The 3 Numbers Behind eCommerce Payments - Cipher (2024)

Online shopping keeps getting more popular, and in-store transactions are increasingly moving online. Even if a person picks up an item in a store or restaurant, the order might have been placed beforehand online or via the store app. In many transactions where people are not physically present, the CVV code comes into play. This blog digs into this number from the perspective of both the consumer and the merchant.

The Codes Explained

In the mid-to-late 90s, payment card companies added this data point to help secure transactions made over the phone or online. The number has many alternate names depending on the issuing company.

  • Mastercard: CVV (Card Verification Value)
  • VISA: CVC (Card Verification Value)
  • American Express: CID (Card Identification Number)
  • Discover: CVD (Card Verification Data)
  • JCB: CAV (Card Authorization Value)

The 3 digits (4 with American Express) are generated using an encryption algorithm that incorporates the account number, the expiration date and encryption keys held by the card issuer. The result is then decimalized. When a transaction occurs, the payment card bank authenticates the number. To further safeguard card data, the Payment Card Industry Data Security Standard (PCI DSS) requires companies to not store this data at all.
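The derivation just described, sketched as an added example (not code from the original post or from any card network): a keyed function over the account number and expiration date, decimalized to 3 or 4 digits, which the issuer verifies by recomputing. HMAC-SHA256 stands in for the issuer's actual encryption procedure, and the key and card number are constructed test values.

```python
import hashlib
import hmac

# Constructed test values. A real issuer key stays inside the issuer's systems.
ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TEST_PAN = "4111111111111111"


def decimalize(hex_digest: str, length: int = 3) -> str:
    """Turn hex output into decimal digits: take the characters 0-9 in
    order first, then map a-f to 0-5 if more digits are still needed."""
    hex_digest = hex_digest.lower()
    digits = [c for c in hex_digest if c in "0123456789"]
    letters = [str(int(c, 16) - 10) for c in hex_digest if c in "abcdef"]
    out = "".join(digits + letters)[:length]
    if len(out) < length:
        raise ValueError("digest too short to decimalize")
    return out


def derive_code(key: bytes, pan: str, expiry_yymm: str, length: int = 3) -> str:
    """Keyed derivation over account number and expiration date.
    HMAC-SHA256 is a stand-in for the issuer's real procedure."""
    if not (pan.isdigit() and expiry_yymm.isdigit() and len(expiry_yymm) == 4):
        raise ValueError("PAN and expiry must be numeric (expiry as YYMM)")
    mac = hmac.new(key, f"{pan}|{expiry_yymm}".encode(), hashlib.sha256)
    return decimalize(mac.hexdigest(), length)


def issuer_verify(key: bytes, pan: str, expiry_yymm: str,
                  presented: str, length: int = 3) -> bool:
    """The issuer recomputes the code instead of looking it up, so no party
    has to keep it on file. Malformed input is rejected before comparing."""
    if len(presented) != length or not (presented.isascii() and presented.isdigit()):
        return False
    expected = derive_code(key, pan, expiry_yymm, length)
    return hmac.compare_digest(expected, presented)
```

Without the issuer-held key the code cannot be recomputed from the card number and expiration date alone, which is why it adds information that a stolen number and date do not carry.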

PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized.

When a transaction occurs, the data is sent or stored. Once the transaction has occurred, it should no longer be stored. The standard goes on to specify that the data cannot be stored even if the card owner requests it.
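An added example of how a merchant might apply this rule in code (not part of the original post or of PCI DSS itself): the code is passed to the payment gateway once and left out of the stored record, and an audit pass finds codes that older data or logged text still retain. The payload layout, field names and the `gateway` callable are assumptions.

```python
import re

# Field names are assumptions about a hypothetical checkout payload.
CODE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "cvd", "cav", "security_code"}
# Codes also leak into free text such as logged request bodies.
FREE_TEXT = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cvd|cav)\b\W{0,4}\d{3,4}\b")


def authorize_then_persist(payload, gateway, store):
    """Pass the code to the gateway once, then store a record without it."""
    approved = gateway(payload["pan"], payload["expiry"], payload["cvv"])
    record = {k: v for k, v in payload.items()
              if k.lower() not in CODE_FIELDS and k != "pan"}
    record["pan_last4"] = payload["pan"][-4:]
    record["approved"] = approved
    store.append(record)
    return record


def find_retained_codes(records):
    """Audit stored data (nested dicts and lists) and return the path of
    every field that still holds a verification code."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else str(key)
                if str(key).lower() in CODE_FIELDS and value not in (None, ""):
                    hits.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str) and FREE_TEXT.search(node):
            hits.append(f"{path} (free text)")

    walk(records, "")
    return hits
```

The free-text pattern will also match unrelated uses of abbreviations such as "cid", so its hits are leads to review rather than confirmed findings.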

Merchant’s Choice

Online merchants are not required to ask for the CVV code. The calculation they make weighs the cost of possible fraud against the benefit of an easier checkout. The organization responsible for fraud is either the bank, the payment card, or the merchant. There is a complex and massive world behind this and the chargeback element of fraudulent charges. In general, it will be the responsibility of the online merchant to pay for the fraud and reimburse the person whose card was used.

The merchant must choose whether to be stricter in accepting orders. Amazon is the king of online retail. They do not require the CVV code for many purchases. Upon first entering a card, they require the CVV code. The fraud detection that Amazon employs beyond CVV authorization is likely immense. Smaller retailers could require CVV as a mechanism to stop fraud from eating away their profits. There are a number of services and software products that merchants can use to lessen fraud.

Card-Not-Present Fraud

Transactions where the card is not physically present are vulnerable to fraud. A criminal only needs to get an order past a checkout shopping cart to succeed. Sneaking past that eCommerce goal line is possible if they get the right data. The CVV values are available in criminals' dumps, despite their supposed anonymity.

Criminals can get this information in a number of ways. Key-loggers on websites could capture the numbers when people type them in. The websites themselves could be compromised by “magecart attacks”. Phishing attacks could result in people giving the information up. During real-world interactions, cards are often taken out of sight and employees might simply write them down. Since the CVV is just three digits, there are 1,000 possible combinations, and brute force methods combined with a high volume of accounts can work.
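One way to catch that guessing from the defender's side, as an added example that is not part of the original post: count CVV mismatches per card, even when they are spread across merchants, and count how many different cards fail from one source. The log format, field names, token values and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authorization log lines (documentation-range IP addresses).
SAMPLE_LOG = """
2024-05-01T10:00:00Z card=tok_a1 merchant=m01 ip=203.0.113.5 result=DECLINE reason=CVV_MISMATCH
2024-05-01T10:01:10Z card=tok_a1 merchant=m02 ip=198.51.100.7 result=DECLINE reason=CVV_MISMATCH
2024-05-01T10:02:30Z card=tok_a1 merchant=m03 ip=198.51.100.9 result=DECLINE reason=CVV_MISMATCH
2024-05-01T10:03:00Z card=tok_b2 merchant=m01 ip=203.0.113.5 result=DECLINE reason=CVV_MISMATCH
2024-05-01T10:04:00Z card=tok_c3 merchant=m01 ip=203.0.113.5 result=DECLINE reason=CVV_MISMATCH
2024-05-01T10:05:00Z card=tok_d4 merchant=m04 ip=192.0.2.44 result=DECLINE reason=CVV_MISMATCH
2024-05-01T11:30:00Z card=tok_d4 merchant=m04 ip=192.0.2.44 result=APPROVE reason=OK
"""


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def detect_cvv_guessing(lines, window=timedelta(minutes=10),
                        per_card=3, cards_per_ip=3):
    """Alert on (a) repeated CVV mismatches for one card inside the window
    and (b) one source failing the CVV check on many different cards."""
    by_card = defaultdict(deque)   # card token -> recent mismatch events
    by_ip = defaultdict(deque)     # source IP -> recent mismatch events
    alerts = set()
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for event in events:
        if event.get("reason") != "CVV_MISMATCH":
            continue
        for index, key in ((by_card, event["card"]), (by_ip, event["ip"])):
            recent = index[key]
            recent.append(event)
            while event["ts"] - recent[0]["ts"] > window:
                recent.popleft()   # drop events older than the window
        if len(by_card[event["card"]]) >= per_card:
            alerts.add(("card", event["card"]))
        if len({e["card"] for e in by_ip[event["ip"]]}) >= cards_per_ip:
            alerts.add(("ip", event["ip"]))
    return sorted(alerts)
```

Keying the first counter on the card rather than on the merchant or session is what lets it see guesses that are spread over several shops, which only a party with a cross-merchant view (an issuer, network or payment processor) can do.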

A researcher has estimated the cost of the average compromised account with a CVV code to be between $2 and $8. With this information the scam can occur. Demand for account information containing the CVV code is high. The reason might be that fraud with the card present is more difficult now that new cards have chips.

CVV and More to Stop Fraud

Both consumers and merchants are affected by payment card fraud. For the consumer, the impact can come in the form of money lost in the first place. Charges are often under $10. This low amount can let them go under the radar. If the fraud is discovered, then they must cancel their card, file a claim and then wait to receive a new card and update the information anywhere it was stored. For merchants, the impact is money spent to reimburse the consumer.

The CVV code is a noble attempt to stop credit card fraud, but it is not the only answer. Merchants should follow the PCI DSS standards to lessen the likelihood of fraud. The standards have specific guidelines and requirements for every element of payment card data, transmission and storage. Cipher works as a trusted advisor to companies as they follow PCI DSS standards. Join us for a webinar on PCI compliance.




Author: Chrissy Homenick
