A card-not-present transaction (CNP, mail order / telephone order, MO/TO) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected. It is most commonly used for payments made over the Internet, but can also be used with mail-order transactions by mail or fax, or over the telephone.
Card-not-present transactions are a major route for credit card fraud, because it is difficult for a merchant to verify that the actual cardholder is indeed authorizing a purchase.
If a fraudulent CNP transaction is reported, the acquiring bank hosting the merchant account that received the money from the fraudulent transaction must make restitution to the cardholder, which is called a chargeback. In addition, the merchant account would be assessed a chargeback fee by the acquiring bank. [1]
This is the opposite of a card present transaction, when the issuer of the card is liable for restitution. [2] Because of the greater risk, some card issuers charge a greater transaction fee to merchants who routinely handle card-not-present transactions.
The card security code (in this case, CVV2) system has been set up to reduce the incidence of credit card fraud arising from CNP. [3]
If a card is not physically present when a customer makes a purchase, the merchant must rely on the cardholder, or someone purporting to be so, presenting card information indirectly, whether by mail, telephone or over the Internet. [4]
Shipping companies may guarantee delivery of goods to a location, but they are normally not required to check identification and they are usually not involved in processing payments for the merchandise. A common preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information. Before this and similar countermeasures were introduced, mail order carding was rampant as early as 1992. A carder would obtain the credit card information for a local resident and then intercept delivery of the illegitimately purchased merchandise at the shipping address, often by staking out the porch of the residence.
Small transactions generally undergo less scrutiny, and are less likely to be investigated by either the card issuer or the merchant. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates for the privilege of accepting cards. Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.
Merchant associations have developed some prevention measures, such as single-use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures. [5]
The United States Federal Trade Commission uncovered an operation running from 2006 to 2010 that netted more than $10 million in fraudulent charges on credit and debit cards. The perpetrators used more than 100 merchant accounts that they had created to do the billing. [2] [6]
Each merchant account was attached to an Employer Identification Number belonging to a real merchant with a similar-sounding name. [6] [7]
Each merchant account was tied to an 800-number from CallMe800. [6] Each account was also tied to a website they had created. They also rented physical addresses from companies which rent virtual offices, such as Regus (now IWG), for each merchant account. These virtual office companies, which did not know of and were otherwise not involved in the scam, would then forward any mail received at the virtual office to Earth Class Mail, a digital mailroom service that scanned mail from the physical address of the merchant account and forwarded it as a PDF to email accounts that the scammers had established. [2] [6] The scammers also ensured that when they checked their online merchant accounts, that they used an IP address located near the billing address so as not to arouse suspicion. [6]
A charge of $9 was processed on about one million credit cards over the four-year period. [6] Each card was billed a single time. Credit card companies only investigate if the charge is more than $10 because it costs about that much to run an investigation. Then the money was moved to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus, and Kyrgyzstan where the money could not be traced or recovered. The perpetrators experimented with a 20-cent charge and that generated more suspicion than the $9 charge. [2] Only about 10 percent of the fraudulent charges were ever reported or contested by the card owner that was billed. [6] [7]
A debit card, also known as a check card or bank card, is a payment card that can be used in place of cash to make purchases. The card usually consists of the bank's name, a card number, the cardholder's name, and an expiration date, on either the front or the back. Many of the new cards now have a chip on them, which allows people to use their card by touch (contactless), or by inserting the card and keying in a PIN as with swiping the magnetic stripe. These are similar to a credit card, but unlike a credit card, the money for the purchase must be in the cardholder's bank account at the time of the purchase and is immediately transferred directly from that account to the merchant's account to pay for the purchase.
EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.
Dynamic currency conversion (DCC) or cardholder preferred currency (CPC) is a process whereby the amount of a credit card transaction is converted at the point of sale, ATM or internet to the currency of the card's country of issue. DCC is generally provided by third party operators in association with the merchant, and not by a card issuer. Card issuers permit DCC operators to offer DCC in accordance with the card issuers' processing rules. However, using DCC, the customer is usually charged an amount in excess of the transaction amount converted at the normal exchange rate, though this may not be obviously disclosed to the customer at the time. The merchant, the merchant's bank or ATM operator usually impose a markup on the transaction, in addition to the exchange rate that would normally apply, sometimes by as much as 18%.
An address verification service (AVS) is a service provided by major credit card processors to enable merchants to authenticate ownership of a credit or debit card used by a customer. AVS is done as part of the merchant's request for authorization in a non-face-to-face credit card transaction. The credit card company or issuing bank automatically checks the billing address provided by the customer to the merchant against the billing address in its records, and reports back to the merchant who has the ultimate responsibility to determine whether or not to go ahead with a transaction. AVS can be used in addition to other security features of a credit card, such as the CVV2 number.
A chargeback is a return of money to a payer of a transaction, especially a credit card transaction. Most commonly the payer is a consumer. The chargeback reverses a money transfer from the consumer's bank account, line of credit, or credit card. The chargeback is ordered by the bank that issued the consumer's payment card. In the distribution industry, a chargeback occurs when the supplier sells a product at a higher price to the distributor than the price they have set with the end user. The distributor submits a chargeback to the supplier so they can recover the money lost in the transaction.
An overdraft occurs when something is withdrawn in excess of what is in a current account. For financial systems, this can be funds in a bank account. In these situations the account is said to be "overdrawn". In the economic system, if there is a prior agreement with the account provider for an overdraft, and the amount overdrawn is within the authorized overdraft limit, then interest is normally charged at the agreed rate. If the negative balance exceeds the agreed terms, then additional fees may be charged and higher interest rates may apply.
A merchant account is a type of bank account that allows businesses to accept payments in multiple ways, typically debit or credit cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions. In some cases a payment processor, independent sales organization (ISO), or member service provider (MSP) is also a party to the merchant agreement. Whether a merchant enters into a merchant agreement directly with an acquiring bank or through an aggregator, the agreement contractually binds the merchant to obey the operating regulations established by the card associations. A high-risk merchant account is a business account or merchant account that allows the business to accept online payments though they are considered to be of high-risk nature by the banks and credit card processors. The industries that possess this account are adult industry, travel, Forex trading business, multilevel marketing business. "High-Risk" is the term that is used by the acquiring banks to signify industries or merchants that are involved with the higher financial risk.
Chargeback fraud, also known as friendly fraud, cyber shoplifting, or liar-buyer fraud, occurs when a consumer makes an online shopping purchase with their own credit card, and then requests a chargeback from the issuing bank after receiving the purchased goods or services. Once approved, the chargeback cancels the financial transaction, and the consumer receives a refund of the money they spent. Dependent on the payment method used, the merchant can be accountable when a chargeback occurs.
Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner to access the funds in the customer's designated bank accounts, or through a credit account and make payments by electronic transfer with a payment terminal and access automated teller machines (ATMs). Such cards are known by a variety of names, including bank cards, ATM cards, client cards, key cards or cash cards.
An acquiring bank is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. The acquirer allows merchants to accept credit card payments from the card-issuing banks within a card association, such as Visa, MasterCard, Discover, China UnionPay, American Express.
Merchant Account Providers give businesses the ability to accept debit and credit cards in payment for goods and services. This can be face-to-face, on the telephone, or over the internet.
Chargeback insurance is an insurance product that protects a merchant who accepts credit cards. The insurance protects the merchant against fraud in a transaction where the use of the credit card was unauthorized, and covers claims arising out of the merchant's liability to the service bank.
A controlled payment number, disposable credit card or virtual credit card is an alias for a credit card number, with a limited number of transactions, and an expiration date between two and twelve months from the issue date. This "alias" number is indistinguishable from an ordinary credit card number, and the user's actual credit card number is never revealed to the merchant.
Internet fraud prevention is the act of stopping various types of internet fraud. Due to the many different ways of committing fraud over the Internet, such as stolen credit cards, identity theft, phishing, and chargebacks, users of the Internet, including online merchants, financial institutions and consumers who make online purchases, must make sure to avoid or minimize the risk of falling prey to such scams.
Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.
An issuing bank is a bank that offers card association branded payment cards directly to consumers, such as credit cards, debit cards, contactless devices such as key fobs as well as prepaid cards. The name is derived from the practice of issuing cards to a consumer.
A credit card is a payment card, usually issued by a bank, allowing its users to purchase goods or services or withdraw cash on credit. Using the card thus accrues debt that has to be repaid later. Credit cards are one of the most widely used forms of payment across the world.
A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud.
In a credit card or debit card account, a dispute is a situation in which a customer questions the validity of a transaction that was registered to the account.
Venmo is an American mobile payment service founded in 2009 and owned by PayPal since 2013. Venmo is aimed at friends and family who wish to split bills, e.g., for movies, dinner, rent, or event tickets etc. Account holders can transfer funds to others via a mobile phone app; both the sender and receiver must live in the United States. Venmo also operates as a small social network, as users can observe other users’ public transactions with posts and emoticons. In 2021, the company handled $230 billion in transactions and generated $850 million in revenue.
If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase — called a card-not-present transaction — the bank that hosted the merchant account that received the ill-gotten charges must make restitution, said Ms. Litan, the Gartner analyst.
The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions. ... According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed.
Altogether, the thieves charged a total of $9.5 million from a total of 1.35 million compromised cards over a period of four years starting in 2006. However, only about 10 percent of the fraudulent charges were ever reported or contested, according to the FTC.