A payment made without the cardholder physically presenting the card to a terminal. These transactions rely on digital signals rather than in-person verification, so issuers usually apply stricter fraud controls and may decline more often when the merchant cannot provide strong supporting context.
Expanded Definition
A card-not-present transaction is a payment flow where the merchant captures card details without a physical card or chip-read event, so the decision depends on digital evidence such as billing address, device signals, transaction history, and authentication outcome. In practice, the term is used across e-commerce, mail order, telephone order, in-app payments, and recurring billing, but definitions vary across vendors when tokenization, wallets, and network authentication are involved. For security teams, the key distinction is that the cardholder is not physically present, which removes a major fraud signal and shifts trust to remote controls, customer behaviour analysis, and payment authentication. This makes card-not-present activity fundamentally different from card-present acceptance, even when the merchant uses strong checkout tooling. Guidance from NIST Cybersecurity Framework can help organisations frame risk management around remote transaction trust decisions, while NIST SP 800-53 Rev 5 Security and Privacy Controls provides control language relevant to authentication and monitoring. The most common misapplication is treating card-not-present status as a checkout channel rather than a fraud-risk condition, which occurs when teams ignore the loss of physical card verification.
Examples and Use Cases
Implementing card-not-present payments rigorously often introduces friction at checkout and more false declines, requiring organisations to weigh conversion rate against fraud loss and chargeback exposure.
- An online retailer accepts payment through a web checkout and uses 3-D Secure, address verification, and device fingerprinting to reduce fraud on high-risk orders.
- A subscription service stores a network token for recurring billing and correlates renewal attempts with prior account behaviour to identify abnormal usage.
- A call centre processes telephone orders, where agent procedures, call verification, and fraud screening matter because the customer never presents the card physically.
- A travel booking platform approves purchases with limited merchant context, then flags mismatched geolocation, email age, or velocity patterns for manual review.
- A digital wallet transaction still counts as card-not-present when the underlying authorization depends on remote credentials rather than a physical terminal interaction.
For broader payment-security context, PCI DSS guidance is commonly used alongside internal fraud rules to reduce exposure in remote channels. The concept also overlaps with identity proofing when a merchant uses account takeover resistance, step-up authentication, or out-of-band verification to confirm the payer. Where payment risk is concentrated in digital channels, the merchant has to assume that more evidence is needed than a card number alone.
Why It Matters for Security Teams
Card-not-present transactions matter because they compress multiple risks into a single trust decision: stolen credentials, account takeover, synthetic identity use, bots, and refund abuse can all surface in the same payment flow. Security and fraud teams need to understand the term because the controls that work for card-present environments do not transfer cleanly to remote commerce. Monitoring, authentication strength, transaction scoring, and dispute handling all become part of the control stack, especially where merchants support guest checkout, recurring billing, or international orders. The identity connection is direct: when a customer cannot present a card, the merchant often relies on account identity, device reputation, and behavioural signals to decide whether to proceed. That is why payment security increasingly blends with identity verification and NHI governance, especially where automated checkout bots or agentic purchasing workflows initiate transactions at scale. NIST control guidance and PCI-oriented safeguards help teams structure this risk, but local fraud patterns still determine the real exposure. Organisations typically encounter the cost of weak card-not-present controls only after chargebacks, authorization declines, or fraud ring activity spikes, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, while PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM | Frames remote-payment risk management and trust decisions for digital transaction channels. |
| NIST SP 800-53 Rev 5 | IA-2 | Authentication controls are central when cardholders are not physically present. |
| PCI DSS v4.0 | PCI DSS v4.0 governs payment security requirements for card-not-present environments. | |
| NIST SP 800-63 | AAL2 | Digital identity assurance helps validate remote customers when no card is physically presented. |
Document card-not-present fraud risk and assign ownership for controls across checkout, review, and disputes.
Related resources from NHI Mgmt Group
- How should security teams reduce chargeback risk in card-not-present commerce?
- Why do misleading consent statements present significant risks?
- What is the difference between entitlement review and transaction-first governance?
- How should security teams implement continuous transaction monitoring across business systems?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org