Best practice on offering and processing ‘card not present’ payments
This guidance is designed to inform retailers about best practice on offering and processing ‘card not present’ payments during the Covid-19 outbreak. This advice has been collated by partner members of the Independent Retailers Confederation (IRC), with particular credit due to the Association of Convenience Stores.
How can I accept ‘card not present’ transactions?
Step 1: Retailers should contact their card acquirer or POS terminal provider to enquire about adding CNP services onto their existing agreement.
Step 2: Mitigate fraud risks from CNP transactions by following your acquirer/terminal provider's anti-fraud advice.
It should be noted that in-store CNP transactions raise additional risks of fraud and chargeback liability for the merchant. To minimise risk you could consider:
- Putting a limit on payment values, for example £100.
- Limiting use of CNP payments per customer, for example three per week.
- Limiting high value products per transaction, for example spirits or tobacco.
Step 3: When on the phone with the customer, enter the following details into your card terminal:
- The long card number.
- The card expiry date.
- The three-digit security code or house number/postcode of the card holder.
Do not write down or record customer card details!
Retailers should check with their card acquirer about the information they need to ask for over the phone.
How can I reduce the chances of fraud?
Retailers are strongly advised to authenticate use of the card over the phone via the following fraud detection and prevention tools:
- Address Verification Services. An Address Verification System (AVS) checks the billing address of the card provided by the customer with the address on file at the customer's bank. This is an instant check made by the customer's bank but retailers taking details for a CNP transaction will need to ask for billing address details too for this to be completed. Results from the AVS check can help retailers decide whether to accept the order. This check is most commonly completed for telephone orders.
- Card Security Codes. Card Security Codes (CSC) are the three-digit numbers present on the back of most cards. By entering the CSC during a CNP transaction, retailers enable a check to be made that the customer is in possession of the valid physical card. CSCs cannot be recorded or stored by retailers, including for recurring transactions.
- PCI DSS Standards. The Payment Card Industry Data Security Standard (PCI DSS) is a standard used across all major card brands to protect cardholder account security when account details are shared with retailers and anyone involved in processing and transmitting payment card information. Your card terminal should be PCI DSS compliant; if in doubt, please contact your acquirer.
How can I reduce risks of chargeback?
Chargebacks occur when a customer disputes a charge on their card. The customer typically contacts their card issuer and initiates the process for a refund via the acquirer, which is paid for by the retailer. Retailers can challenge any disputes in a process called representment by substantiating the charge and providing verification of the sale. The following best practice to prevent chargebacks is additional to the anti-fraud measures outlined above:
- Retain copies of order forms if applicable and evidence of customer receipt of goods (i.e. signed receipt).
- Use email to notify consumers of the details of sales and to indicate that their cards will be charged.
- Post clear policies for billing, returns, delivery and data privacy on your website. Order confirmation emails should include this information and any further terms and conditions in the content or via a web page link.
- Always provide a clear billing descriptor with a phone number so the customer can contact you directly rather than calling their bank to discuss any dispute.
- If you have a website or social media pages, provide a contact phone number and email address so customers can contact you directly.
- Obtain the customer's phone number and email address.
- Notify customers in writing when a refund has been issued. Provide them with the date the transaction was submitted and a reference number.
- Indicate that the card issuer may require a full billing cycle to apply any refunds, which may not immediately appear on an online statement.
If you have any other queries please contact us.