MOTO Payment (Mail Order/Telephone Order)
What is a MOTO payment for call centers?
A MOTO payment (Mail Order/Telephone Order) is a credit or debit card transaction where the cardholder is not physically present. The customer provides their card details by phone, postal mail, or fax, and the merchant manually enters them into a virtual POS terminal to process the charge.
This type of operation is classified as a CNP transaction (Card Not Present): there is no EMV chip reading and no biometric authentication. The absence of the physical card increases the risk profile and affects both the fees applied and the liability in case of fraud.
How a MOTO payment works
The operational flow of a MOTO transaction follows these steps:
- The customer provides their card details: PAN number, expiry date, CVV, and billing information.
- The agent accesses the virtual POS dashboard and manually enters the information.
- The processor sends the authorization request to the card network and the issuing bank.
- The issuer checks validity, available funds, and applies fraud controls.
- If approved, the funds are reserved until settlement, which usually takes 24 to 48 hours.
One key factor differentiates MOTO payments from other CNP transactions: PSD2 explicitly exempts them from Strong Customer Authentication (SCA). Because the payment is not initiated by the payer through an electronic channel, the 3D Secure protocol is not required. This exemption reduces friction, but shifts full fraud liability to the merchant and its acquirer.
Requirement 3.3.1.2 of PCI DSS v4.0 prohibits storing the card verification code (CVV) once the authorization process is completed. Its purpose is to prevent stolen data in MO/TO environments from being used to perform fraudulent transactions.
Regulatory impact and security requirements for MOTO payments
MOTO transactions operate at the intersection of several European regulations:
- PSD2 and SCA. Royal Decree-Law 19/2018, which transposes PSD2 in Spain, requires strong customer authentication for most electronic payments. MOTO operations are excluded because they are not considered electronic payments initiated by the payer. The merchant assumes the fraud risk without issuer verification.
- PCI DSS v4.0. Any entity that receives card data by phone or mail must comply with PCI DSS. Requirements 3.3.1.1 and 3.3.1.3 state that neither full track data nor the PIN may be stored after authorization. Tokenization is the recommended practice to reduce PCI scope.
- AML/CFT. MOTO channels are under regulatory scrutiny due to the difficulty of verifying the payer’s identity in real time.
| Aspect | MOTO payment (CNP) | Card-present payment (CP) |
|---|---|---|
| Authentication | No SCA or 3D Secure | EMV chip or contactless |
| Fraud liability | Borne by the merchant | Borne by the issuer |
| Typical fees | Higher (risk premium) | Lower |
| Chargeback risk | High | Low |
| Key PCI DSS requirement | Storing CVV is prohibited | Secure reading via certified terminal |
Operational advantages and disadvantages of MOTO
Advantages:
- Enables payments from customers without Internet access or who prefer phone-based service, expanding the buyer base.
- Supports remote sales in sectors such as hospitality, travel reservations, and professional services.
Disadvantages:
- Processing fees are higher due to the inherent risk premium of CNP transactions.
- Fraud liability falls entirely on the merchant, without shifting it to the issuer through SCA.
- Exceeding 0.9%–1% chargebacks over total volume can lead to scheme penalties and inclusion in restrictive lists such as MATCH.
- Manual handling of card data requires a full PCI DSS-compliant environment, with the associated certification and audit costs.
Was this term useful?
Leave a Comment