In the credit-card industry, card not present transactions typically represent e-commerce transactions in which the customer buys products and services over the internet from a desktop or mobile device, and the credit card is “not present” in front of the merchant. Customers typically type the sensitive credit-card details into a payment form in the browser as part of the e-commerce transaction. Note that, from the application's point of view, this is no different from a user typing in other sensitive information such as a social security number, a bank account number or medical data: card not present transactions are one instance of the general class of transactions that involve the direct input of unencrypted sensitive data into the application's input interface.
The browser, using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (in practice only TLS should be negotiated today; all SSL versions are obsolete), encrypts the sensitive cardholder data (CHD) and transmits it to the application server. Note that TLS protects the CHD only in transit: wherever the TLS session is terminated, typically at a load balancer or in the web tier, the CHD is in cleartext from that point onward. After passing through the web tier, the CHD arrives in the application tier for business processing.
E-commerce applications vary in how they process credit-card transactions, depending on the agreements the company has established with its Merchant Bank (MB). Some contact the MB's payment gateway immediately and settle the transaction; others store the CHD with the transaction and batch the settlement at a later time of day. In some cases the application handling the customer transaction is not even responsible for transaction authorization: it stores incomplete transactions in the ADB, and another application within the infrastructure reads the ADB to settle them. Every variant that stores CHD for later use extends both the period and the set of components for which the CHD must be protected at rest.
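The deferred-settlement flow described above, as an added example that is not code from the original article: the application tier validates what the payment form delivered, keeps only a token and a masked PAN in the record that goes to the ADB, never persists the CVV, and a separate batch worker detokenizes only for the gateway call. `TokenVaultStub`, `gateway_call` and the form field names are assumptions made for the example; a real deployment would use an out-of-scope tokenization service or encryption under a managed key instead of the in-memory stub.

```python
# Application-tier intake of card-not-present CHD (illustrative example).
import re
import secrets
from dataclasses import dataclass
from datetime import date


def luhn_ok(pan: str) -> bool:
    """Length plus Luhn checksum: a cheap sanity check before a PAN is handled further."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class CardInput:
    """What the payment form delivers to the application tier."""
    pan: str
    exp_month: int
    exp_year: int
    cvv: str  # needed for the authorization call only, never persisted
    holder: str

    def __repr__(self) -> str:
        # A stray repr()/log line must not leak the full PAN or the CVV.
        return (f"CardInput(pan={mask_pan(self.pan)}, "
                f"exp={self.exp_month:02d}/{self.exp_year}, cvv=***)")


def parse_form(form: dict) -> CardInput:
    """Validate the raw form fields (names are assumed) and reject anything malformed."""
    pan = re.sub(r"[\s-]", "", form.get("card_number", ""))
    if not luhn_ok(pan):
        raise ValueError("PAN failed length/Luhn check")
    cvv = form.get("cvv", "")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    month, year = int(form["exp_month"]), int(form["exp_year"])
    if not 1 <= month <= 12 or date(year, month, 1) < date.today().replace(day=1):
        raise ValueError("card expiry invalid or in the past")
    return CardInput(pan, month, year, cvv, form.get("holder", "").strip())


class TokenVaultStub:
    """Constructed stand-in for a tokenization service (hypothetical). The application
    keeps only the opaque token; the token-to-PAN mapping lives in a separately scoped
    component. Never use an in-memory dict like this in production."""

    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "track1", "track2"}


def storable_record(card: CardInput, vault: TokenVaultStub,
                    order_id: str, amount_cents: int) -> dict:
    """The only shape that may be written to the ADB for deferred/batch settlement.
    There is deliberately no CVV field: it is used for authorization, then discarded."""
    return {
        "order_id": order_id,
        "amount_cents": amount_cents,
        "pan_token": vault.tokenize(card.pan),
        "pan_masked": mask_pan(card.pan),
        "exp": f"{card.exp_month:02d}/{card.exp_year}",
        "holder": card.holder,
        "status": "pending_settlement",
    }


def assert_storable(record: dict) -> None:
    """Guard before any ADB write: refuse sensitive authentication data and full PANs."""
    bad = SAD_FIELDS & {k.lower() for k in record}
    if bad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(bad)}")
    for key, value in record.items():
        if isinstance(value, str) and luhn_ok(value):
            raise ValueError(f"field {key!r} contains what looks like a full PAN")


def settle_pending(records: list, vault: TokenVaultStub, gateway_call) -> int:
    """Batch worker of the kind the text describes: another process reads the ADB and
    settles incomplete transactions. gateway_call is a hypothetical callable
    (pan, exp, amount_cents) -> bool; the PAN is detokenized only for that call."""
    settled = 0
    for rec in records:
        if rec["status"] != "pending_settlement":
            continue
        ok = gateway_call(vault.detokenize(rec["pan_token"]), rec["exp"], rec["amount_cents"])
        rec["status"] = "settled" if ok else "failed"
        if ok:
            settled += 1
    return settled
```

The point of the split is scope: the ADB, the batch worker and every log line that touches the record see a token and a masked PAN, and only the component behind `detokenize` ever holds the full PAN, so the number of places that need PCI-grade protection at rest stays small.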
The following considerations need to be made with respect to “card not present” transactions: