What are card-not-present best practices?

Last updated: December 11, 2024

Card-not-present transactions include:

  • Mail order

  • Telephone order

  • E-commerce

  • Other scenarios where the cardholder is not physically present

Card-not-present transactions have a substantially higher risk of chargebacks and fraud. Because the cardholder is not present, you will not have the standard documentation that a card-present transaction provides. The following actions are useful in reducing chargebacks and should be implemented in your business processes:

  • Obtain the expiration date of the card.

  • If feasible, obtain and retain a signed authorization form from the cardholder for the transaction(s).

  • Use the Address Verification Service (AVS) and process transactions only if there is a positive match.

  • Obtain the three- or four-digit card validation value (CVV), include it with the authorization request, and process the transaction only if there is a positive match.

  • You may not submit a transaction for processing until after the merchandise has been shipped or the service has been provided to the customer. The card organizations will permit the immediate billing of merchandise manufactured to the customer’s specifications (i.e., special/custom orders) provided the cardholder has been advised of the billing details.

  • Provide a copy of the sales receipt to the cardholder at the time of delivery and obtain proof of delivery to the complete address provided by the cardholder. This could be a signature at the time of delivery or tracking numbers showing delivery to the complete address provided by the cardholder (proof of delivery to just a city, state, and zip code may not be sufficient).

  • Communicate delivery timeframes, delays, special handling, and/or cancellation policies to the cardholder.

  • Ship merchandise within seven days of the transaction date. If unexpected delays are encountered, provide the cardholder with an opportunity to cancel, if applicable.

  • Provide a description of the security used on the website.

  • It is prohibited to sell or disclose data containing cardholder account numbers, personal information, or other card transaction information to third parties.

  • Ensure that all cardholder interaction points clearly indicate your business identity.

  • Do not accept card data through email.

  • If products and services are sold on a website, include the following information:

    • Full description of the goods or services offered.

    • Any applicable policies and disclosures (merchandise return policy, cancellation policy, refund policy, delivery policy, consumer data privacy policy, free trial period terms, etc.).

    • Customer service email address and/or phone number and business address.

    • Appropriate currency of the transaction.

    • Applicable export or legal restrictions.

Implementation of the above does not guarantee against chargebacks; however, used appropriately, it can assist in reducing the risk of fraud. AVS and card validation value are disconnected from the authorization process. An authorization request can return an approval even with an AVS and CVV mismatch.

It is your responsibility to monitor the AVS and CVV responses in conjunction with approved authorizations, and to use that information to avoid suspicious transactions.
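
The check described above, as an added example (not code from the original page): a post-authorization gate that reads the AVS and CVV result codes on each response and lets a transaction through only on a positive match for both. The response field names and the single-letter result codes are assumptions; code sets vary by card network and processor.

```python
from collections import Counter

# Assumption: commonly used single-letter result codes. The exact set varies by
# card network and processor, so confirm it against your processor's documentation.
AVS_POSITIVE = {"Y", "X"}  # street address and postal code both matched
AVS_MISMATCH = {"N"}       # neither street address nor postal code matched
CVV_POSITIVE = {"M"}       # card validation value matched
CVV_MISMATCH = {"N"}       # card validation value did not match


def evaluate(resp):
    """Return (decision, reason) for one authorization response (hypothetical dict layout)."""
    if not resp.get("approved"):
        return "declined", "authorization not approved"
    avs = (resp.get("avs_code") or "").upper()
    cvv = (resp.get("cvv_code") or "").upper()
    # An approval alone is not enough: the issuer can approve despite a mismatch.
    if avs in AVS_MISMATCH or cvv in CVV_MISMATCH:
        return "do_not_process", f"approved with mismatch (AVS={avs or '-'}, CVV={cvv or '-'})"
    if avs in AVS_POSITIVE and cvv in CVV_POSITIVE:
        return "process", "AVS and CVV positive match"
    # Partial match, unavailable, or missing result: not a positive match.
    return "do_not_process", f"not positively verified (AVS={avs or '-'}, CVV={cvv or '-'})"


def monitor(responses):
    """Tally decisions and list approved-but-unverified orders for follow-up."""
    tally, flagged = Counter(), []
    for resp in responses:
        decision, reason = evaluate(resp)
        tally[decision] += 1
        if decision == "do_not_process":
            flagged.append((resp["order_id"], reason))
    return tally, flagged


# Constructed sample responses, not real transaction data.
SAMPLE = [
    {"order_id": "A100", "approved": True, "avs_code": "Y", "cvv_code": "M"},
    {"order_id": "A101", "approved": True, "avs_code": "N", "cvv_code": "N"},
    {"order_id": "A102", "approved": True, "avs_code": "Z", "cvv_code": "M"},
    {"order_id": "A103", "approved": False, "avs_code": "Y", "cvv_code": "M"},
    {"order_id": "A104", "approved": True, "avs_code": "Y", "cvv_code": None},
]

if __name__ == "__main__":
    tally, flagged = monitor(SAMPLE)
    print(dict(tally))
    for order_id, reason in flagged:
        print(order_id, reason)
```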