Why card presence is no longer a key security metric

When the first ecommerce purchase happened, the payments industry needed a way to distinguish in-person transactions from online ones. That’s when the terms card present (CP) and card not present (CNP) were introduced. This framework helped assess risk, set specific scheme and interchange fees, and define performance standards at a time when paying meant swiping a physical card in a store or typing its numbers online.

A lot has happened since then. Commerce is no longer tied to a single point of interaction. It’s contextual. It happens in apps, through voice assistants, in cars, and, very soon, with AI-driven agentic commerce. 

However, one thing remains: payments are still classified as CP or CNP, with CP transactions often considered more secure due to card and cardholder presence. 

For example, if you charge your electric car and pay using the car’s built-in system linked to its digital wallet, the transaction is technically classified as card-not-present (CNP) because no physical card is used. In reality, though, the car acts as a physical device, similar to using Apple Pay or Google Pay. Even if the payment credentials aren’t physically present, the driver is, and the payment relies on a strong possession factor (the car with its bound credential).

With so many powerful, new security technologies at scale, we need a fundamental shift in our thinking. 

By treating each transaction as its own, rather than forcing them into CP or CNP, we can apply the right risk models, streamline processing, and improve performance for each payment type.

What really matters isn't the physical card but the strength of the authentication behind the payment; it's about whether the transaction is digitally authenticated, tokenized, analyzed in real time, and anchored in identity.

Authentication has evolved from 3DS1 being the single point of authentication to a multi-layered capability that embeds biometrics and multiple data points. It's no longer about proving an account holder has the card details; it's about proving they are who they say they are, across time, devices, and platforms.

The real opportunity lies in treating a customer's digital identity as a security function and a powerful enabler for better, more cost-effective experiences. The more confidently we know who someone is, the more seamless we can make their interactions, whether approving a payment, opening a loan, or logging into a platform.

The shift is underway. In the last 5 years, we've seen a more than 150% increase in authenticated ecommerce transactions.

A new game with AI and regulation

AI is now the common element for both the good and bad actors in the financial ecosystem, changing the game by making fraud more dynamic than ever.

At the same time, the regulatory landscape is also tightening.

Regulations like PSD3, eIDAS, the AI Act, and global privacy frameworks (like GDPR) are reshaping the rules and creating opportunities for differentiation. Regulations aren’t a burden; they can be a catalyst to upgrade our infrastructure and unify data, building long-term trust.

The best players won’t be the fastest. They’ll be the most secure. The most resilient organizations will be the ones that embed intelligence and trust into their core operations proactively rather than as an afterthought.

As our understanding of payments evolves, the industry must rethink how it approaches risk and security:

• Issuers must rethink their risk models and authentication strategies to support emerging user journeys.

• Merchants should view regulation not as a cost center but as a driver of smarter, more secure flows.

• Networks need to anchor their revamp of the point-of-interaction model in security and identity, not physical presence.

PSPs must orchestrate identity, security, and AI to provide safe and seamless commerce at scale.

The future of payments belongs to those who put identity and intelligence at the center of security. 

Secure payments will rely on strong, portable, and user-centric identity frameworks powered by authentication, tokenization, biometrics, and AI. The focus must be on embedding intelligence, authentication, and risk controls into every point of interaction, ensuring that security is not just a checkbox, but a seamless part of the customer journey.

Forward-thinking players will leverage mandates like PSD3 and eIDAS to build smarter, safer, and more inclusive payment experiences, turning compliance into a competitive advantage.

Moving beyond card presence, businesses can embed trust into every transaction, protecting customers while creating secure, seamless, frictionless experiences.