Tighten Up Your eCommerce Security with Dynamic CVV
Table of Contents
- What is dCVV2?
- How does dCVV2 work?
- Why use dCVV2?
- Will dCVV2 impact chargebacks?
- The anti-fraud arms race
- What is a dynamic CVV?
With EMV chips making fraud more difficult in card-present environments, combined with a rise in eCommerce in part driven by the Coronavirus pandemic, more and more fraudsters are going online.
To combat the rise in online fraud, Visa has created dCVV2, or Dynamic CVV2, a new version of the Card Verification Value system designed to reduce some of the vulnerability to fraud that's long been an inescapable part of card-not-present transactions. How does Dynamic CVV2 work, and can it really help eCommerce merchants put a stop to card-not-present fraud?
Since online transactions can’t make use of the EMV chip’s capabilities, eCommerce merchants are left with decidedly low-tech identity verification methods, such as Address Verification Service (AVS) and CVV. Thus, most merchants invest in third-party fraud prevention tools to try to make up for the increased difficulty of customer identification. While there are new identity verification technologies on the horizon, dCVV2 has the advantage of working with existing systems.
Online fraud has been rising sharply in recent years, and merchants can't fight true fraud chargebacks once they occur. Dynamic CVV numbers were designed to address this problem by providing what is essentially a two-factor authentication system that doesn't require merchants to implement any new systems.
What is dCVV2?
“Card Verification Value” is the term Visa uses for the three-digit security code printed on the backs of credit and debit cards. The “2” distinguishes it from CVV1, which is encoded in the card’s magnetic stripe and used to verify card-present transactions.
The idea is that the CVV is not stored with the other payment credentials in a merchant's system, so if the purchaser can provide it at the time of the transaction, it serves as reasonable assurance that they have the actual card and not a set of stolen credentials. However, it is far from foolproof, and fraudsters have more than one way to obtain CVV data for their illicit transactions.
With dCVV2, a new CVV2 number is dynamically generated at regular intervals and will only work until the next number is generated.
For example, a dCVV2-enabled card might generate a new number every day at midnight. For the entire day, the cardholder can use that CVV2 number to verify their transactions, but once midnight rolls around again and a new number is generated, it will stop working and the new number must be used instead.
How does dCVV2 work?
The CVV numbers we’re used to seeing are printed in indelible ink on the backs of credit cards—how, you may wonder, are they supposed to get swapped out at regular intervals?
The original concept for dCVV2 envisioned special cards with tiny batteries and digital displays, allowing the card itself to display the current number. Some issuers have offered these cards, but they’re more expensive to produce than regular credit cards, and they have to be replaced whenever the battery runs out. Instead, there’s a cheaper option that many other issuers have embraced—using their mobile banking apps to generate dynamic CVV2 numbers.
Using this method, when a cardholder wants to make an online purchase, they simply open their banking app and check the current CVV number, which they can then enter at checkout. In essence, this system works almost exactly like the Google Authenticator app does for two-factor authentication, with random rotating codes that don't need to be sent via text message, and therefore aren't vulnerable to interception.
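To make the authenticator comparison concrete, here is an added example (not Visa's dCVV2 algorithm, which this article does not specify, and not code from any issuer) that derives a three-digit code from a shared secret and the current time window, then checks it on the issuer side. The key, the test card number, the HMAC-SHA256 construction and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo values. This is NOT Visa's dCVV2 algorithm (the article
# does not specify it); it is a TOTP-like stand-in to show the mechanics.
CARD_KEY = b"constructed-per-card-secret-0001"  # shared by issuer and banking app
PAN = "4111111111111111"                        # well-known Visa test number
INTERVAL = 24 * 60 * 60                         # daily rotation, as in the article

def dynamic_code(key: bytes, pan: str, ts: int, interval: int = INTERVAL) -> str:
    """Derive a 3-digit code from the key, card number and time window."""
    window = ts // interval                     # same value for the whole window
    msg = pan.encode() + struct.pack(">Q", window)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                  # RFC 4226-style dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"

def verify(key: bytes, pan: str, submitted: str, now: int,
           interval: int = INTERVAL, grace_windows: int = 0) -> bool:
    """Issuer-side check. grace_windows > 0 also accepts codes from earlier
    windows, which is friendlier near rollover but lengthens replay time."""
    for back in range(grace_windows + 1):
        expected = dynamic_code(key, pan, now - back * interval, interval)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def replay_hits(key: bytes, pan: str, captured: str, start: int,
                windows: int, interval: int = INTERVAL) -> int:
    """Count later windows in which a captured code would still be accepted.
    With only 1000 possible codes, chance matches (about 1 in 1000) remain."""
    return sum(verify(key, pan, captured, start + w * interval, interval)
               for w in range(1, windows + 1))

if __name__ == "__main__":
    midnight = 1_700_000_000 // INTERVAL * INTERVAL   # start of a UTC day
    code = dynamic_code(CARD_KEY, PAN, midnight + 3600)
    print("today's code:", code)
    print("valid at 23:59:59:", verify(CARD_KEY, PAN, code, midnight + INTERVAL - 1))
    print("replay hits over next 100 days:",
          replay_hits(CARD_KEY, PAN, code, midnight, 100))
```

Because the code space is only three digits, an issuer running a scheme like this would still need to limit failed attempts per card; rotation narrows the replay window but does not by itself stop guessing.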
Why use dCVV2?
Checking a card’s CVV is one of a merchant’s first lines of defense against fraud. It won’t stop all of it, but imagine how many fraudulent transactions could get through if you didn’t use it.
Checking dCVV2 provides even greater confidence that the cardholder and the purchaser are the same individual, because it would be extraordinarily difficult for a fraudster to get their hands on a valid dCVV2 code before it expires.
Even if a fraudster is sniffing the merchant’s internet traffic, or has installed a keylogger on the cardholder’s device, dynamic CVV numbers will only be good for a few days or hours before becoming useless.
The jury is still out on the ideal frequency for changing dCVV2 numbers: changing them too often can be frustrating for cardholders making frequent purchases, while not changing them often enough defeats the point of having dynamic numbers in the first place.
Visa’s embrace of dCVV2 should be completely painless for merchants, who only stand to benefit from the widespread use of protocols that minimize eCommerce fraud. It requires no change in procedure on the merchant’s end; dCVV2 data is captured and processed in the exact same way as existing CVV2 data.
While dCVV2 is currently only offered by certain issuing banks, it's likely to catch on quickly with larger banks that already have their own apps to add the service to. Plus, Visa has paid special attention to making the process of integrating dCVV2 generation into banking apps as simple as possible. For now, though, it's likely that cardholders will have to opt in to a dCVV2 card, which will limit how widespread it becomes on the customer side of things. If customer adoption is high, however, we might see some banks start to make dCVV2 the default option a few years from now.
Will dCVV2 impact chargebacks?
The impact of dCVV2 on chargebacks is to help merchants avoid them by screening out true fraud transactions. References to CVV2 in the Visa Rules have been updated to include dCVV2, and there is no change to the dispute process whether dynamic or static CVV numbers are used.
There is always the possibility that dCVV2 will create some challenges for the end users. Since any obstacle in the transaction process can lead to cart abandonment, merchants should keep an eye on any customer frustrations that result from dCVV2, even if there may not be much they can do about them.
Because dCVV2 numbers serve as strong confirmation that the person who authorized the transaction is the actual cardholder, proof that you verified a dCVV2 number can also be compelling evidence against friendly fraud chargebacks. A customer who entered a dCVV2 number at checkout will have a hard time convincing their bank that the transaction wasn't authorized, which could prevent some friendly fraud chargebacks from happening in the first place.
The anti-fraud arms race
At times, dealing with online fraud can feel like participating in an arms race. Every time merchants, card networks, and cybersecurity companies come together to devise new solutions to detect and prevent fraud, the fraudsters shift their tactics and find new vulnerabilities to attack. It may feel discouraging when you’re stuck cleaning up the financial mess fraudsters leave behind, but don’t despair—every time you implement a new and effective anti-fraud solution, you’re permanently shutting down some of their attack vectors and making it that much harder for them to target you in the future.
Dynamic CVV2 is just one of many anti-fraud solutions that merchants should be aware of as they develop comprehensive defenses against fraud and chargebacks. Every merchant’s situation is different, and the right combination of tools and methods for one merchant may be less effective for another. Careful analysis of your chargeback data can help reveal the right choices for your business.
Analyzing chargebacks and identifying their root causes is essential to figuring out which tools and strategies to deploy for optimal effect. Few merchants have the time or staffing to fully engage in this analysis on their own, but when this process is overlooked, it’s easy to misallocate resources on fighting the wrong kinds of chargebacks, while the ones that are really eating up your revenue continue to plague you.
When you understand where your chargebacks are coming from and what is needed to fight them, you can choose the right tools and put them to work where they will do the most good for you.
What is a dynamic CVV?