In The News

Customer Quotes

"The Fraud Practice is a world-class credit card fraud mitigation consulting practice."

Kevin Mitnick, President Mitnick Security Consulting LLC

For Email Marketing you can trust

Fraud Blog Subscribe in a reader

ACH Processing

Advertisement

Consulting Services
Mr. Montague  is the founder and President of The Fraud Practice. He has spent the last fourteen years in the information technology industry.
Read more
Fraud Library
Looking for information on fraud prevention techniques, solutions and best practices. The fraud library is your first stop to find free research.
Read more
Fraud in the News
A series of news feeds and articles of interest to fraud professionals.
Read more

Card Security Schemes - Fraud Library

The Fraud Practice eCommerce Fraud Consulting Services

The CV number is a tool for merchants to verify that the consumer is in possession of the card. This helps to prevent fraud in which the fraudster may have acquired the credit card number in the trash or online, but is not in possession of the physical card so they cannot give this extra set of numbers. This number is a three or four digit number located either above the credit card number for American Express cards or on the back for MasterCard and Visa.

Google

Even if you don't actually verify the card security code, just asking for it is an effective fraud deterrent ...

The CV number is a tool for merchants to verify that the consumer is in possession of the card. This helps to prevent fraud in which the fraudster may have acquired the credit card number in the trash or online, but is not in possession of the physical card so they cannot give this extra set of numbers. This number is a three or four digit number located either above the credit card number for American Express cards or on the back for MasterCard and Visa.

These numbers have been in place for a while, and have been slowly adopted by merchants. You are more likely now to be asked for this number when you are trying to complete a MOTO transaction than a year and half ago. The Discover card was one of the last cards to implement this technology. At this time all of the issuing and acquiring banks should support this technology, but a few smaller holdouts may still exist.

How Good Is It? 

Implementing card security checks, such as CV, CVV2 etc., has shown the ability to reduce the number of fraudulent attempts. It has also shown that it will cause a nominal reduction in sales conversion for online transactions. Merchantsdo not have to actually check the card security number to get the reduction in fraud attempts. Merchants should expect an increase in call center calls when they implement card security for the first time. The use of card security schemes by merchants is on the rise but the vast majority of merchants still do not use card security. MOTO has had a higher take-up on card security schemes than e-commerce. 

  • In the UK, card security schemes are not even recommended for use by e-commerce merchants by VisaEU.
  • The intent of card verification is to attempt to verify that the consumer using the card is in possession of the card.
  • Good for catching fraudsters attempting to use stolen credit card information from online or through other means like the trash, or through other card activity.
  • Good at catching fraudsters who gained access to cards via skimming.

  • Adoption of card verification has increased dramatically in the last 12 months, call center-based operations have picked up the use more heavily than e-commerce.

  • Blog: Will requiring Card Security numbers lower sales conversion?

Considerations When Implementing or Buying This Functionality  

  •  When a merchant implements this check on their website they will have to change their credit card submittal screen to show a picture of the credit card and where to find this number because a lot of consumers have no idea what this number is. It can cause some confusion and some additional customer service calls to complete an order. ·         Does not actually verify that the cardholder is making the purchase.

  • Not all consumers understand what this number is on their card.
  • Make sure all payment processors or banking institutions in use for payment support the card security check data elements.

Estimated Costs – There are no extra costs to run the Card Security Check. You will have to update your website to include the new field, and you will have to make sure your payment processing software, processor and Acquirer support it. 

Alternative Solutions – None

Vendors – Any banking institution

How Does it Work? 

The card security code is a three- or four-digit value. It has been implemented as a security feature to help stop counterfeit cards, and use of card numbers without the physical card. The value provides a cryptographic check of the information embossed on the card.

      The three-digit number is derived from the card account number by means of an algorithm and a “seed.” It is possible to have repeat numbers about every 900 cards there is a repeat. There would never be a number of all zeros or all zeros and a single one.

     The card security value is printed on the signature panel on the back of Visacards immediately following the Visa card account number or on the front of American Express  and Discover cards just after the account number. 

The Card Security Scheme validates two things:

  • The customer has a card in his/her possession.
  • The card account is legitimate.

The card security number is not contained in the magnetic stripe information, nor does it appear on sales receipts. Using the card security scheme helps to prevent merchants from receiving counterfeit cards or being a victim of fraud.

For transactions conducted over the Internet, you may ask cardholders for their CVV2 online. Their Internet screen might include these elements, for example:

Include CVV2 in Authorization  Requests

Authorizationrequests must include at least:

  • Account number
  • Expiration date
  • CVV2 value
  • Transaction dollar amount

To learn more about the benefits of CVV2 and CVV2 technical requirements, contact the card association.

How Do I Use the Results? 

When a merchant processed their authorization call they will get back a “match” or “no match” response. If they receive a no-match I recommend an auto decline. Merchantsshould tell the consumer they cannot validate the card security number they submitted, and ask them to call in their order to their call center. This allows the merchant to coach a legitimate consumer to find the card security number.

Building This In-House 

Implementing this service as part of the back-end process is not a major initiative, and requires mostly data element changes. Updates need to be made to the front end to allow consumers to input the new data points. Merchantswill have to provide some visual aids for the consumer.

Articles 

Requiring the Card Security Code at Checkout could be dropping your sales conversion by 40%???

Property of The Fraud Practice, all rights reserved, no unauthorized duplication, reproduction or distribution without the express written permission of The Fraud Practice.