MoTo: A Legacy Payment Method with a High Risk of Fraud
MoTo (Mail Order/Telephone Order) payments are those in which you must provide your card details over the phone or send them by email so the merchant can enter them manually. They have no basic security features: no chip, no CVV required, no biometrics, and no two-factor authentication (SCA).
Why is it so risky?
Because MoTo combines all the ideal ingredients for fraud:
- It is a remote payment without cardholder verification (Strong Customer Authentication, or “SCA”).
- Many merchants don’t even ask for the CVV: the card number and expiration date are enough.
- The data is entered manually, with all the risks that entails.
| Feature | MoTo payments |
|---|---|
| In-person customer | No |
| Collection of data | Dictated over the phone or via email |
| CVV validation | Not available |
| Cardholder verification / SCA | Not available |
| Fraud risk | Very high |
While payment security continues to evolve with the use of biometrics, tokenization, digital wallets, and other technologies, MoTo remains a gateway for fraud. If a fraudster obtains your basic card information (which, unfortunately, happens often), they can make purchases at any merchant that accepts MoTo, and you will not notice anything until you check your card statement.
Case in point: a fraud involving over 2 million euros was committed through the telephone sale of fake hotel vouchers, taking advantage of MoTo’s ease of use.
A legacy method… but still very much in use
Although it may sound like a thing of the past, MoTo is used more often than it should be. It is present in industries such as travel and entertainment, as well as in retail, restaurants, and gambling.
Many merchants keep using it because it reduces friction (no CVV required, no two-factor authentication), which increases conversion rates.
The hidden cost:
- The merchant bears the cost of fraud.
- The user remains equally exposed.
You can even notice it in everyday experiences. For example, recently I wanted to book a hotel room: since they didn’t have a website, I had to call. When they asked for my card details, I hesitated: who can guarantee that person won’t use this information for something else? In the end, I paid, but with a sense of unease.
Industry data shows that, despite representing just 1% of total transactions, MoTo concentrates around 10% of confirmed annual fraud. A hard-to-justify imbalance.
Are there alternatives? Yes, and very good ones
The surprising part is that MoTo continues to exist when there are safer, technologically mature options that offer good conversion rates:
- Standard e-commerce with strong authentication.
- Payment links for remote transactions, such as Redsys’s PayGold solution.
The case of PayGold is particularly clear:
- The merchant sends a secure payment link to the customer.
- The customer pays as if it were a standard e-commerce transaction.
- If applicable, two-factor authentication is required.
- The merchant does not see the card details.
- There is no manual data entry.
- And the transaction is protected.
What do the regulations say?
Under PSD2, MoTo payments are exempt from SCA for technical reasons, not because they are considered secure. In fact, since they lack robust traceability and end-to-end encryption, they do not align with the security principles required by the EBA. Furthermore, the merchant bears liability for fraud, even though many are unaware of this.
Everything points to MoTo being an obsolete payment method, with regulatory risk and an experience that falls far short of current security standards.
What Redsys Is Doing
Redsys is working with Spain’s leading financial institutions to promote industry-wide measures to reduce the use of MoTo. The goal is to limit the number of merchants that accept it and encourage secure alternatives.
As a result:
- Only 4.3% of active merchants accept MoTo (previously around 50%).
- Only 1.0% of new sign-ups include this method.
This reduces overall risk and allows for more accurate fraud detection.
The question is inevitable: Does it make sense to continue accepting payments by phone or email given the technology we have today?
Recommended best practices to minimize risk
| If you are an acquirer: | If you are a cardholder: |
|---|---|
| Limit MoTo in MCCs where it is not appropriate. | Be wary if you are asked for your card details over the phone or by email. |
| Restrict its use for new sign-ups until genuine activity is verified. | Prioritize verified channels with authenticated payment. |
| Encourage secure alternatives such as PayGold. | Whenever possible, use two-factor authentication methods. |