The short answer
Card-not-present (CNP) is any transaction where the merchant doesn't physically see or swipe the card. The customer enters card data via a website, app, phone call (MOTO), or saved-on-file subscription. Opposite: card-present (CP), where the card is dipped, swiped, or tapped at a physical terminal. Almost all e-commerce is CNP. CNP carries higher interchange, higher fraud risk, and different liability rules than CP.
Why CNP is different
- No EMV chip read. EMV authentication shifts chargeback liability to the issuer when the chip is read. CNP has no chip — liability stays with the merchant unless 3DS is used.
- Higher interchange. CNP interchange runs 30-60 basis points higher than card-present on the same card type.
- Higher fraud rate. Stolen card numbers are fenced online. A CNP merchant sees 3-10x the fraud rate of a CP merchant.
- "Signature" doesn't exist. You can't compare a signature to the card back. Alternative verification mechanisms required.
CNP sub-categories
- E-commerce (EC). Web checkout. Most common.
- MOTO (mail-order / telephone-order). Customer dictates card on a call. Different MCC, different interchange.
- Recurring / card-on-file. Customer authorizes a card once; merchant bills periodically. Must disclose amount + cadence + cancellation.
- Installment / BNPL. Split payments. Mostly CNP though some BNPL providers treat it separately.
CNP fraud-reduction techniques
3DS 2.0 authentication
The current version of 3D-Secure. Issuer authenticates the cardholder at checkout (usually invisibly via risk-based scoring, occasionally via step-up challenge). On authenticated transactions, chargeback liability for fraud shifts to the issuer. Mandatory in EU/UK under PSD2 SCA rules; optional but increasingly important in US.
AVS (Address Verification Service)
Matches the billing ZIP or street address on the transaction to what the issuer has on file. Reduces fraud but increases friction. Some high-risk MCCs require full AVS match; others accept ZIP-only.
CVV / CVC verification
The 3- or 4-digit code on the back of the card. Never stored (per PCI). Required on most CNP transactions. Mismatch → decline.
Device fingerprinting
Browser fingerprint, IP address, device ID. Flags mismatches between the user's usual device and the current one. Used by fraud screening tools (Sift, Kount, Forter, Stripe Radar).
Velocity rules
Same card trying 3+ merchants in 60 seconds = card testing. Block.
CNP liability rules
Default: merchant loses on most CNP chargebacks. Exceptions:
- 3DS-authenticated transaction: issuer liable.
- Visa CE 3.0 compelling evidence: if you have two prior undisputed transactions from the same cardholder, liability can shift back to issuer. See compelling evidence.
- Mastercard First-Party Trust: similar shift on first-party fraud claims with documentation.
Why CNP operators pay more
On a blended e-commerce merchant doing $500k/mo, the CNP premium over the hypothetical card-present equivalent is roughly 40-80 basis points — $2,000-$4,000/mo. Much of that is interchange you can't negotiate; some is processor margin for CNP fraud risk. Shifting to EMV-equivalent authentication (3DS 2.0) recovers 10-20 bps of the premium on authenticated transactions.
Why multiflow operators particularly care
Multi-brand e-commerce is 100% CNP. Every optimization above compounds across your brands. Consolidating to one acquirer via multiflow gives you the volume and hygiene discipline to negotiate better CNP pricing than any individual brand could get alone.