Card-Not-Present Payment (CNP)

What Is a Card-Not-Present Payment?

A card-not-present (CNP) payment is any credit or debit card transaction where the cardholder does not physically present the card to the merchant at the time of purchase. The merchant cannot inspect the card, read its chip, or verify the cardholder's identity through a point-of-sale terminal. Instead, the customer provides card details manually: the primary account number (PAN), expiration date, CVV code, and billing address.

CNP transactions are the backbone of online commerce. Every time you check out on a website, pay for a subscription, order something over the phone, or tap "buy" in a mobile app, you are initiating a CNP transaction. As global e-commerce sales surpassed $6.4 trillion in 2025, CNP volume now represents the majority of card-based commerce worldwide and over 90% of all online purchases.

The term originated in the card network rules that distinguish transaction types for risk classification. Its counterpart, the card-present transaction, involves chip-and-PIN or contactless tap verification where the physical card and the cardholder are confirmed to be at the merchant location.

How It Works

A CNP transaction follows the same general authorization flow as any card payment, but without the chip or contactless verification step. The process relies entirely on data transmitted digitally between the merchant and the card-issuing bank.

1. The cardholder enters card details (PAN, expiration, CVV, billing address) on the merchant's checkout page, over the phone, or via a stored credential
2. The merchant's payment gateway encrypts the data and transmits it to the acquiring bank
3. The acquirer routes the authorization request through the card network (Visa, Mastercard) to the issuing bank
4. The issuer verifies card validity, available funds, CVV match, address verification (AVS), and fraud scoring
5. If 3D Secure is enabled, the issuer may trigger an additional authentication challenge (one-time password, biometric, or app-based approval)
6. The issuer returns an approval or decline code back through the network to the merchant
7. On approval, the merchant captures the authorized amount during batch settlement, typically daily

CNP vs. Card-Present Verification

The critical difference is what proves the transaction is legitimate. In a card-present transaction, the EMV chip generates a unique cryptogram for each payment, making it nearly impossible to counterfeit. In a CNP transaction, the merchant must rely on weaker signals:

This gap in verification strength is why CNP transactions carry significantly higher fraud rates and interchange fees.

Fraud Prevention Tools

Because CNP transactions lack the physical card verification that makes in-person fraud difficult, merchants and payment processors deploy multiple layers of fraud prevention. No single tool is sufficient on its own: effective CNP fraud prevention requires combining several signals.

CVV/CVC Verification

The card verification value (CVV) is a 3- or 4-digit code printed on the physical card but not stored on the magnetic stripe or chip. PCI DSS prohibits merchants from storing CVV after authorization, so even if a merchant's database is breached, the CVV cannot be extracted from stored records. The code provides a basic proof that the person initiating the transaction has physical access to the card.

Address Verification Service (AVS)

AVS compares the billing address provided by the customer against the address on file with the issuing bank. The system returns a match code (full match, partial match, or no match) that the merchant can use to accept, flag, or decline the transaction. AVS is available primarily in the United States, United Kingdom, and Canada.

3D Secure 2.0

EMV 3-D Secure (3DS2) adds an authentication layer where the customer verifies their identity directly with the issuing bank. The protocol analyzes up to 150 data elements per transaction for risk-based decisioning: over 90% of transactions proceed frictionlessly with no additional customer input, while high-risk transactions trigger a step-up challenge such as a one-time password or biometric confirmation. Mastercard reports up to 80% fewer fraud disputes for 3DS-authenticated transactions.

In Europe, 3DS2 is the primary compliance mechanism for PSD2 Strong Customer Authentication (SCA), which requires multi-factor authentication for electronic payments using at least two of three factors: knowledge (PIN or password), possession (phone or card), and inherence (fingerprint or face ID).

Risk Scoring and Velocity Checks

Risk scoring engines evaluate dozens of signals in real time: device fingerprint, IP geolocation, transaction amount, purchase history, and behavioral patterns. Velocity checks flag unusually rapid transaction attempts from the same card, device, or IP address. Together, these tools catch fraud patterns that static checks like CVV and AVS miss.

Interchange Rate Impact

Card networks charge higher interchange fees for CNP transactions to compensate for elevated fraud risk. The difference is meaningful for merchants processing high volumes:

Premium rewards, business, and corporate cards can see differentials of 50–100+ basis points. For a merchant processing $10 million annually in CNP transactions, this translates to tens of thousands of dollars in additional fees compared to equivalent card-present volume. For a deeper analysis of how these costs accumulate, see the merchant payment acceptance costs research article.

Use Cases

CNP transactions are not limited to traditional online shopping. They appear anywhere a physical card cannot be presented:

• E-commerce checkout: the most common CNP scenario, where customers enter card details or use stored credentials on merchant websites
• Subscription and recurring billing: streaming services, SaaS platforms, and membership programs that charge stored cards on a schedule
• Mail order and telephone order (MOTO): catalog purchases, phone-based reservations, and call center transactions
• In-app purchases: mobile apps that process payments without redirecting to a physical terminal
• Virtual card transactions: digitally-generated card numbers used for online purchases, often with single-use or spend-limited controls
• Buy now, pay later services: installment payment platforms that initiate CNP charges against stored card credentials

Why It Matters

CNP fraud cost U.S. merchants an estimated $10 billion in 2024, and global CNP fraud losses are projected to reach $49 billion by 2030 according to the Nilson Report. Beyond direct losses, merchants face the chargeback multiplier effect: for every $1 of fraud, the total cost including merchandise loss, processing fees, and operational overhead reaches $4.61.

The fundamental problem is architectural. Traditional card payments use a pull payment model: the customer shares account credentials, and the merchant (or any party in the chain) can initiate charges against those credentials. Every entity that touches the card number becomes a potential attack surface.

This is where Bitcoin and stablecoin payments offer a structural advantage. As push payments, they invert the model entirely. The payer cryptographically signs each transaction with a private key: no credentials are shared, no merchant can initiate unauthorized charges, and there is nothing to steal from a database breach. The entire CNP fraud category ceases to exist because there are no reusable account details to compromise. For a detailed comparison of how these payment rails differ, see the stablecoin payment rails vs. traditional research article.

Platforms like Spark enable merchants to accept Bitcoin and stablecoin payments with instant settlement and no chargeback risk, sidestepping the entire CNP fraud prevention stack that traditional card processors must maintain.

Risks and Considerations

Fraud Exposure

CNP fraud remains the dominant category of card fraud globally, accounting for roughly 70% of total card fraud losses in markets like the United Kingdom. Despite improvements in fraud prevention tools, the fundamental vulnerability persists: any system that transmits reusable credentials is susceptible to credential theft, phishing, and account takeover attacks.

Chargeback Liability

Without 3D Secure authentication, the merchant bears liability for fraudulent CNP transactions. When a cardholder disputes a charge, the chargeback process reverses the transaction, and the merchant loses both the merchandise and the payment amount plus processing fees. 3DS2 shifts this liability to the issuing bank for authenticated transactions, but adoption outside Europe is still growing.

Compliance Burden

Merchants that handle CNP transactions must comply with PCI DSS requirements proportional to their transaction volume. Level 1 merchants (over 6 million annual transactions) require annual on-site assessments by a Qualified Security Assessor. Even smaller merchants must complete Self-Assessment Questionnaires and maintain security controls around cardholder data. In Europe, PSD2 Strong Customer Authentication adds further regulatory obligations for CNP payment flows.

Higher Processing Costs

The interchange premium on CNP transactions directly impacts merchant margins. Combined with scheme fees, acquirer markups, and fraud prevention tooling costs, the total cost of accepting a CNP payment can be substantially higher than the equivalent in-person transaction. For high-volume e-commerce businesses, these costs are a significant line item. See the card network economics research for a full breakdown.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.