Didyou know

Card Security Schemes are also known as CV, CVV (Card Verification Value), CVV2, CSC (Card Security Code) and CID.

Implementing card security checks, such as CV, CVV2 etc., has shown the ability to reduce the number of fraudulent attempts. It has also shown that it will cause a nominal reduction in sales conversion for online transactions. Merchants do not have to actually check the card security number to get the reduction in fraud attempts. Merchants should expect an increase in call center calls when they implement card security for the first time. The use of card security schemes by merchants is on the rise but the majority of merchants still do not use the card security code. MOTO has had a higher take-up on card security schemes than e-commerce. 

In the UK, card security schemes are not even recommended for use by e-commerce merchants by VisaEU. The intent of card verification is to attempt to verify that the consumer using the card is in possession of the card. They are good for catching fraudsters attempting to use stolen credit card information from online or through other means like the trash, or through other card activity as well as good at catching fraudsters who gained access to cards via skimming.

Blog: Will requiring Card Security numbers lower sales conversion?

 

subscribe to newsletter

 

 

Card Security Schemestechnique overview

The CV number is a tool for merchants to verify that the consumer is in possession of the card. This helps to prevent fraud in which the fraudster may have acquired the credit card number in the trash or online, but is not in possession of the physical card and cannot give this extra set of numbers. This number is a three or four digit number located either above the credit card number for American Express cards or on the back for Discover, MasterCard and Visa. Key considerations when implementing or buying this functionality include:

  • When a merchant implements this check on their website they will have to change their credit card submittal screen to show a picture of the credit card and where to find this number because a lot of consumers have no idea what this number is. It can cause some confusion and some additional customer service calls to complete an order.
  • Does not actually verify that the cardholder is making the purchase.
  • Not all consumers understand what/where this number is on their card.
  • Make sure all payment processors or banking institutions in use for payment support the card security check data elements.

How does it work?

The card security code is a three- or four-digit value. It has been implemented as a security feature to help stop counterfeit cards, and use of card numbers without the physical card. The value provides a cryptographic check of the information embossed on the card.

The three-digit number is derived from the card account number by means of an algorithm and a “seed.” It is possible to have repeat numbers, about every 900 cards there is a repeat. There would never be a number of all zeros or all zeros and a single one.

The card security value is printed on the signature panel on the back of Visa cards immediately following the Visa card account number or on the front of American Express cards just after the account number. 

The Card Security Scheme validates two things:

  • 1) The customer has a card in his/her possession.
  • 2) The card account is legitimate.

 

The card security number is not contained in the magnetic stripe information, nor does it appear on sales receipts. Using the card security scheme helps to prevent merchants from receiving counterfeit cards or being a victim of fraud.

For transactions conducted over the Internet, you may ask cardholders for their CVV2 online. Their Internet screen might include these elements, for example:

CVV1

CVV2

Include CVV2 in Authorization Requests.

Authorization requests must include at least: The account number, expiration date, CVV2 value, and transaction dollar amount.

To learn more about the benefits of CVV2 and CVV2 technical requirements, contact the card association.

How do you use the results?

When a merchant processed their authorization call they will get back a “match” or “no match” response. If they receive a no-match I recommend an auto decline. Merchants should tell the consumer they cannot validate the card security number they submitted, and ask them to call in their order to their call center. This allows the merchant to coach a legitimate consumer to find the card security number.

AdditionalResources

  • Introduction to eCommerce Credit Card Payments.

    Covers the credit card process flow defining each of the "payment players"; reviews payment concepts such as authorizations, settlements, reversals, chargebacks and the credit card association's high risk programs.

  • OVERVIEW OF ECOMMERCE FRAUD PREVENTION TECHNIQUES.

    A core curriculum course providing an introduction to 30 plus fraud prevention techniques; what they are, high level discussion on how to employ them and big picture considerations for using them.

  • The Fraud practice llc.

    Offering a neutral, unbiased, source for information related to setting up and maintaining solutions for online payments and fraud prevention.

keynotes

  • Alternative Solutions - None
  • Building this In-House - Implementing this service as part of the back-end process is not a major initiative, and requires mostly data element changes. Updates need to be made to the front end to allow consumers to input the new data points. Merchants will have to provide some visual aids for the consumer.
  • Estimated Costs - There are no extra costs to run the Card Security Check. You will have to update your website to include the new field and you will have to make sure your payment processing software, processor and acquirer support it. 
  • Sample Vendors -