Card Security Codes and Fraud Prevention
The lack of security around card-not-present transactions has been a known issue for a long time. One of the first tools to prevent credit card fraud in phone and online transactions was the card security code, a short string of numbers separate from the card account number that could be used to verify whether the cardholder had the payment card in their actual possession.
Card security codes pose a significant obstacle for fraudsters, but merchants should be aware that they aren’t foolproof. How do card security codes work, and what should merchants keep in mind about what they can—and can’t—do to prevent fraud?
Card-present transactions have benefited from technological fixes: the EMV chip, for example, has made cloned and counterfeit cards practically obsolete, significantly reducing fraud rates in card-present spaces.
When it comes to card-not-present transactions, however, it’s not quite so easy to develop a technological solution that retains the speed and convenience consumers are used to when they make credit card payments. The card security code (CSC), also widely known as the card verification value (CVV), was one of the first attempts to solve this problem, and it’s still an important element of online payment card security.
Card-not-present fraud steals billions of dollars per year, most of it from the merchants who ultimately end up liable for the costs of fraud. Every instance of true fraud is likely to result in a legitimate chargeback, and the only way for merchants to avoid this revenue loss is to anticipate and prevent fraud ahead of time. While there are usually a lot of components to a successful anti-fraud strategy, simple safety precautions—such as handling CSCs correctly—can make a noticeable difference.
What Is a Card Security Code?
A CSC is a three- or four-digit number printed (not embossed) on a credit card. It is used as a form of proof that the person attempting to use the card has the physical card in their possession.
CSCs were developed by Equifax in the late 1990s as a way to increase security in the newly emerging world of e-commerce. The concept was soon adopted by all of the major credit card networks, although they have each chosen to implement CSCs in slightly different ways.
Discover, Mastercard, and Visa use a three-digit CSC that is printed on the back of the card; American Express uses four digits and prints it on the front. Furthermore, each card network uses a different term to refer to their CSC:
- American Express: Card Identification Number
- Discover: Card Security Code
- Mastercard: Card Validation Code 2
- Visa: Card Verification Value 2
Mastercard and Visa use a “2” to designate the CSC printed on the back of their cards. This is used to differentiate them from the similar codes that are encoded in the magnetic stripe and used to validate card-present transactions.
How Are Card Security Codes Used in Transactions?
When a merchant processes a card-not-present transaction, they should request the CSC from the cardholder in order to verify that they actually possess the physical card.
One of the biggest security risks with e-commerce is the fact that card numbers have to be transmitted and stored on networks that may not be fully secure.
Cybercriminals can intercept network traffic and breach merchant servers to steal credit card account numbers, allowing them to use those cards fraudulently in card-not-present environments.
CSCs should never be stored locally alongside the associated card account number. Instead, they are sent securely and directly to the issuer as part of the process of authorizing a transaction. If the issuer can confirm that the CSC matches the account number (and everything else about the transaction is valid), they will send back an authorization approval message and the transaction can be completed safely.
It may be possible to force an online transaction through without CSC verification. However, this will leave the merchant without a valid defense if the cardholder decides to file a chargeback later.
Are There Security Issues with Card Security Codes?
A CSC is sort of like a password in the sense that it’s only secure if the owner takes care to protect it. Physical cards get lost and stolen by fraudsters, and CSCs can also be compromised when cardholders share them with others, write them down in conspicuous places, or provide them to phishers or fraudulent merchants.
If a fraudster can pair a card number with its CSC, they can freely use that card with online retailers until the cardholder catches on and reports it to their issuer. Merchants can prevent this by implementing additional security measures, such as anti-fraud filters and multi-factor authentication.
Some contactless cards and digital wallets use a dynamically generated CSC (sometimes referred to as a cryptogram or token) to provide an additional security layer. It is much harder for fraudsters to steal and use dynamic CSCs, but not every card has this functionality, and those that do may still have a static CSC that can be used as well.
What Should Merchants Keep in Mind about Handling Card Security Codes?
The best practices for CSCs are simple and easy enough to remember:
- Use secure web servers and shopping cart solutions that encrypt CSC transmissions
- Never ask customers to provide their CSC over unsecured channels such as email
- Never store CSC data in your customer database
- Use additional security measures, such as address verification, multi-factor authentication, and anti-fraud software, so that all of your protection doesn’t hinge on the CSC
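The handling rules above (per-network CSC length, CSC forwarded only in the authorization request, never written to the order record or logs) as an added Python example; this is illustrative code, not from the original article or any payment processor. The card number, amount and the `send_to_processor` stub are constructed placeholders, and keeping only the last four PAN digits is an assumption of this example.

```python
"""Merchant-side CSC handling: validate the format, forward it once, never persist it."""
import json
import re

# Expected CSC length per card network (three digits on the back; Amex prints four on the front).
CSC_LENGTH = {"amex": 4, "discover": 3, "mastercard": 3, "visa": 3}


def validate_csc(network: str, csc: str) -> bool:
    """True if csc is exactly the number of digits the given network uses."""
    expected = CSC_LENGTH.get(network.lower())
    return expected is not None and re.fullmatch(r"\d{%d}" % expected, csc) is not None


def build_authorization_request(network: str, pan: str, expiry: str, csc: str, amount_cents: int) -> dict:
    """The one message that carries the CSC: it goes to the processor/issuer and nowhere else."""
    if not validate_csc(network, csc):
        raise ValueError("CSC does not match the expected format for this network")
    return {"network": network, "pan": pan, "expiry": expiry, "csc": csc, "amount_cents": amount_cents}


def send_to_processor(auth_request: dict) -> dict:
    """Placeholder for the real processor call (constructed stub): approves any well-formed request."""
    return {"approved": True, "auth_code": "TEST00"}


def build_stored_order(auth_request: dict, auth_response: dict, order_id: str) -> dict:
    """What the merchant keeps after authorization: masked PAN, auth code, no CSC."""
    return {
        "order_id": order_id,
        "pan_last4": auth_request["pan"][-4:],
        "amount_cents": auth_request["amount_cents"],
        "auth_code": auth_response["auth_code"],
    }


def redact_for_log(auth_request: dict) -> dict:
    """Copy of the request that is safe to log: CSC removed, PAN masked to last four digits."""
    safe = dict(auth_request)
    safe["csc"] = "***"
    safe["pan"] = "*" * (len(safe["pan"]) - 4) + safe["pan"][-4:]
    return safe


def leaks_csc(record: dict, csc: str) -> bool:
    """Guard to run on anything persisted or logged: does the CSC appear in it anywhere?"""
    return csc in json.dumps(record)
```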
CSCs are a well-established element of payment card security. Cardholders generally know why they’re necessary (and that they need to be kept private), and merchants should understand why it’s so risky to process credit card transactions without them.
While they are effective at stopping low-effort fraudsters who only have access to basic payment credentials, sophisticated fraudsters may have ways to get around this form of protection.
A comprehensive chargeback defense strategy always needs to account for the prevalence of true fraud. True fraud chargebacks cannot be fought, and the only good time to deal with them is before they happen. CSC verification needs to be coupled with other anti-fraud measures in order to minimize these types of chargebacks.