How a Card-Not-Present (CNP) Transaction Works
A Card-Not-Present transaction follows a distinct authorization path compared to in-store payments. Without a physical terminal handshake, the payment network relies on cardholder-supplied data and layered authentication signals to approve or decline the payment. Understanding each step helps merchants and developers build more resilient checkout flows.
Customer enters card details
The cardholder provides their card number (PAN), expiration date, billing address, and CVV2 on the merchant's checkout page, mobile app, or over the phone. No physical card interaction occurs—the merchant receives only digital credentials.
Merchant's payment gateway submits authorization
The payment gateway encrypts the card data and transmits an authorization request to the acquiring bank, which forwards it to the card network (Visa, Mastercard, etc.) and on to the issuing bank.
Fraud and risk scoring
Before the issuer responds, both the acquirer and issuer run real-time risk scoring. Signals include velocity checks, device fingerprinting, IP geolocation, billing/shipping address match, and behavioral data. High-risk transactions may trigger a 3D Secure (3DS) authentication challenge.
3D Secure authentication (when triggered)
If 3D Secure is invoked, the cardholder is authenticated by their issuing bank—via OTP, biometric, or app push. Successful 3DS authentication shifts chargeback liability from the merchant to the issuer for fraud disputes.
Issuer approves or declines
The issuer returns an authorization code (approved) or a decline reason code. Soft declines may prompt a retry with additional authentication; hard declines end the transaction.
Capture and settlement
The merchant captures the authorized funds—either immediately or on shipment—and the acquirer batches the capture for settlement, typically within one to two business days.
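The six steps above as a runnable model, added here as an illustration and not code from the original page: a signal-based risk score decides whether to invoke 3DS dynamically, a constructed issuer stub returns approve / soft decline / hard decline, a soft decline is retried once with 3DS, and the liability outcome follows from whether 3DS succeeded. The score weights, thresholds and the issuer's behaviour are assumptions, not network rules.

```python
from dataclasses import dataclass

# Constructed thresholds (assumed, not network-mandated): scores at or above
# CHALLENGE_SCORE trigger a 3DS challenge; DECLINE_SCORE blocks before submission.
CHALLENGE_SCORE = 40
DECLINE_SCORE = 80

@dataclass
class AuthSignals:
    avs_match: bool                    # billing address matches issuer records
    cvv_match: bool                    # CVV2 matches
    ip_country_matches_billing: bool   # IP geolocation vs. billing country
    orders_last_hour_same_device: int  # velocity signal from the device fingerprint
    amount: float

def risk_score(s: AuthSignals) -> int:
    """Additive score from the signals named in the 'Fraud and risk scoring' step."""
    score = 0
    score += 30 if not s.avs_match else 0
    score += 40 if not s.cvv_match else 0
    score += 20 if not s.ip_country_matches_billing else 0
    score += 25 if s.orders_last_hour_same_device >= 3 else 0
    score += 10 if s.amount >= 500 else 0
    return score

def stub_issuer(s: AuthSignals, authenticated: bool) -> str:
    """Constructed issuer: hard-declines CVV mismatch, soft-declines larger
    unauthenticated amounts (i.e. asks for 3DS), approves the rest."""
    if not s.cvv_match:
        return "hard_decline"
    if not authenticated and s.amount >= 200:
        return "soft_decline"
    return "approved"

def route_authorization(s: AuthSignals, cardholder_passes_3ds: bool, issuer=stub_issuer) -> dict:
    """CNP path: risk scoring -> optional 3DS -> issuer response -> soft-decline retry."""
    if risk_score(s) >= DECLINE_SCORE:
        return {"outcome": "blocked", "three_ds": False, "liability": "n/a"}
    authenticated = False
    if risk_score(s) >= CHALLENGE_SCORE:              # dynamic, risk-based 3DS trigger
        if not cardholder_passes_3ds:
            return {"outcome": "abandoned", "three_ds": True, "liability": "n/a"}
        authenticated = True
    resp = issuer(s, authenticated)
    if resp == "soft_decline" and not authenticated:  # soft decline: retry once with 3DS
        if not cardholder_passes_3ds:
            return {"outcome": "soft_decline", "three_ds": True, "liability": "n/a"}
        authenticated = True
        resp = issuer(s, True)
    liability = ("issuer" if authenticated else "merchant") if resp == "approved" else "n/a"
    return {"outcome": resp, "three_ds": authenticated, "liability": liability}
```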
Why Card-Not-Present (CNP) Transactions Matter
CNP is the dominant payment mode for ecommerce, subscription businesses, and any merchant without a physical storefront. Its growth trajectory makes understanding its mechanics and risks non-negotiable for anyone building or operating a digital payment stack.
Global ecommerce payment volumes exceeded $6.8 trillion in 2023 (Statista), with the overwhelming share processed as CNP transactions. Meanwhile, CNP fraud accounts for roughly 73% of all card fraud losses in mature markets such as the UK and United States (UK Finance, 2023 Annual Fraud Report), illustrating the direct relationship between CNP volume growth and fraud exposure. A third data point: Juniper Research projects CNP fraud losses will surpass $28 billion globally by 2026, driven by the continued migration of commerce online and increasingly sophisticated automated attack tooling.
For merchants, the financial stakes are concrete. Every fraudulent CNP chargeback costs not just the transaction value but also chargeback fees (typically $15–$100 per dispute), operational investigation time, and—if chargeback ratios exceed network thresholds (1% for Visa, 1.5% for Mastercard)—potential fines or loss of card acceptance privileges. Building robust CNP controls is therefore a revenue-protection measure, not merely a compliance exercise.
Liability reminder
In a standard CNP dispute, the merchant loses the transaction amount plus fees. Successful 3DS2 authentication shifts that liability to the card issuer. Every unprotected CNP order is a potential unrecoverable loss.
Card-Not-Present (CNP) Transaction vs. Card-Present Transaction
The distinction between CNP and card-present shapes everything from fraud liability to interchange rates. The table below covers the key dimensions merchants and developers should understand.
| Dimension | Card-Not-Present | Card-Present |
|---|---|---|
| Physical card required | No | Yes (swipe, chip, or tap) |
| Authentication method | CVV, AVS, 3DS, device signals | PIN, chip handshake, signature |
| Fraud liability (no 3DS) | Merchant | Card issuer |
| Fraud liability (with 3DS) | Card issuer | Card issuer |
| Interchange rate | Higher (card-absent surcharge) | Lower |
| Chargeback risk | High | Low |
| PCI DSS scope | Depends on integration (SAQ A–D) | Typically SAQ B or C |
| Typical use cases | Ecommerce, MOTO, subscriptions | Retail POS, restaurants, kiosks |
| CVV storage | Prohibited (PCI DSS) | N/A — chip handles verification |
Types of Card-Not-Present (CNP) Transactions
CNP is not a single transaction type but a family of payment scenarios unified by the absence of a physical card. Each variant carries its own risk profile and technical requirements.
Ecommerce (web and mobile): The most common CNP form. The cardholder enters credentials at checkout on a website or app. Ecommerce CNP is the primary target for automated fraud tooling due to scale and speed.
Mail Order / Telephone Order (MOTO): The merchant manually keys card details provided by a customer over the phone or by mail. MOTO has no 3DS path, so liability always rests with the merchant. It requires a virtual terminal and heightened manual review.
Recurring and subscription billing: After an initial CNP transaction, the merchant stores a token (not the raw PAN) to charge the card on a recurring schedule. Network rules require initial cardholder consent and that each subsequent transaction be flagged as recurring. Tokenization and network tokens are essential here.
Card-on-file (COF): The cardholder authorizes the merchant to store credentials for future one-click purchases. COF transactions must be flagged appropriately to card networks and require an initial authenticated transaction to establish the stored credential.
Pay-by-link: The merchant sends a payment link via email or SMS. The cardholder clicks through to a hosted payment page. Liability and authentication follow standard CNP rules.
Best Practices
Strong CNP hygiene requires coordinated effort from both the business side and the technical implementation layer.
For Merchants
- Enable 3DS2 on all eligible transactions. Liability shift alone justifies the implementation cost. Configure your payment provider to apply 3DS dynamically based on risk score rather than universally, preserving conversion for low-risk orders.
- Use Address Verification Service (AVS) and CVV matching. Decline or flag transactions where billing address or CVV do not match issuer records. These are cheap first-line filters.
- Monitor chargeback ratios weekly. Set internal alert thresholds well below network limits (e.g., 0.7% for Visa) to catch deteriorating fraud trends before they trigger formal monitoring programs.
- Apply velocity rules. Multiple orders from the same IP, device, or email within a short window are strong fraud signals. Implement velocity caps at the gateway or fraud platform level.
- Communicate clearly with customers. Unexpected 3DS challenges cause cart abandonment. Ensure checkout copy explains the authentication step and that your customer support team can handle related inquiries.
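The velocity-rule and chargeback-monitoring practices above as working detection logic, added here as an example rather than code from the page: a sliding-window counter per IP, device and email flags the order that breaches a cap, and a ratio check reports an internal alert before the network limit is reached. The caps, windows and the sample orders are constructed; the alert thresholds use the 0.7% Visa figure from the text and an assumed 1.0% for Mastercard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed velocity caps (assumed values): max orders per key within the window.
VELOCITY_RULES = {
    "ip": (5, timedelta(minutes=10)),
    "device": (3, timedelta(hours=1)),
    "email": (3, timedelta(hours=24)),
}
# Internal alert thresholds set below the network limits (Visa 1%, Mastercard 1.5%).
ALERT_THRESHOLDS = {"visa": 0.007, "mastercard": 0.01}
NETWORK_LIMITS = {"visa": 0.01, "mastercard": 0.015}

def velocity_hits(orders):
    """Scan orders in time order; return (order_id, key, value) for each order that
    pushes a key (ip, device, email) past its cap inside the sliding window."""
    history = defaultdict(list)        # (key, value) -> timestamps inside the window
    hits = []
    for o in sorted(orders, key=lambda x: x["ts"]):
        for key, (cap, window) in VELOCITY_RULES.items():
            bucket = history[(key, o[key])]
            while bucket and o["ts"] - bucket[0] > window:   # expire events outside the window
                bucket.pop(0)
            bucket.append(o["ts"])
            if len(bucket) > cap:
                hits.append((o["id"], key, o[key]))
    return hits

def chargeback_status(network, chargebacks, transactions):
    """'ok', 'alert' (internal threshold crossed) or 'breach' (network limit crossed)."""
    ratio = chargebacks / transactions if transactions else 0.0
    if ratio >= NETWORK_LIMITS[network]:
        return "breach"
    if ratio >= ALERT_THRESHOLDS[network]:
        return "alert"
    return "ok"

# Constructed sample: four orders from one device fingerprint inside an hour, then a clean one.
T0 = datetime(2024, 3, 1, 10, 0)
SAMPLE_ORDERS = [
    {"id": "o1", "ts": T0, "ip": "198.51.100.7", "device": "dev-A", "email": "a@example.com"},
    {"id": "o2", "ts": T0 + timedelta(minutes=15), "ip": "198.51.100.7", "device": "dev-A", "email": "b@example.com"},
    {"id": "o3", "ts": T0 + timedelta(minutes=30), "ip": "198.51.100.7", "device": "dev-A", "email": "c@example.com"},
    {"id": "o4", "ts": T0 + timedelta(minutes=45), "ip": "198.51.100.7", "device": "dev-A", "email": "d@example.com"},
    {"id": "o5", "ts": T0 + timedelta(hours=3), "ip": "203.0.113.9", "device": "dev-B", "email": "e@example.com"},
]
```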
For Developers
- Implement network tokenization (Visa Token Service, Mastercard MDES). Network tokens replace PANs with dynamic credentials, reducing the value of stolen card data and lowering interchange on eligible transactions.
- Flag transaction types correctly. Use the correct electronic commerce indicator (ECI) values and recurring/COF flags in authorization requests. Incorrect flagging results in wrong liability assignment and potential network fines.
- Scope PCI DSS accurately. Hosted payment fields (iframes) or redirect-based flows (SAQ A) minimize PCI scope versus direct API integrations (SAQ D). Choose the integration method that matches your security capacity.
- Implement idempotency keys. CNP retries on network timeouts can cause duplicate charges. Always send a unique idempotency key per payment attempt.
- Log device fingerprints and behavioral signals. Pass enriched client-side data (screen resolution, timezone, interaction timing) to your fraud detection layer and payment provider for improved risk scoring.
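The flagging and idempotency points above in code, added as an example and not taken from any gateway's SDK: the request builder sets the ECI from the 3DS result, refuses to establish a stored credential without an authenticated initial transaction, marks subsequent card-on-file or recurring charges as merchant-initiated, and attaches one idempotency key per attempt; a constructed gateway stub shows why a retried request with the same key charges only once. The ECI values are Visa's; the request field names are illustrative assumptions.

```python
import uuid

# Visa ECI values: 05 = 3DS authenticated, 06 = attempted, 07 = not authenticated.
ECI = {"authenticated": "05", "attempted": "06", "none": "07"}
CREDENTIAL_USES = {"one_off", "cof_initial", "cof_subsequent",
                   "recurring_initial", "recurring_subsequent"}

def build_auth_request(network_token, amount_minor, currency, three_ds_result,
                       credential_use, idempotency_key=None):
    """Assemble an authorization request. Field names are illustrative (assumed), not a
    specific gateway's API; the point is the ECI/stored-credential flags and the key."""
    if three_ds_result not in ECI or credential_use not in CREDENTIAL_USES:
        raise ValueError("unknown 3DS result or credential use")
    req = {
        "idempotency_key": idempotency_key or str(uuid.uuid4()),  # one per payment attempt
        "network_token": network_token,                           # never the raw PAN
        "amount_minor": amount_minor,
        "currency": currency,
        "eci": ECI[three_ds_result],
        "stored_credential": None,
    }
    if credential_use != "one_off":
        kind, phase = credential_use.split("_")          # e.g. ("recurring", "subsequent")
        if phase == "initial" and three_ds_result == "none":
            # the stored credential is established only by an authenticated initial transaction
            raise ValueError("initial stored-credential transaction must be authenticated")
        req["stored_credential"] = {"type": kind, "phase": phase,
                                    "merchant_initiated": phase == "subsequent"}
    return req

class GatewayStub:
    """Constructed stand-in for a gateway: replays the stored result when the same
    idempotency key is submitted again (e.g. a retry after a network timeout)."""
    def __init__(self):
        self.results = {}
        self.charges = 0

    def authorize(self, req):
        key = req["idempotency_key"]
        if key not in self.results:
            self.charges += 1                     # only the first submission charges the card
            self.results[key] = {"status": "approved", "auth_code": f"A{self.charges:05d}"}
        return self.results[key]
```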
Common Mistakes
Even experienced teams make avoidable CNP errors that increase fraud losses or reduce authorization rates.
1. Skipping 3DS to avoid cart abandonment. Many merchants disable 3DS to protect conversion, not realizing that 3DS2's risk-based frictionless path resolves the friction concern for most transactions. Skipping 3DS entirely forfeits liability shift and exposes the merchant to the full cost of fraud chargebacks.
2. Storing CVV values. PCI DSS explicitly prohibits storing the CVV2/CVC2 after authorization. Merchants who store it—even inadvertently in logs—face significant compliance penalties and create a high-value target for attackers.
3. Not flagging recurring transactions correctly. Failing to use the correct subsequent recurring transaction flag causes issuers to treat repeat charges as new CNP transactions, resulting in higher decline rates and incorrect liability assignment.
4. Treating all declines as final. Soft declines (e.g., issuer requires authentication) can often be resolved by re-submitting with a 3DS challenge. Merchants who abandon on the first decline leave recoverable revenue on the table. Implement intelligent retry logic with your payment orchestration layer.
5. Ignoring AVS mismatch signals. AVS mismatches—especially on high-value orders or orders with different billing and shipping addresses—are strong fraud indicators. Automatically approving AVS-mismatched transactions without additional review inflates fraud rates.
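Mistake 2 usually happens through logging rather than deliberate storage. The following is an added example, not code from the page: a logging filter that redacts CVV values and masks PANs to first six / last four before a record is written, using a Luhn check so that non-card numbers of similar length (order ids) are left alone. The field names recognised and the sample line are constructed.

```python
import logging
import re

# Candidate PAN: a 13-19 digit run; masked only if it passes Luhn, to avoid masking order ids.
PAN_RE = re.compile(r"(?<!\d)(\d{6})(\d{3,9})(\d{4})(?!\d)")
# CVV2/CVC2 values next to common (assumed) field names, in JSON or key=value form.
CVV_RE = re.compile(r'("?(?:cvv2?|cvc2?|csc|security_code)"?\s*[:=]\s*"?)\d{3,4}', re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub(text: str) -> str:
    """Redact CVV values entirely and mask Luhn-valid PANs to first 6 / last 4."""
    text = CVV_RE.sub(r"\1[REDACTED]", text)
    def mask(m):
        whole = m.group(0)
        if not luhn_ok(whole):
            return whole
        return m.group(1) + "*" * len(m.group(2)) + m.group(3)
    return PAN_RE.sub(mask, text)

class CardDataFilter(logging.Filter):
    """Attach to a logger or handler so every record is scrubbed before it is written,
    e.g. logging.getLogger().addFilter(CardDataFilter())."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())   # format first, so args are scrubbed too
        record.args = ()
        return True

# Constructed sample line as a gateway SDK might emit it on a debug path.
SAMPLE = 'auth request body={"pan": "4111111111111111", "cvv": "123", "order_id": "1234567890123456"}'
```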
Card-Not-Present (CNP) Transaction and Tagada
CNP transaction management sits at the core of what Tagada's payment orchestration platform addresses. Tagada routes each CNP authorization to the optimal acquirer based on real-time performance data—maximizing approval rates while minimizing fraud exposure across the merchant's acquirer mix.
Tagada and CNP optimization
Tagada's orchestration layer applies dynamic 3DS triggering, intelligent retry logic for soft declines, and acquirer routing rules tuned to CNP transaction profiles—helping merchants recover revenue that static single-acquirer setups routinely lose to unnecessary declines and unprotected chargebacks.
For merchants processing high CNP volumes, Tagada enables cascading fallback across acquirers when a CNP authorization fails, combined with network tokenization support to improve card-on-file authorization rates over time. The platform's fraud signal enrichment passes device and behavioral data to connected fraud tools, creating a coordinated defense layer rather than siloed point solutions.