When a customer taps their card or phone to pay for something at a store, it feels so easy. In the world of payments, this is called a card-present transaction, and it’s incredibly reliable. In fact, these in-person payments have a Visa authorization rate of about 98%.1 However, when we buy things online, known as card-not-present (CNP), success rate flags—often hovering around 80% for Visa CNP transactions.1 So why the drop?
It‘s largely because online stores face higher fraud risks. Without a card or the shopper physically present, they must be extra careful of fraud, which sometimes makes it harder for good payments to get through. CNP transaction fraud can be very challenging for SMBs in particular, as many lack the resources to fight it effectively.
This gap between the physical and digital worlds is significant because shopping habits have changed so much over the years. Your customers are increasingly browsing the latest fashion or technology and buying it all on the go—while riding the bus, sitting in the park or relaxing on the couch at home. More than two thirds of shoppers, about 69%,2 used a mobile phone for their latest online purchase, requiring businesses to make the checkout process smooth and mobile-friendly. If a website is clunky or slow, shoppers can easily click away and move on.
What’s more, if a shopper gets declined even once, there is a chance they will just give up and never shop at that store again. But in their effort to stop fraudsters, businesses sometimes stop the good guys. This is called a false decline, and it’s a massive, expensive problem. It’s estimated that blocking these valid transactions will cost the global economy more than $264 billion a year by 2027.3 That is a staggering amount of money lost just because the system was too risk averse.
The question becomes how to safely authorize transactions. Merchants need to offer a variety of ways to pay that are fast, safe and reliable—tough on fraud but smooth for customers. Optimizing authorization rates is now a top priority for merchants around the world. They want to close that gap between the high success rate in stores and the lower rate for online. With smarter tools and better technology, you can ensure that, whether shoppers are tapping their phones at a store or clicking buy in an app, the experience is one they’ll keep coming back to.
And when it comes to enabling secure CNP payments, you can trust in Visa’s solutions—it was ranked number one by Juniper Research in its eCommerce Fraud Prevention 2025–2030 Leaderboard.4
What are CNP payments?
A card-not-present transaction (CNP transaction) happens any time a shopper buys something without physically showing their card to the merchant. This covers a huge part of how customers pay for goods and services today: shopping for clothes on a website or via an app or ordering something from a catalog by mail. It also includes recurring payments, which are automatic weekly, monthly or annual charges for things like TV streaming services or music subscriptions. Since the business can’t see the customer or their card, the process relies entirely on digital information rather than a physical chip or magnetic stripe.
What is card-on-file?
Since customers can’t just tap their card or phone for a CNP transaction, they must enter their information digitally. But it is time consuming to type in that 16-digit number, the expiration date and the CVV code every time a customer wants to buy from your company. So instead, many systems use stored credentials, also known as card-on-file (COF) to save the customer’s payment info after the first use. Then the next time the customer visits the merchant’s website, they simply click “buy” and the system automatically grabs their details. Retailers like Amazon use it to make shopping frictionless. Another form of digital entry is using digital wallets like Apple Pay or Google Pay. These options aren't sharing the customer’s real card number. Instead, the system uses a special digital code called a token to represent the card and keep the customer's information secure.
What is a risk profile?
During a digital checkout, because a merchant cannot check a customer’s ID card or verify the sale using methods like contactless authentication, the risk of accepting a fraudulent order is higher than for card-present. In fact, fraud rates for CNP transactions are about 7.5 times5 higher than for in-person payments. This elevated risk should make business owners hyper-vigilant, requiring the creation of a unique “risk profile” for every online or remote transaction.
To protect your business, fraud management systems monitor everything about an incoming order in the background. They analyze the buyer's digital footprint—such as their geolocation, the type of device they are using, and even behavioral clues like how fast they type. For example, if a customer’s card is typically used for local purchases in New York but suddenly attempts to buy a high-value item from a London IP address, the system might flag the order as risky. For a merchant, this creates a constant balancing act: you must stop fraudsters while ensuring your legitimate customers can still check out with ease. This daily battle is exactly why CNP transactions require such a complex risk profile.
What is a dynamic CVV?
The three-digit code on the back of a credit or debit card is known as the card verification value (CVV). With a standard card that number is static, meaning it never changes. If a hacker steals it, the bad actor can continue to buy things online forever—or at least until the card is cancelled. But a new technology called dynamic CVV solves this problem, changing to a new random code periodically. For example, depending on the issuer, this could be twice a day or after every transaction. Your customers might also have an app on their phone that generates a fresh code, similar to getting a one-time passcode for online banking. Because this information changes constantly, it adds an extra layer of armor to digital wallets, making sure that even if data is stolen, it likely can’t be used.
How do you accept CNP payments?
The payment gateway: This is the first step in the journey, which starts when a customer clicks buy on your website and then inputs payment information. The gateway connects the online store to the banking world. Because card numbers are valuable to fraudsters, the gateway immediately uses encryption to scramble the data. The gateway then securely sends this encrypted data to the acquirer (the merchant bank), which contacts the issuer (the customer's bank) to ask for authorization.
Why it matters to the business owner: For a business, this step is the foundation of getting paid. Without a gateway to encrypt and send data, an online store cannot function. The gateway protects the business from being responsible for stolen data. Plus, a good gateway makes the process smooth, ensuring the money moves from the shopper’s account to the business's bank account without getting lost or stolen along the way.
Authentication: Before the financial institution says yes to a purchase, they will often want to make sure that the customer is the genuine cardholder, for example by using EMV 3-D Secure (3DS). Think of this powerful tool as a digital ID check: the system might ask the shopper to prove their identity by entering a one-time passcode sent to their phone or by presenting biometric data like a fingerprint or face scan. This creates a frictionless flow where safe shoppers get through instantly, while suspicious ones are challenged to prove they are the cardholder.
Why it matters to the business owner: When a business uses tools like 3DS, it significantly reduces the risk of accepting a stolen card, which is critical to protecting profits. If a fraudster buys something and the real card owner files a dispute, the bank usually takes the money back from the merchant, called a chargeback. By using 3DS authentication, the business is often protected from these costs because they did their homework to verify the shopper. It helps the business keep the money they earned while keeping fraudsters out.
Tokenization: Sharing real credit card numbers online is risky, so businesses use a technology called tokenization. This replaces the card’s primary account number (PAN) with a random string of unique numbers while the real data is in a secure vault; only the token travels through the internet. When a payment is made, the system uses a special digital key, or cryptogram, to prove the token is valid for that specific purchase. This makes the data almost useless to hackers because the token can't be used outside of that specific transaction.
Why it matters to the business owner: Financial institutions (issuers) trust transactions with tokens more than regular card numbers, so they are more likely to approve the sale. It also makes things easier for repeat customers. If a shop offers subscriptions or “one-click” buying, they can save the token safely. Even if the customer gets a new physical card with a new expiration date, the network token can update automatically meaning the merchant won’t lose the sale just because a card expired.
Risk scoring: Every time a transaction happens, AI models analyze multiple pieces of data about the order in milliseconds. The model looks at the device being used, the location of the shopper (geolocation), what they are buying and their shopping history. Based on these clues, the AI assigns a risk score, usually a number between 0 (very safe) and 99 (very risky). If the score is low, the payment goes through instantly. If it is high, the system might block it or ask for more proof. This happens so fast the customer doesn't even notice.
Why it matters to the business owner: Speed and accuracy are everything. A merchant can't manually check every single order to see if it looks suspicious. Risk scoring automates this, allowing the business to accept as many good orders as possible without letting bad guys in. It helps prevent false declines, which is when a legitimate shopper gets rejected by accident—which can often drive frustrated customers away. Accurate risk scoring keeps good customers happy and keeps fraudsters at bay.
Card testing: A risk to your business, card testing (also known as enumeration), is where fraudsters use software bots to test thousands of stolen card numbers on a website to see which ones work. They make tiny purchases just to see if the card is valid before going on a spending spree elsewhere.
Why it matters to the business owner: For a business, card testing clogs your website with fake traffic and can lead to expensive fees from payment processors for processing so many failed transactions. Worse, if a stolen card works, your business could get hit with a chargeback—meaning you lose not only the merchandise but also the money, plus you have to pay a penalty fee. Understanding why declines happen can help your business adjust its fraud settings to stop the bots without blocking real people and sales.
| Payment step | How it works | Why it matters |
|---|---|---|
| The payment gateway is the first step in the journey, which starts when a customer clicks buy on your website then uses their CNP transaction method. And it all happens in the blink of an eye. The payment gateway acts like a secure digital bridge connecting the online store to the banking world. | Because card numbers are valuable to fraudsters, the gateway immediately uses encryption to scramble the data into a secret code. The gateway then securely sends this encrypted request to the acquirer (merchant bank), which then contacts the issuer (the customer's bank) to ask for authorization. | For a business, this step is the foundation of getting paid. Without a gateway to encrypt and send data, an online store simply cannot function. It protects the business from being responsible for stolen data, and ensures money gets where it needs to go safely and securely. |
| Authentication happens before the bank says yes to a purchase. They will often want to make sure that the customer is the genuine cardholder, for example by using EMV 3-D Secure (3DS). Think of this powerful tool as a digital ID check. | Instead of just accepting the card number, the system might ask the shopper to prove their identity by entering a one-time passcode sent to their phone or by presenting biometric data like a fingerprint or face scan. This creates a frictionless flow where safe shoppers get through instantly, while suspicious ones are challenged to prove who they really are. | When a business uses tools like 3DS, it significantly reduces the risk of accepting a stolen card, which is critical to protecting profits. If a fraudster buys something and the real card owner files a dispute, the bank usually takes the money back from the shop, called a chargeback. By using 3DS authentication, the business is often protected from these costs because they did their homework to verify the shopper. |
| Tokenization is used because sharing real credit card numbers online can be risky. This technology replaces the card’s primary account number (PAN) with a random string of unique numbers while the real data is locked away in a secure vault. Only the token travels through the internet. | When a payment is made, the system uses a special digital key, or cryptogram, to prove the token is valid for that specific purchase. This makes the data almost useless to hackers because the token can't be used outside of that specific transaction. | Banks (issuers) trust transactions with tokens more than regular card numbers, so they are more likely to approve the sale. It also makes things easier for repeat customers—for example, when it comes to offering subscriptions or “one-click” buying. Even if the customer gets a new physical card with a new expiration date, the network token can update automatically, meaning you won’t lose the sale just because a card expired. |
| Risk scoring is like an AI detective that gets to work every time a transaction happens. In just milliseconds, AI models analyze multiple pieces of data about the order. This can include looking at the device being used, the location of the shopper (geolocation), what they are buying and their shopping history. | Based on these clues, the AI assigns a risk score, usually a number between 0 (very safe) and 99 (very risky). If the score is low, the payment goes through instantly. If it is high, the system might block it or ask for more proof. This happens so fast the customer doesn't even notice. | Speed and accuracy are everything. A shop owner can't manually check every single order to see if it looks suspicious—that would take forever. Risk scoring automates this, allowing the business to accept as many good orders as possible without letting bad guys in. It helps prevent false declines, which is when a legitimate shopper gets rejected by accident—which can often drive frustrated customers away. |
| Your business needs to watch out for “card testing” (also known as enumeration), which is where fraudsters use software bots to test thousands of stolen card numbers on a website to see which ones work. They make tiny purchases just to see if the card is valid before going on a spending spree elsewhere. | For a business, card testing clogs your website with fake traffic and can lead to expensive fees from payment processors for processing so many failed transactions. Worse, if a stolen card works and the owner finds out, your business could get hit with a chargeback—meaning you lose not only the merchandise but also the money, plus you have to pay a penalty fee. | Understanding why declines happen can help your business adjust its fraud settings to stop the bots without blocking real people and sales. |
What can you do to enable CNP payments?
To effectively enable card-not-present (CNP) payments, businesses must streamline the mobile checkout experience with secure, one-click tokenized solutions and implement smart authentication tools that block fraud without adding customer friction.
1. Click to Pay: Usually when shoppers buy something online, they have to type in their name, card number and address every single time. These steps are not only an inconvenience but it's easy to make mistakes too. Plus, it’s a prime target for hackers. Click to Pay saves the customer’s details safely so that when they see the icon at checkout, they simply click it and the system remembers them instantly and retrieves their payment information. It makes checking out faster and safer, so customers have a much better shopping experience and businesses have fewer headaches to sort out.
2. Network tokens: Instead of sharing real card numbers, the financial institution creates a unique digital code, known as a token, that replaces the sensitive card information. If a hacker steals this token, it’s next to useless to them. Even better, these tokens are updated automatically behind the scenes if a card is reported stolen or has expired.
3. EMV 3-D Secure (3DS): This technology looks at things like device type and location in the background to verify a customer. If something looks out of place, it may ask for a quick text message code to prove their identity. Merchants that use this tool won’t be blamed if a fraudster manages to trick the system—the card issuer takes responsibility instead. It creates a safe path for good shoppers, while shutting the door on bad guys, all in just seconds.
4. Optimize for mobile: Because so many people browse and buy things on their screens, stores have to optimize for mobile. This means making sure their checkout page isn’t too tiny, broken, or confusing on a smartphone. If a customer has to pinch and zoom just to find the buy button, they will probably leave the site without buying anything. Using tools that create a mobile-friendly experience makes the process smooth and easy.
5. Confirm at the counter: Merchants must always be ready for friendly fraud, otherwise known as first-party misuse. This perennial problem happens when a customer buys something, receives it, then lies to their bank saying they never received it in order to get their money back. For orders that customers buy online but pick up at a store, a merchant can require a physical card tap at the counter to prove the shopper is real. This simple step bridges the gap between online risk and in-store safety, making it much harder for dishonest people to steal items.
What does Visa offer?
Visa Click to Pay: For a small business owner, one of the biggest headaches is checkout abandonment. This is when a customer fills up their shopping cart but leaves before completing their purchase, perhaps because of the amount of information they need to enter, or they forget their password. Click to Pay recognizes the shopper and fills in their payment and account information automatically. This creates a seamless experience and eliminates the friction that drives customers away, helping to ensure more clicks turn into actual sales.
Token Management Service: Instead of storing customers’ card numbers (which hackers want to steal), this solution helps businesses manage tokens. For a small business owner, this solution helps keep customers’ sensitive details safe from bad guys, minimizing the risk of data theft and chargebacks, and the tokens can be updated automatically with lifecycle management. If a customer gets a new card because their old one expired, the service works to update the token automatically behind the scenes. This means the business owner doesn't have to chase customers to ask for new card numbers for monthly subscriptions. The payments just keep working, keeping the business running smoothly.
Decision Manager: Decision Manager uses an AI that has learned from more than 260 billion6 global transactions a year to spot the difference between a real customer and a thief in milliseconds. Visa’s tool works automatically, reducing the time spent on manual reviews and ensuring you don’t accidentally block a real customer, keeping sales high and stress low.
Advanced Fraud Detection Suite: Built into Authorize.net, Advanced Fraud Detection Suite (AFDS) has powerful rules, filters and tools to watch over suspicious CNP activity like velocity and shipping-billing mismatch. It’s designed to help online merchants identify, manage and prevent costly fraudulent transactions, and includes a whole array of tools that work together to examine transactions for any signs of fraud.
Payment Account Tokenization: Visa’s Payment Account Tokenization extends the standard tokenization model beyond debit and credit cards to automated clearing house (ACH) and real-time payments, meaning the convenience of payment in a click is available to even more customers.
CNP payments are a great way to grow your business but they also mean keeping a constant watch for cybercriminals. Authorize.net offers a suite of tools that act like a digital store guard—to catch the bad guys quickly, while giving good customers a great shopping experience.
What do users say about Visa’s CNP payment solutions?
Harley-Davidson
The legendary American motorcycle manufacturer and lifestyle brand needed a fraud management solution that would help it to transact quickly, safely and reliably across multiple territories. By working with Visa, the company was able to grow its online sales by selling across nine countries while keeping chargebacks to a minimum.
Shopline
Conversion rates are a tricky area for businesses and can be affected by the likes of friction in payments and false declines. Shopline achieved a higher conversion rate and reduced fraud by 50% after using Visa’s Decision Manager for their merchants’ online stores.
Razorpay
Cross-border CNP transactions present a fraud risk to businesses that requires effective mitigation while allowing good customers to shop seamlessly. Razorpay saw an 18% reduction in false positives and a 40% decrease in chargebacks for cross-border CNP transactions by using Visa’s robust risk management tools.
FAQs
The cost of CNP payments is a huge deal for merchants. Accepting payments online usually costs more than accepting them in a store. This is because the risk of fraud is higher, so financial institutions and processors charge higher fees to cover that risk. These costs include processing fees paid to the payment gateway and interchange fees paid to the financial institution. Because these costs add up, managing them is a top priority for businesses. In fact, one of the main reasons merchants encourage customers to use specific payment methods like debit cards or local bank transfers is to lower these processing costs.
For a small to medium-sized business (SMB), fraud hits hard. Unlike big companies with huge budgets, an SMB might not have a dedicated fraud team. They have to spend valuable time on CNP fraud prevention instead of growing their business. When fraud happens, the business often loses the product (which the thief stole) and the money too (which the bank takes back), called a chargeback. Furthermore, in an attempt to stop fraud, they might accidentally block good customers, which can hurt sales revenue. These operational challenges and costs are likely to be an ongoing concern for many smaller merchants who are trying to compete in a risky digital world.
There are specialized providers who build the technology that keeps online shopping safe, such as Visa and its affiliates. Visa Protect includes tools like Decision Manager to help merchants automatically spot fraud. Verifi specializes in post-purchase solutions—for example, preventing chargeback fraud by sharing transaction data in real time . Then there is CardinalCommerce, which focuses on authentication (like EMV 3-D Secure) to ensure that the person using the card is legitimate. Visa and its affiliates work together to offer everything from risk scoring to dispute resolution, helping merchants of all sizes navigate the world of CNP transactions.
To accept CNP payments safely, merchants should follow a multi-layered “defense-in-depth" approach. First, validate the data. Always check that the billing address matches the card's records and that the three-digit CVV code is correct. Second, use authentication like EMV 3-D Secure to challenge risky orders while letting safe ones pass through quickly. It is also best practice to monitor patterns. If a single account is trying to make ten purchases in one minute, or if a user is trying different card numbers rapidly (velocity checks), they might need to be blocked. Finally, educate your customers. Remind them to keep their accounts secure and update their profiles. By combining strict data checks with active monitoring, merchants can accept more good orders, while shutting the door on more of the fraudulent ones.
Verifying that a customer is who they say they are is the best way to reduce fraud. The industry standard for this is EMV 3-D Secure (3DS). This technology assesses the risk of a transaction. If it looks safe, the customer doesn't do anything. If it looks risky, they verify themselves using a one-time passcode sent to their phone or by using biometrics like a fingerprint or face scan on their banking app. Other effective methods include an account name inquiry, which checks if the name on the order matches the name on the bank account. Merchants can also check the device ID or mobile phone number linked to the user's name. These layers of verification make it very hard for a thief with a stolen card number to successfully check out.
When a cardholder sees a transaction they didn't make, they initiate a dispute (or chargeback) with their bank in order to get their money back. For the merchant, this means losing the money and paying a fee. However, merchants can fight invalid disputes. If a customer claims they didn't receive their purchase but actually did (friendly fraud), the merchant can use compelling evidence like a delivery signature, device ID, or history of previous undisputed purchases from the same IP address to help prove that the customer could be misrepresenting the situation.
Mobile wallets with Apple Pay and Google Pay can be used when shopping online for a fast and secure checkout experience—and this counts as card-not-present. However, when a customer uses a digital wallet in your store, it counts as a card-present transaction. CP transactions using digital wallets are kept secure by using tokens to protect customers’ information, and by adding an extra layer of authentication such as biometrics. Ensuring your terminals and checkout support digital wallets helps reduce fraud risk, improve customer trust and speed up checkout.
Those three or four little numbers on the back or front of credit or debit cards are used to verify card-not-present transactions, and are a common target for fraud. A dynamic CVV reduces this risk by replacing the static codes with a random code that changes periodically. Codes can be generated via a customer’s mobile banking app, or within a small screen on the card itself. Because the CVV changes frequently, a stolen code quickly becomes useless, significantly reducing fraud risk.
Yes, customers can use their dynamic CVV to set up recurring payments such as gym memberships. The cardholder simply enters their temporary code for the first payment to be accepted, then your businesses will be able to take payments automatically in future—even when the code has changed.
A payment gateway (such as Authorize.net) acts as a secure bridge between your business and the payments ecosystem to connect key players. These include the customer, the store owner, the issuer (the customer’s credit card bank), the acquirer (the merchant bank), and the card network (Visa). When your business uses a payment gateway, it can process and accept payments, while providing tools like transaction management, reporting and billing. For online and card not present transactions, a gateway is essential. For in store payments, transactions are typically handled by a POS system and processor, though some setups route data through a gateway for centralized reporting or mobile checkout.
How soon you can start accepting payments depends on factors like how quickly your gateway can approve your account and whether you have an existing merchant account (needed to accept credit cards). For example, Authorize.net can approve your account automatically once the application is completed successfully, then you can be ready in a few minutes simply by updating your gateway with the parameters provided by your merchant provider. Merchant accounts can take up to five business days to open, subject to factors like what industry you work in, or your credit history.
An acquirer (or acquiring bank) is a financial institution that processes card payments on behalf of your business. It processes and settles payments made by your customers via their issuing bank by communicating between the merchant, and a card payment network, like Visa.
No, acquirer bundling is not required for your business to accept payments, but for some it’s a quicker and easier way to get started. Traditionally, services like merchant accounts, payment gateway and payment processing were sourced separately. Today, a payment service provider might offer an all-in-one package, known as “acquirer bundling”, but this may not suit someone who already has a merchant account or prefers to keep things separate. Authorize.net offers bundled options that may be approved quickly if the application qualifies for auto-approval, but it can also be used independently with an existing merchant account.
Start accepting payments today
- Visa. (2024). Gross Approval Rate from Global Risk Team, Global Authorization Trends Tracker
- 2025 Global Digital Shopping Index: U.S. Edition commissioned by Visa Acceptance Solutions and PYMNTS Intelligence
- Datos Insights. (August 2024). The Future of E-Commerce: Innovations to Protect and Enrich the Online Channel [https://globalclient.visa.com/datospaper]
- (eCommerce Fraud Prevention 2025–2030, Juniper Research, 2025)
- Mattei, D. (2024 August). The future of e-commerce: Innovations to protect and enrich the online channel. [White paper]. Datos Insights.
- VisaNet transaction volume based on 2023 fiscal year. Domestically routed transactions may not hit VisaNet.
Disclaimer: Case studies, comparisons, statistics, research, and recommendations are provided “AS IS” and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. Visa neither makes any warranty or representation as to the completeness or accuracy of the information within this document, nor assumes any liability or responsibility that may result from reliance on such information. The information contained herein is not intended as investment or legal advice, and readers are encouraged to seek the advice of a competent professional where such advice is required.
