Card-Not-Present (CNP)

Definition

CNP (Card Not Present) describes transactions, primarily e-commerce, where the physical card is absent. They carry higher fraud rates and higher interchange than card-present transactions.

Card-Not-Present (CNP) refers to payment transactions where the physical card is not presented at the point of sale — primarily e-commerce, phone orders (MOTO), and in-app purchases. CNP transactions carry higher fraud risk than card-present transactions because the merchant cannot verify the physical card or cardholder identity at the point of sale. This elevated risk is reflected in higher interchange rates, additional authentication requirements (3DS2, SCA), and different chargeback liability rules.

CNP is the dominant transaction environment for digital commerce. Every online purchase, subscription charge, and in-app payment is a CNP transaction. The operational, fraud, and compliance implications of CNP differ significantly from card-present, and payment operators must design their systems accordingly.

CNP Transaction Types

E-commerce (ECI 7): Cardholder-initiated transactions where card details are entered online without authentication.

3DS authenticated (ECI 5/6): E-commerce transactions where the cardholder has completed 3D Secure authentication. ECI 5 indicates full authentication; ECI 6 indicates attempted authentication (issuer does not support 3DS).

Mail Order / Telephone Order (MOTO): Orders taken by phone or mail where card details are provided verbally or in writing. MOTO is a separate ECI (ECI 01/02) with its own set of scheme rules.

Merchant-Initiated Transactions (MIT): Charges that occur without the cardholder actively participating — recurring billing, subscription renewals, installment payments. MITs require a prior cardholder-initiated authorization as the agreement anchor.

Card-on-File (COF): Stored card credentials used for subsequent purchases. Must be tokenized and linked to a prior cardholder-initiated transaction.

Fraud Dynamics in CNP

CNP fraud rates are structurally higher than card-present fraud because:

  • The physical card is not verified
  • There is no PIN or signature at the point of interaction
  • Stolen card data can be used remotely without the physical card
  • Card details can be obtained through data breaches and phishing at scale

Card-present fraud largely shifted online when EMV chip adoption made in-person counterfeiting economically unattractive. This “fraud migration” from CP to CNP was well-documented in the US following the 2015 EMV liability shift.

Liability and Chargebacks

CNP chargeback liability rules differ from card-present:

  • Non-authenticated CNP: The merchant bears fraud chargeback liability. If the cardholder disputes a transaction as unauthorized, the chargeback is typically upheld against the merchant.
  • 3DS authenticated: Liability for fraud chargebacks shifts to the issuer. This is the primary commercial incentive for merchants to implement 3DS, beyond regulatory requirements.
  • MITs: Limited chargeback protection; the initial cardholder-initiated authorization provides some coverage but disputes related to recurring charges are frequent.

Authentication Requirements

For CNP transactions subject to SCA (EU/EEA issuers), 3DS2 authentication is mandatory unless an exemption applies. Outside SCA-regulated markets, authentication is optional but strongly recommended for its liability and authorization rate benefits.

In Southeast Asia, 3DS adoption varies significantly by issuer market. Singapore and Malaysia issuers generally support 3DS2. Indonesia, Philippines, and Vietnam issuers have more variable 3DS2 support, with some still operating on 3DS1 or not supporting 3DS at all. Payment operators routing CNP transactions in SEA must handle graceful fallback when authentication is unavailable.

CNP and Tokenization

Network tokenization is especially valuable in CNP environments. Replacing raw PAN storage with network tokens (Visa Token Service, Mastercard MDES) reduces the value of stored card data if a merchant’s systems are breached and improves authorization rates through token lifecycle management — issuers push card updates to the token rather than requiring cardholders to re-enter credentials.

PCI-DSS scope reduction is another benefit: merchants that store only tokens rather than raw card numbers have reduced PCI audit scope, lowering compliance costs.

MOTO Specifics

MOTO channels have no available authentication mechanism — the cardholder is not online during the transaction. MOTO merchants must rely entirely on pre-authorization fraud controls (AVS, CVV verification, velocity rules) and accept higher fraud risk as a cost of the channel. Card networks treat MOTO differently from standard CNP in certain chargeback dispute scenarios.
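
The pre-authorization controls named above (AVS, CVV verification, velocity rules) can be combined into a single screening step. The sketch below is an added example, not code from any card scheme or processor; the class and field names, the 10-minute window, the 3-attempt limit, and the sample orders are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy values for illustration; tune them to your own order patterns.
WINDOW_SECONDS = 600      # velocity look-back window
MAX_ATTEMPTS = 3          # attempts allowed per card token inside the window

@dataclass
class MotoOrder:
    ts: int               # epoch seconds
    card_token: str       # token, never a raw PAN
    avs_match: bool       # billing address matched the issuer's record
    cvv_match: bool       # security code matched

class MotoScreen:
    """Pre-authorization screen: CVV check, AVS check, per-card velocity."""
    def __init__(self):
        self._seen = defaultdict(deque)   # card_token -> recent attempt times

    def decide(self, order):
        attempts = self._seen[order.card_token]
        # Drop attempts that have aged out of the window.
        while attempts and order.ts - attempts[0] >= WINDOW_SECONDS:
            attempts.popleft()
        attempts.append(order.ts)         # failed attempts count toward velocity
        if not order.cvv_match:
            return "decline", "cvv_mismatch"
        if len(attempts) > MAX_ATTEMPTS:
            return "decline", "velocity"
        if not order.avs_match:
            return "review", "avs_mismatch"
        return "authorize", "ok"

def screen_all(orders):
    screen = MotoScreen()
    return [screen.decide(o) for o in sorted(orders, key=lambda o: o.ts)]

# Constructed sample orders (not real data).
SAMPLE = [
    MotoOrder(0,   "tok_A", True,  True),
    MotoOrder(60,  "tok_B", False, True),
    MotoOrder(120, "tok_A", True,  False),
    MotoOrder(130, "tok_A", True,  False),
    MotoOrder(140, "tok_A", True,  True),
    MotoOrder(900, "tok_A", True,  True),
]

if __name__ == "__main__":
    print(*screen_all(SAMPLE), sep="\n")
```

The fifth sample order is declined even though its CVV matches, because earlier failed attempts on the same token still count toward the velocity limit; once the window has passed, the sixth order on that token is authorized again.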
