Tighten Up Your eCommerce Security with Dynamic CVV
We’re fast approaching a holiday season in which ecommerce merchants are set to do brisk business, but surging sales often come with increased levels of fraud and chargebacks. Protecting yourself requires the right tools implemented with the right strategies.
To combat the rise in online fraud, Visa is rolling out dCVV2, or Dynamic CVV2, a new version of the Card Verification Value system that has been designed to reduce some of the vulnerabilities to fraud that have long been an inescapable part of card-not-present transactions. How does Dynamic CVV2 work, and can it really help ecommerce merchants put a stop to card-not-present fraud?
With EMV technology thwarting fraud so effectively for card-present merchants, fraudsters have ramped up their efforts in attacking ecommerce stores. Online transactions can’t make use of the EMV chip’s capabilities, so ecommerce merchants are left with decidedly low-tech identity verification methods, such as Address Verification Service (AVS) and CVV—or, they can invest in third-party fraud prevention tools.
Online fraud has been rising sharply in recent years, and merchants have no recourse to fight true fraud chargebacks once they occur. Dynamic CVV numbers were created to address this problem by providing card-not-present merchants with a way to verify that the person placing an order is in possession of the actual payment card they’re using.
What is dCVV2?
“Card Verification Value” is how Visa refers to the three-digit security code printed on the backs of credit and debit cards. The “2” distinguishes it from CVV1, which is encoded in the card’s magnetic stripe and used to verify card-present transactions.
The idea is that the CVV is not stored with the other payment credentials, so if the purchaser can provide it at the time of the transaction, it serves as reasonable assurance that they have the actual card and not a set of stolen credentials. However, it is far from foolproof and fraudsters have more ways than one to obtain CVV data for their illicit transactions.
With dCVV2, a new CVV2 number is dynamically generated at regular intervals and will only work until the next number is generated.
For example, a dCVV2-enabled card might generate a new number every day at midnight. For the entire day, the cardholder can use that CVV2 number to verify their transactions, but once midnight rolls around again and a new number is generated, it will stop working and the new number must be used instead.
How does dCVV2 Work in Practice?
The CVV numbers we’re used to seeing are printed in indelible ink on the backs of credit cards—how, you may wonder, are they supposed to get swapped out at regular intervals?
The original concept for dCVV2 envisioned special cards with “digital ink” that would allow changing numbers to be displayed directly on the card surface. Some issuers offer these cards, but they’re more expensive to produce than regular credit cards, and there’s a cheaper option that many other issuers have embraced—using their mobile banking apps to generate dynamic CVV2 numbers.
In this case, when a cardholder wants to make an online purchase, they simply request a fresh CVV from their banking app, which they can then enter at checkout.
Why Use dCVV2?
Checking a card’s CVV is one of a merchant’s first lines of defense against fraud. It won’t stop all of it, but imagine how many fraudulent transactions could get through if you didn’t use it.
Checking dCVV2 provides even greater confidence that the cardholder and the purchaser are the same individual, because it would be extraordinarily difficult for a fraudster to get their hands on a valid dCVV2 code before it expires.
Even if a fraudster is sniffing the merchant’s internet traffic, or has installed a keylogger on the cardholder’s device, dynamic CVV numbers will only be good for a few days or hours before becoming useless.
Visa’s embrace of dCVV2 should be painless enough for merchants, who only stand to benefit from the widespread use of protocols that minimize ecommerce fraud. It requires no change in procedure on the merchant’s end; dCVV2 data is captured and processed in the exact same way as existing CVV2 data.
Will dCVV2 Impact Chargebacks?
The use of dCVV2 is unlikely to have any effect on chargebacks other than to help merchants avoid them by screening out true fraud transactions. References to CVV2 in the Visa Rules have been updated to include dCVV2, and there is no change to the dispute process whether dynamic or static CVV numbers are used.
There is always the possibility that dCVV2 will create some challenges for the end users, which merchants should be aware of, since they tend to get implicated—fairly or not—when a transaction goes wrong. The jury is still out on the ideal frequency for changing dCVV2 numbers: too often can be frustrating for cardholders, not often enough defeats the point of having dynamic numbers in the first place.
Because dCVV2 numbers serve as strong confirmation that the cardholder had the actual card in their possession at the time they placed a transaction, proof that you verified a dCVV2 number can be compelling evidence against friendly fraud chargebacks.
At times, dealing with online fraud can feel like participating in an arms race. Every time merchants, card networks, and cybersecurity companies come together to devise new solutions to detect and prevent fraud, the fraudsters shift their tactics and find new vulnerabilities to attack. It may feel discouraging when you’re stuck cleaning up the financial mess fraudsters leave behind, but don’t despair—every time you implement a new and effective anti-fraud solution, you’re permanently shutting down some of their attack vectors and making it that much harder for them to target you in the future.
Dynamic CVV2 is just one of many anti-fraud tools that merchants have to consider as they develop their comprehensive defenses against fraud and chargebacks. Every merchant’s situation is different, and the right combination of tools and methods for one merchant may be less effective for another. Careful analysis of your chargeback data can help reveal the right choices for your business.
Analyzing chargebacks and identifying their root causes is essential to figuring out which tools and strategies to deploy for optimal effect. Few merchants have the time or staffing to fully engage in this analysis on their own, but when this process is overlooked it’s easy to misallocate resources on fighting the wrong kinds of chargebacks, while the ones that are really eating up your revenue continue to plague you.
When you understand where your chargebacks are coming from and what is needed to fight them, you can choose the right tools and put them to work where they will do the most good for you.