Card Present vs Card Not Present: Is there really a battle?
Posted 12 December 2018, Australia
Written by: Dan Billsdon, CTO, ADVAM
In the payment industry there are many terms that get referred to that everyone is expected to know and understand, two of these are Card Present (CP) and Card Not Present (CNP). Just from their name you would assume that you understand everything you need to know about them. As often with payments, there is more to them than first appears so I’m going to explain the differences between these types of transactions and the role they play in the payments scene.
The Names Say it All (or not): Card Present (CP) and Card Not Present (CNP)
Card Present transactions are exactly that. This is where the customer’s credit/debit card is present and used during the transaction. This includes, but not limited to, inserting your card into a payment terminal or tapping your phone on a terminal to make an Apple Pay or Google Pay payment.
Note: This is assuming that the transaction is EMV CP, if you would like more info on EMV please read this page, PCI Compliance and EMV Certification in a Nutshell. A Card Present transaction requires a payment terminal to read the card information. When an EMV CP transaction happens, dynamic data is created by the card, which when passed through the payment networks to the issuer, is verified whether or not the transaction is from a ‘Real’ card from the issuer and not from a ‘Fake’ card with copied card data.
As the issuer can trust that this transaction is coming from their card and not a copy/reproduction, the risk profile of the transaction is reduced, thus the merchant service fees (MSFs) will be of a cheaper rate.
Card Present transactions can also take this transaction authentication a step further by including a method of verification of the card holder, referred to as Cardholder Verification Method (CVM). There are different options for this verification and they all have a different risk profile associated with each of them, that can then drive differing MSFs.
The different CVMs available are:
No CVM
- This is where No Verification is completed, weird but it is still classified as a CVM
Signature
- This is where the card holders’ signature is verified against the one on the back of the card.
Offline PIN
- The customers PIN is collected by the payment terminal and the terminal verifies with the chip on the card if the PIN is correct. The PIN is stored on the customers card, in a secure encrypted manner.
Online PIN
- Primarily used in Australia, New Zealand and US. Online PIN is the most secure CVM. This is where the PIN is collected by the terminal and instead of the payment terminal verifying with the chip if the PIN is correct, the collected PIN is passed in a secure manner through the payment network to the card issuer for verification.
Consumer Device CVM
- This version of CVM is usd when a mobile phone is used as the payment card. This version verifies that the transaction is authorised by use of verification by pin code, finger print or facial recognition
Let’s look at the other side….
Card Not Present transactions are where a payment terminal has not dealt with the card directly, so this could be, but not limited to, an eCommerce transaction, an in-app purchase or a Mail Order Telephone Order (MOTO) transaction. These transactions have a much higher risk profile and are where most fraud occurs. The reason for this is there is no need to communicate directly with the card. The details that are printed on the card are all that is needed to process a transaction.
To reduce the risk profile slightly some extra information can be requested, and this would be:
Card Verification Value (CVV)
- Extra number that in theory proves you have the card in your possession
- 3-digit number on the signature panel for Mastercard, Visa, Diners & Discover cards
- 4-digit number on the front of the card for Amex cards
Address Verification System (AVS)
- Extra details are collected about the cardholders’ address and location. These details are verified with the issuing bank when a transaction is processed.
As you can see CNP transactions do not have as many security measures in place as CP transactions, but they are a very large part of the payments ecosystem. Consumers like the convenience of being able to make purchases online. They love having their card saved and filed on their online account because it eliminates the need to present it every time they complete a transaction. But with this convenience, comes challenges such as increased fraud which can take advantage of the vulnerabilities that the security process exposes This is the reason why the MSF rates are higher on CNP transactions.
Everything has a role to play
CP vs CNP, there is no competition here, they both perform very important transactions in the payment ecosystem.
CP has a lower risk profile as the card issuer can trust that they are communicating directly with the card, which in turn causes a cheaper MSF rate from the schemes for processing these transactions. There are some industries where CP transactions are more common such as the self service industry. They accept payments using physical payment terminals as that method is better suited to the nature of the business.
On the other hand, there are situations such as ecommerce, where CNP transactions are widely seen. With CNP’s limited verification methods, it doesn’t have the ability for the card issuer to confidently say the cardholder is making this transaction which causes these transactions to have a higher risk profile. Due to the necessity to receive payments via online or mobile channels, Merchants will accept the higher rate for processing these transactions, in order to remain competitive and retain customer share.
The payments industry acknowledges the role that each of the transaction types play in the payments ecosystem; hence, there are continuous improvements happening in this area. Just one example is 3DS 2.0 which will soon become mainstream. Keep an eye out for our follow up article on how 3DS 2.0 will improve CNP transactions and help reduce fraud.