Anyone who shops online – which these days is basically everyone – is familiar with the three-digit security code on the back of a debit or credit card. Also referred to as the CVV or CVC, it is frequently required when you’re not paying face-to-face, such as when shopping online or paying bills over the phone. CVVs are a good vehicle to prevent card-not-present (CNP) fraud, but are by no means perfect – let’s understand why.
Why do we need card security codes?
The security code’s purpose is to prove you are in possession of the physical card itself (and are its rightful owner) when you’re not paying face-to-face. Those types of transactions are called card-not-present transactions, or CNP for short. Simply put, the security code is supposed to prevent CNP fraud.
Unlike all the other card details (cardholder name, card number, expiration date), the security code is the only piece of data that is neither encoded in the magstripe nor transmitted as part of an in-store purchase. In CNP transactions, security codes are passed directly to the processor and not stored in merchant card-on-file databases. Therefore, in the event of a data breach where millions of cards are stolen off a merchant’s server, the security code is safe.
Without the CVV data, fraudsters can only shop on websites that do not require a security code at checkout. That’s why the more websites that require a CVV, the better.
So where’s the problem?
The problem is that unfortunately fraudsters CAN and DO manage to obtain CVVs through a variety of methods…
How fraudsters steal CVVs
Spying on your keystrokes
While you are innocently filling in your card information online, a hacker may be collecting the info you type. Web-based keyloggers are a type of malware that targets website forms – including checkout pages – to secretly capture the information customers are typing, including the CVVs.
Non-compliant card-on-file databases
While merchants should not be storing CVVs on their servers according to PCI requirements, some of them do anyway. And if those databases are ever breached, fraudsters obtain all the card info needed to buy whatever they want, on whatever website they want.
Phishing and social engineering
Phishing is a practice that’s not going away. Fraudsters send out phony emails with various “calls-to-action” which criminals use to phish for account access. Or they create duplicate versions of bank websites – which are difficult to spot – and direct traffic to their self-engineered sites where victims are stripped of passwords, security questions, and card information.
Often, fraudsters will call customers and pose as bank employees. Citing some personal information and perhaps the last four digits of a credit card, they sound legitimate. They then coax customers to disclose full credit card information, account PINs and much more sensitive information.
Can the card itself be the solution to prevent CNP fraud?
There are other ways fraudsters can get your CVV. Let’s say you’re at a restaurant, and after enjoying your meal, you hand your card to the server for payment. The server goes into the kitchen and copies down all the card details including the CVV. That server can now shop to their heart’s delight until you or your issuer detect some unauthorized transactions.
But what if – twenty minutes later – the CVV they copied were no longer valid?
How can that be done? With dynamic security codes, or what we call Dynamic Code Verification.
A Dynamic Code Verification (DCV) card is an EMV payment card with a special ePaper display. The display replaces the static 3-digit security code with a time-based dynamic code. The code changes every 20 minutes automatically, so basically you have a different security code for every transaction. The code is generated based on a cryptogram and validated by a server on the backend.
The point of these cards is to make sure that in all cases – even when the CVV is obtained – the stolen card data has very limited value, preferably no value at all.
If a fraudster manages to steal a DCV card’s security code, they won’t have much time to use it. Because within 20 minutes, the stolen code will expire, transactions will fail, and a fraud alert will be triggered with the issuer. You can nip fraudulent activity in the bud, minutes after its detection.
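The time-windowed check described above can be sketched as follows. This is an added example, not the vendor's or any issuer's code: the page does not say how the cryptogram is computed, so HMAC-SHA-256 with HOTP-style truncation stands in for it, and `dcv_code`, `DcvValidator`, the failure limit and the lookback depth are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 20 * 60  # from the page: the code changes every 20 minutes
CODE_DIGITS = 3           # from the page: replaces the static 3-digit code
MAX_FAILURES = 3          # assumption: only 1,000 possible codes, so cap guesses
LOOKBACK_WINDOWS = 3      # assumption: how far back an expired code is recognised


def dcv_code(card_key: bytes, window: int) -> str:
    """Code for one window: HMAC over the window counter, HOTP-style truncation."""
    mac = hmac.new(card_key, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class DcvValidator:
    """Issuer-side check for one card (hypothetical class, per-card secret key)."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.failures = 0

    def _matches(self, submitted: str, window: int) -> bool:
        expected = dcv_code(self.card_key, window)
        return hmac.compare_digest(submitted.encode(), expected.encode())

    def check(self, submitted: str, now: float) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        window = int(now // WINDOW_SECONDS)
        if self._matches(submitted, window):
            self.failures = 0
            return "approved"
        self.failures += 1
        # A code that was valid in a recent window points to replayed card data
        # rather than a typo: decline and hand the event to fraud monitoring.
        for age in range(1, LOOKBACK_WINDOWS + 1):
            if self._matches(submitted, window - age):
                return "declined_expired_code"
        return "declined_wrong_code"


if __name__ == "__main__":
    key, t = bytes(range(16)), 1_700_000_000  # constructed sample key and time
    code = dcv_code(key, t // WINDOW_SECONDS)
    print(code, DcvValidator(key).check(code, t))
```

With only 1,000 possible codes, a random guess lands on one of the three recently expired values about 0.3% of the time, so the expired-code result is an input to fraud monitoring rather than proof of theft, and the failure cap is what keeps guessing impractical.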
Increasing security without creating friction
In the search for a solution to prevent CNP fraud, the one thing you want to avoid is creating friction in the cardholder’s experience.
Consumer tolerance for interference and hassle is so low, it’s absolutely critical to make the checkout experience as simple, familiar and seamless as possible. If there’s one thing merchants hate, it’s abandoned shopping carts due to a poor checkout experience.
The ideal remedy should also require nothing of the merchant – no code to develop, no new step or new screen to create.
With DCV nothing needs to change on the merchant’s website. All checkout screens remain the same. When the customer checks out, they enter the code currently displayed on their card. This code will be verified at the issuer’s side (via their processor), and the transaction will be approved. DCV is also available on mobile, so it can be a feature of your mobile banking app.
DCV is complementary to other CNP mitigation strategies like 3DS or tokenization, and it’s supported and encouraged by Visa and MasterCard. Unlike those other solutions, it’s a completely issuer-centric solution that requires no merchant integration and is compatible with existing infrastructure, and it’s very easy to implement.
Another plus – there’s no cardholder enrollment and no cardholder education. The familiar act of getting the security code off the back of the card remains the same.
Now is the time to focus on CNP fraud
EMV has done wonders to reduce in-store fraud, so it’s no surprise that fraudsters are directing all their energy to online fraud, where they can still get away with it.
And they have plenty of opportunity:
The e-commerce share of total retail sales has doubled roughly every six years since 2004, reaching 8.3 percent at the end of 2016.
Issuers, who bear the brunt of card fraud, should focus their attention on options like DCV and strong fraud monitoring solutions that can detect anomalies in transaction behavior. Through the combination of EMV and DCV, credit unions and community banks can achieve a holistic approach to countering fraud across all commerce channels: EMV to prevent in-store fraud and DCV to prevent CNP fraud.