a card-not-present transaction?
The customer enters their card details on a checkout page, virtual terminal, or payment link. Those details move through the payment gateway, hit the issuing bank for authorisation, and the charge gets approved or declined. Sensapay runs AVS and CVV checks on every transaction. 3D Secure is available where the liability shift makes sense for the merchant.
Is a digital wallet payment like Apple Pay card-present or card-not-present?
Depends where the payment happens. Tapping a phone or watch on a contactless terminal is card-present because the terminal captures encrypted card data from the device. Using the same wallet in an app or on a website is card-not-present. No terminal, no card-present.
How do you reduce card-not-present chargebacks?
Most chargebacks come from one of two sources: actual fraud or confused customers. Tokenization, AVS, CVV, and 3D Secure handle the first, while clear billing descriptors handle the second. Sensapay adds chargeback warnings and dispute management for high-risk merchants so problems are identified before they become more serious.
Are contactless and card-not-present the same thing?
No. Contactless at a terminal is card-present because the reader obtains authentication information from the card or device. A card-not-present transaction occurs remotely, without the use of a terminal, even when the customer is holding the card while entering the number into a website.

