Unlike their offline counterparts, Internet retailers have not benefited from recent declines in overall U.S. credit card fraud rates. In fact, credit card fraud online is rising. Meridien Research Inc. estimates that fraud losses last year on Internet payments topped $1.6 billion and would have reached $2 billion if some fraud detection systems had not been in place already.
As most e-merchants know (although a surprising number do not), Internet purchases are considered card-not-present transactions. Thus the online merchant, and not the card-issuing bank, bears 100% of fraud losses-even when the credit card issuer has authorized the transaction.
To fight card fraud-both online and off-the card associations have come up with an additional security measure: the card verification number, or CVN. MasterCard introduced its CVN, CVC2, way back in 1993, and Visa followed soon thereafter. The CVN typically appears on the back of the card in the cardholder signature panel. The intent was that these numbers could be requested by merchants to verify cardholders were indeed who they said they were, since they would have the card in-hand when making an online purchase. The card companies hoped these numbers would reduce the problem of criminals using compromised and generated credit card account numbers fraudulently online.
After nearly a decade, CVNs are now a mandatory component in the transaction processing flow. Visa and MasterCard both have CVNs encoded on the magnetic stripe as an additional security feature to protect their issuers from counterfeit card fraud. Visa calls this feature CVV1, or card verification value 1, while MasterCard named this feature CVC1, for card validation code 1. Issuers verify these numbers during an authorization request when the card is physically present and the magnetic stripe is read at the point of sale.
For card-not-present transactions and for the protection of card-accepting merchants, CVNs are also printed on the back of Visa, MasterCard, Diners Club and Discover cards. American Express puts its CVN on the front and the back of the card. Visa calls this number CVV2, MasterCard calls it CVC2, while Diners Clubs calls it card verification value or CVV. Discover calls this the Cardmember ID, or CID, while American Express calls it the card identification number, also known as CID. Last year, American Express also began issuing cards with a card security code, or CSC, in addition to its CID.
In addition to attempting to verify the customer actually possesses the card in an Internet or other card-not-present transaction, issuers use CVNs for various purposes. Each of these uses, however, provides additional opportunities for fraudsters to capture, retain, and reuse the CVNs. Some issuers use CVNs during referral authorizations in point-of-sale transactions to verify a counterfeit card is not being used. Some use the CVN to verify that they are talking to the true cardholder during a change of address request. Many issuers employ voice response units and automated response units to provide account information to their customers over the phone. CVNs are sometimes used as a verification that the cardholder is in possession of the card.
The most recent, prevalent, and, arguably, the most important use of CVNs is merchant verification of the customer as the cardholder. Merchants do so to reduce their chargebacks by verifying the person they are interacting with on the phone or over the Internet actually possesses the card.
Here’s how the CVN verification process works for merchants: The customer (or the merchant on the customer’s behalf) enters the CVN in a web, mail, or phone order; the merchant requests verification of the CVN in the authorization request; the issuer verifies the accuracy of the CVN provided; the merchant (not the issuer) then has the responsibility of determining if the transaction will continue.
Although this process is simple enough, some scenarios can create difficulties for merchants to utilize CVNs. These include keying errors or CVNs that are covered up by the cardholder’s signature-either accidentally or maliciously. Another is customer confusion over exactly what the CVN is and where it is located. Merchants can overcome the confusion by presenting a visual of the back of the card and circling the number that they are requesting.
Another obstacle to adoption is that most online merchants are reluctant to put another step on the path toward completing a transaction for fear that customers will find the process too cumbersome and bail out. Merchants can overcome customer resistance by pitching the added step as a security measure to protect the customer, leveraging the general concern that using credit cards over the Internet is risky. Or they could request the CVN only when the transaction is identified as high risk by an advanced statistical scoring service. In that case, the merchant would send the transaction out for fraud prevention scoring and if it comes back with a high fraud score, ask the customer for the CVN. Such scoring takes less than 5 seconds and would not significantly slow the transaction from the customer’s point of view. The drawback is that an additional authorization costs money, but the reduction in fraud and reduced customer impact may be worth it.
Another problem arises when a customer mis-types or can’t read her CVN. In that case, merchants who provide her with another attempt to get the code correct will be giving fraudsters a tool to reverse engineer the actual CVN. Some merchants are placing the mismatches into an exception file that can be followed up on an individual basis by customer service or risk management departments. This is an expensive, manual process, but works well if error rates are sufficiently low.
This scenario illustrates the inherent limitations of security devices such as CVNs: They either match or they don’t. There will be fraudulent transactions that will receive a match response and legitimate transactions that receive a non-match response. CVNs are best employed as a piece of information to be fed into more advanced statistical models that weigh their impact together with the absence, presence, or sequence of hundreds of other relevant variables.