Card Not Present: The Definitive Guide to Online, Remote and Mobile Payments

In the evolving world of commerce, card not present transactions sit at the heart of how we buy online, over the phone, or via mobile apps. The phrase describes any payment where the physical card is not presented to the merchant for a swipe or dip. From cluttered cart abandonments to seamless checkouts, Card Not Present processes shape customer experience, security, and commercial risk. This guide unpacks what Card Not Present means, how it differs from Card Present, the security frameworks that govern it, and practical steps that merchants can take to reduce risk without compromising convenience.
Card Not Present: What does the term really mean?
Card Not Present, often abbreviated as CNP, covers a wide array of payment scenarios. In essence, a remote transaction occurs when the purchaser uses card details without providing the physical card to the merchant. Common examples include online shopping, mobile app purchases, and telephone orders. The opposite is Card Present, where the card is physically present and typically used at a point-of-sale terminal. While Card Not Present payments enable global reach and 24/7 sales, they also introduce different risk profiles compared with Card Present transactions.
The Card Not Present landscape: online, mobile and MOTO
Within Card Not Present, different channels carry distinct expectations. Online payments refer to purchases made through a merchant’s website or app, while MOTO (Mail Order/Telephone Order) covers orders taken by voice with manual card entry. Each channel poses unique security challenges and fraud patterns. For instance, online shoppers expect frictionless checkout flows, yet a smooth journey must be balanced with strong authentication and data protection to guard against data breaches and card-not-present fraud. The growth of mobile wallets and one-click payments has further blurred the lines between traditional and modern Card Not Present payments, pushing merchants to adopt flexible, security-first approaches.
Why Card Not Present transactions are different from Card Present
In Card Present transactions, the merchant can rely on the card having been physically presented to the terminal, which provides a strong baseline for identity and card validation. For Card Not Present payments, the merchant does not have that assurance. The data model changes: sensitive card details are transmitted, stored or displayed in less secure environments, increasing exposure to interception, skimming and data breaches. Consequently, the risk of fraud and subsequent chargebacks tends to be higher in Card Not Present scenarios, which is why rigorous security standards and payment industry best practices focus strongly on data protection, tokenisation and customer authentication.
Risks and challenges in Card Not Present transactions
The risk landscape for Card Not Present is multifaceted. Merchants face the possibility of fraudulent orders placed using stolen card details, compromised credentials, or social engineering. In addition, legitimate customers may dispute transactions, leading to chargebacks that can be costly both financially and reputationally. Other challenges include reliance on third parties to process payments securely, the necessity to store or transmit payment data securely, and maintaining a seamless customer experience while adhering to strict compliance regimes. Understanding these risks is essential for developing a robust Card Not Present strategy that protects the business and reassures customers.
How Card Not Present payments work in practice
A typical Card Not Present payment flows through several key stages: initiation by the customer, transmission of payment data to a secure payment gateway, processing by the acquirer, and settlement to the merchant’s account. In many setups, tokenisation becomes central: actual card details are replaced with tokens that can be used for transaction processing but are useless to anyone who intercepts them. This architecture reduces the exposure of sensitive data and makes compliance more manageable. Additionally, 3D Secure authentication and risk scoring help verify the cardholder’s identity before a transaction is approved, particularly for high-risk orders.
From checkout to settlement: a typical Card Not Present flow
During checkout, the customer enters card details into a secure form hosted by a payment provider. The data is transmitted over an encrypted channel such as TLS, and the merchant never stores raw card data on their systems. The gateway or processor receives the information, tokenises it, and forwards a payment request to the acquirer. If the cardholder’s bank approves the transaction, funds are debited and settled to the merchant, subject to fees and processing timelines. The involvement of tokenisation means that even if data is compromised in the merchant environment, the tokens alone cannot be used to access funds.
Security standards and compliance for Card Not Present
Security is not optional in Card Not Present environments. The payments ecosystem is built on a framework of standards and best practices designed to protect consumers and merchants alike. Central to this framework is the Payment Card Industry Data Security Standard (PCI DSS). Compliance with PCI DSS helps ensure that card data is handled securely across the lifecycle of a transaction. Beyond PCI DSS, strong customer authentication (SCA) under PSD2 in the UK and the EU places requirements on multi-factor verification for many Card Not Present payments, especially online transactions. Implementing these controls reduces the risk of fraud and supports smoother dispute resolution should issues arise.
PCI DSS: what merchants need to know
PCI DSS is a comprehensive security standard that applies to merchants and service providers that handle cardholder data. Depending on the volume of transactions and how card data is stored or transmitted, organisations may complete a Self-Assessment Questionnaire (SAQ) to demonstrate compliance. SAQ types range from simple hosted payment pages where card data does not touch the merchant’s servers to more complex setups where some data processing occurs in the merchant environment. Regardless of the SAQ type, the overarching aim is to minimise data exposure and ensure robust protections around data at rest, in transit and in use.
Tokenisation and encryption: reducing sensitive data exposure
Tokenisation replaces card numbers with non-sensitive placeholders that retain the data’s functional value for processing payments. Tokens have no exploitable meaning outside the payment system, so even a breach of the merchant environment exposes nothing of value to criminals. Encryption protects data in transit, ensuring that card details are not readable if intercepted. Together, these technologies form the backbone of a secure Card Not Present environment, enabling merchants to offer convenient checkout experiences while minimising data risk.
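The tokenisation flow described in the two passages above (checkout to settlement, and token versus raw card data), as an added illustration that is not code from the article or from any payment provider. The vault, the `tok_` token format, the HMAC fingerprint used to give a returning card the same token, and the treatment of the first six and last four digits as display-safe are all assumptions of this example; a real vault lives with the payment provider, encrypts its storage and is never reachable from the merchant's database.

```python
"""Constructed tokenisation example: the merchant persists only an opaque
token plus display-safe fragments, while a provider-side vault holds the
mapping back to the PAN. Both sides run in one process here for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CardReference:
    """What the merchant is allowed to keep about a card (assumed policy)."""
    token: str   # opaque and random; reveals nothing about the PAN
    first6: str  # issuer prefix, used for display and routing
    last4: str   # for receipts and order history


class TokenVault:
    """Hypothetical provider-side vault. Storage is in memory for the demo;
    a real vault encrypts it and keeps it outside the merchant environment."""

    def __init__(self, lookup_key: bytes):
        # Secret key for the PAN fingerprint. Without it nobody can rebuild
        # fingerprints by enumerating card numbers, so the index is not a PAN leak.
        self._key = lookup_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> CardReference:
        pan = raw_pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a plausible card number")
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # Multi-use token: the same card maps to the same token, so the
            # merchant can recognise a returning card without seeing the PAN.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fingerprint[fp] = token
            self._pan_by_token[token] = pan
        return CardReference(token=token, first6=pan[:6], last4=pan[-4:])

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, when building the authorisation request."""
        return self._pan_by_token[token]


def merchant_order_record(ref: CardReference, amount_minor: int) -> dict:
    """The order row the merchant stores: no PAN, no expiry, no CVV."""
    return {"token": ref.token, "first6": ref.first6,
            "last4": ref.last4, "amount_minor": amount_minor}


def authorise_with_token(vault: TokenVault, record: dict) -> dict:
    """Processor side: the token is swapped for the PAN only at authorisation time.
    The acquirer call itself is simulated."""
    pan = vault.detokenize(record["token"])
    return {"approved": True, "pan_len": len(pan),
            "amount_minor": record["amount_minor"]}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    ref = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    record = merchant_order_record(ref, 4599)
    print(record)
    print(authorise_with_token(vault, record))
```

The security property to check is the one the text states: a dump of `merchant_order_record` output contains nothing that lets an attacker transact, and the token is random rather than derived from the PAN, so it cannot be reversed or correlated across providers. The keyed fingerprint matters for the same reason: an unkeyed SHA-256 of a PAN can be brute-forced from its issuer range in seconds.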
3D Secure and customer authentication
3D Secure (often branded as Verified by Visa, MasterCard SecureCode, or similar) introduces an additional authentication step to online Card Not Present transactions. In practice, 3D Secure requires the cardholder to complete an additional verification, such as a one-time code sent to their phone or biometric verification. The result is a stronger assurance that the person initiating the payment is the cardholder. While 3D Secure can introduce extra friction for customers, many providers have streamlined flows to maintain usability while preserving security. PSD2’s strong customer authentication further emphasises these protective steps for Card Not Present payments in Europe and the UK.
Regulatory and compliance considerations in Card Not Present
The regulatory environment for Card Not Present payments continues to evolve as technology and consumer expectations change. In the United Kingdom and across Europe, PSD2 and SCA requirements have shifted the emphasis toward stronger authentication for most online purchases. Merchants should maintain awareness of local regulations as well as the compliance expectations of payment service providers. Keeping pace with regulatory changes helps protect customers and reduces the likelihood of chargebacks tied to non-compliant processing.
Payment methods under Card Not Present: beyond the primary card
Card Not Present payments extend beyond traditional card data. Digital wallets, token-based payments, and bank transfers are increasingly integrated into Card Not Present ecosystems. A well rounded strategy often combines card data with alternatives like Apple Pay, Google Pay, and other trusted wallets. These methods often use tokenisation behind the scenes and can deliver a smoother checkout process. In parallel, some merchants offer bank transfers or rapid settlement options to cater to customer preferences while maintaining strong security controls. The right mix supports conversion and reduces cart abandonment, especially in competitive markets where customers expect quick, reliable, and secure checkout options.
Mobile-first Card Not Present experiences
As mobile commerce grows, Card Not Present transactions increasingly happen on smartphones. Mobile wallets and in-app payments bring convenience but demand careful attention to app security, secure storage, and efficient authentication. Implementing strong customer authentication in mobile contexts, such as biometric verification and device binding, helps reduce fraud while keeping the experience frictionless for legitimate customers.
Reducing risk in Card Not Present transactions requires a layered approach that combines people, processes, and technology. A successful strategy blends risk governance with practical controls that do not unnecessarily hinder legitimate customers. Core elements include robust data protection, strong authentication, and continuous monitoring for emerging fraud patterns. By implementing these measures, merchants can maintain high conversion rates while strengthening overall payment security in Card Not Present environments.
Strong customer authentication (SCA) and risk-based authentication are pivotal in Card Not Present contexts. Not every transaction should trigger a heavy authentication flow; risk-based approaches assess factors such as device fingerprinting, historical spending patterns, shipping address consistency, and velocity checks. When risk is elevated, the system can prompt for additional verification. This helps maintain a frictionless experience for low-risk orders while protecting high-risk transactions from fraud.
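A worked version of the risk-based decision just described, added here as an example rather than taken from the article or any vendor's engine. It scores an order on the four signals the paragraph names (device recognition, spending history, shipping address consistency and velocity) and steps up to a challenge only when the score is elevated. The weights, the threshold of 50, the one-hour velocity window and the sample customer data are all constructed assumptions; a production system would tune them from its own fraud and chargeback history.

```python
"""Constructed risk-based authentication example: score a Card Not Present
order on the signals in the text and choose frictionless flow or step-up."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transaction:
    customer_id: str
    device_id: str          # stands in for a device fingerprint
    amount: float
    shipping_country: str
    billing_country: str
    timestamp: datetime


@dataclass
class CustomerProfile:
    known_devices: set
    average_amount: float   # historical average order value
    recent_attempts: list   # timestamps of recent authorisation attempts


CHALLENGE_THRESHOLD = 50               # assumed tuning value
VELOCITY_WINDOW = timedelta(hours=1)   # assumed tuning value
VELOCITY_LIMIT = 3                     # attempts within the window that count as elevated


def score_transaction(tx: Transaction, profile: CustomerProfile) -> tuple:
    """Additive score plus the reasons behind it, so every decision is auditable."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if tx.shipping_country != tx.billing_country:
        score += 25
        reasons.append("shipping country differs from billing country")
    if profile.average_amount > 0 and tx.amount > 3 * profile.average_amount:
        score += 25
        reasons.append("amount more than three times the customer's average")
    recent = [t for t in profile.recent_attempts
              if timedelta(0) <= tx.timestamp - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        score += 30
        reasons.append(f"velocity: {len(recent)} attempts in the last hour")
    return score, reasons


def decide(tx: Transaction, profile: CustomerProfile) -> dict:
    """Low score: approve without friction. Elevated score: require a challenge
    (for example a 3D Secure step-up) before the authorisation is sent."""
    score, reasons = score_transaction(tx, profile)
    action = "challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed sample data
NOW = datetime(2024, 1, 15, 12, 0, 0)
RETURNING_CUSTOMER = CustomerProfile(known_devices={"dev-a1"}, average_amount=40.0,
                                     recent_attempts=[NOW - timedelta(days=3)])
LOW_RISK_TX = Transaction("cust-1", "dev-a1", 45.0, "GB", "GB", NOW)

UNDER_PRESSURE = CustomerProfile(known_devices={"dev-a1"}, average_amount=40.0,
                                 recent_attempts=[NOW - timedelta(minutes=m) for m in (5, 20, 40)])
HIGH_RISK_TX = Transaction("cust-1", "dev-z9", 600.0, "US", "GB", NOW)

if __name__ == "__main__":
    print(decide(LOW_RISK_TX, RETURNING_CUSTOMER))
    print(decide(HIGH_RISK_TX, UNDER_PRESSURE))
```

Returning the reasons alongside the score is deliberate: they feed the customer-facing message when a challenge is shown, and they are what a fraud analyst or a chargeback evidence package needs later.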
Limit the amount of data stored on a merchant’s servers. Where possible, rely on hosted payment forms or tokenised data so that sensitive card data never resides in the merchant’s environment. Regularly review data retention policies and ensure encryption and access controls are in place. A data minimisation mindset reduces the potential damage from any breach and simplifies PCI DSS compliance.
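One practical check behind the data minimisation advice above: scanning application logs for card numbers that should never have landed there. This is an added example, not from the article; the regular expression, the Luhn filter that separates real card numbers from other long digit strings, the masking rule and the three constructed log lines are all this example's own choices.

```python
"""Constructed example: detect and mask card numbers that leaked into logs.
A regex finds candidate 13-19 digit strings (with optional spaces or dashes);
the Luhn check drops order numbers and other digit runs that are not PANs."""
import re

PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the candidate strings in `text` that pass the Luhn check."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(m.group())
    return hits


def redact_line(line: str) -> tuple:
    """Mask every Luhn-valid PAN down to its last four digits.
    Returns (redacted_line, number_of_pans_masked)."""
    count = 0

    def mask(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_PATTERN.sub(mask, line), count


def scan_log(lines: list) -> list:
    """Return (line_number, pans_found, redacted_line) for each offending line."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted, count = redact_line(line)
        if count:
            findings.append((n, count, redacted))
    return findings


# Constructed log lines: a 16-digit order id (fails Luhn), a gateway request
# body that wrongly logged a test card number, and a harmless line.
LOG_SAMPLE = [
    "2024-01-15 12:00:01 INFO order=1234567890123456 status=captured token=tok_9f8e7d6c5b4a",
    '2024-01-15 12:00:02 DEBUG gateway request body: {"card": "4111 1111 1111 1111", "exp": "12/26"}',
    "2024-01-15 12:00:03 INFO checkout complete for customer cust-1",
]

if __name__ == "__main__":
    for line_no, count, redacted in scan_log(LOG_SAMPLE):
        print(f"line {line_no}: {count} PAN(s) masked -> {redacted}")
```

Run this over log shipping output or a CI fixture, and treat any finding as a bug in the component that emitted the line, not just something to mask: a PAN in a debug log means card data is touching the merchant environment, which changes the applicable SAQ.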
Developers should follow secure coding practices to prevent common vulnerabilities. Third-party integrations, such as payment gateways and analytics tools, must be vetted for security. Regular security assessments, vendor risk reviews and timely patch management are essential to maintain a secure Card Not Present ecosystem.
Inform customers about how their data is used and protected. Clear privacy statements, transparent authentication flows, and well designed error messages contribute to trust. During high-risk episodes, proactive communication about delays or additional verification steps helps with customer satisfaction and reduces the likelihood of chargebacks that arise from misunderstandings.
Chargebacks are a reality of Card Not Present environments. When a cardholder disputes a transaction, the issuer may initiate a chargeback, which can be costly for merchants and disrupt cash flow. Preventing chargebacks starts with preventing fraud, ongoing monitoring of transactions, and maintaining thorough order documentation. If disputes do occur, a well-organised evidence package—with order details, authentication logs, and delivery confirmation—can support the merchant in the retrieval of funds. The goal is to optimise every step of the lifecycle to minimise chargebacks while preserving a positive customer experience in Card Not Present contexts.
Consider a mid-sized online retailer that processes tens of thousands of Card Not Present transactions daily. The business implemented tokenisation across its shopping cart, integrated 3D Secure for all high-risk orders, and introduced risk-based authentication for new devices. Within six months, chargeback disputes declined by a meaningful margin, and the retailer reported improved conversion rates thanks to a smoother checkout flow. In the hospitality sector, hotels handling remote bookings rely on Card Not Present payments at the point of reservation. By combining secure online payment experiences with clear cancellation policies and rapid post-transaction updates, these organisations can manage risk without sacrificing guest satisfaction.
The Card Not Present space is continually evolving. Advances in biometrics, device fingerprinting, and machine learning-driven risk scoring will further refine authentication while preserving user convenience. Emerging technologies such as programmable card networks and secure element-based wallets are likely to shape how data is processed and stored, reducing exposure further. Merchants who embrace adaptive security, partner with reputable processors, and stay compliant with evolving standards can expect to maintain resilience against fraud in Card Not Present environments while meeting customer expectations for fast, frictionless payments.
Whether you are selling online, handling MOTO orders, or offering mobile apps, Card Not Present payments require a careful balance of security and usability. Key takeaways include adopting tokenisation and encryption to protect data, implementing strong customer authentication where appropriate, and maintaining PCI DSS compliance through appropriate SAQ selection. A risk-based approach helps tailor authentication and friction points to the real risk of each transaction, supporting both security and customer satisfaction in Card Not Present contexts.
Card Not Present: transactions where the card is not physically present.
CNP: widely used acronym for Card Not Present.
SAQ: Self-Assessment Questionnaire used to demonstrate PCI DSS compliance.
3D Secure: an additional authentication step for online payments.
PSD2: the EU directive that introduced stronger customer authentication for many electronic payments, shaping Card Not Present flows across the region.
Tokenisation: replacing card data with non-sensitive tokens.
MOTO: Mail Order/Telephone Order channel within Card Not Present payments.
A resilient Card Not Present strategy is built on securing data, authenticating customers appropriately, and delivering a seamless checkout experience. By combining industry standards with practical controls, merchants can reduce fraud while maintaining a high level of customer satisfaction. The landscape will continue to change as technology and regulation evolve, so ongoing assessment, provider partnerships, and investment in secure payment technology will be essential for long-term success in Card Not Present commerce.