Unlike their offline counterparts, Internet retailers have not benefited from recent declines in overall U.S. credit card fraud rates. In fact, credit card fraud online is rising. Meridien Research Inc. estimates that fraud losses last year on Internet payments topped $1.6 billion and would have reached $2 billion if some fraud detection systems had not been in place already.
As most e-merchants know (although a surprising number do not), Internet purchases are considered card-not-present transactions. Thus the online merchant, and not the card-issuing bank, bears 100% of fraud losses—even when the credit card issuer has authorized the transaction.
To fight card fraud—both online and off—the card associations have come up with an additional security measure: the card verification number, or CVN. MasterCard introduced its CVN, CVC2, way back in 1993, and Visa followed soon thereafter. The CVN typically appears on the back of the card in the cardholder signature panel. The intent was that these numbers could be requested by merchants to verify cardholders were indeed who they said they were, since they would have the card in-hand when making an online purchase. The card companies hoped these numbers would reduce the problem of criminals using compromised and generated credit card account numbers fraudulently online.
After nearly a decade, CVNs are now a mandatory component in the transaction processing flow. Visa and MasterCard both have CVNs encoded on the magnetic stripe as an additional security feature to protect their issuers from counterfeit card fraud. Visa calls this feature CVV1, or card verification value 1, while MasterCard named this feature CVC1, for card validation code 1. Issuers verify these numbers during an authorization request when the card is physically present and the magnetic stripe is read at the point of sale.
Multiple uses
For card-not-present transactions and for the protection of card-accepting merchants, CVNs are also printed on the back of Visa, MasterCard, Diners Club and Discover cards. American Express puts its CVN on the front and the back of the card. Visa calls this number CVV2, MasterCard calls it CVC2, while Diners Club calls it card verification value or CVV. Discover calls this the Cardmember ID, or CID, while American Express calls it the card identification number, also known as CID. Last year, American Express also began issuing cards with a card security code, or CSC, in addition to its CID.
In addition to attempting to verify the customer actually possesses the card in an Internet or other card-not-present transaction, issuers use CVNs for various purposes. Each of these uses, however, provides additional opportunities for fraudsters to capture, retain, and reuse the CVNs. Some issuers use CVNs during referral authorizations in point-of-sale transactions to verify a counterfeit card is not being used. Some use the CVN to verify that they are talking to the true cardholder during a change of address request. Many issuers employ voice response units and automated response units to provide account information to their customers over the phone. CVNs are sometimes used as a verification that the cardholder is in possession of the card.
The most recent, prevalent, and, arguably, the most important use of CVNs is merchant verification of the customer as the cardholder. Merchants do so to reduce their chargebacks by verifying the person they are interacting with on the phone or over the Internet actually possesses the card.
Here’s how the CVN verification process works for merchants: The customer (or the merchant on the customer’s behalf) enters the CVN in a web, mail, or phone order; the merchant requests verification of the CVN in the authorization request; the issuer verifies the accuracy of the CVN provided; the merchant (not the issuer) then has the responsibility of determining if the transaction will continue.
Although this process is simple enough, some scenarios can make it difficult for merchants to use CVNs. These include keying errors or CVNs that are covered up by the cardholder’s signature—either accidentally or maliciously. Another is customer confusion over exactly what the CVN is and where it is located. Merchants can overcome the confusion by presenting a visual of the back of the card and circling the number that they are requesting.
Overcoming obstacles
Another obstacle to adoption is that most online merchants are reluctant to put another step on the path toward completing a transaction for fear that customers will find the process too cumbersome and bail out. Merchants can overcome customer resistance by pitching the added step as a security measure to protect the customer, leveraging the general concern that using credit cards over the Internet is risky. Or they could request the CVN only when the transaction is identified as high risk by an advanced statistical scoring service. In that case, the merchant would send the transaction out for fraud prevention scoring and if it comes back with a high fraud score, ask the customer for the CVN. Such scoring takes less than 5 seconds and would not significantly slow the transaction from the customer’s point of view. The drawback is that an additional authorization costs money, but the reduction in fraud and reduced customer impact may be worth it.
Another problem arises when a customer mis-types or can’t read her CVN. In that case, merchants who provide her with another attempt to get the code correct will be giving fraudsters a tool to reverse engineer the actual CVN. Some merchants are placing the mismatches into an exception file that can be followed up on an individual basis by customer service or risk management departments. This is an expensive, manual process, but works well if error rates are sufficiently low.
This scenario illustrates the inherent limitations of security devices such as CVNs: They either match or they don’t. There will be fraudulent transactions that will receive a match response and legitimate transactions that receive a non-match response. CVNs are best employed as a piece of information to be fed into more advanced statistical models that weigh their impact together with the absence, presence, or sequence of hundreds of other relevant variables.
MasterCard and Visa provide additional incentives for merchants to use CVNs. These include the potential for reduced discount rates and some minimal chargeback/re-presentment rights.
Visa and MasterCard have special interchange categories, called Incentive Interchange Rate Programs, that they use to determine the applicable interchange rate. The interchange rate is a fee paid to the issuing bank by the acquiring bank and is usually passed on to merchants as part of the discount fee. There are numerous factors that drive interchange fees: speed, risk, processing, float and marketing are just a few.
In October and November of this year Visa is introducing two new Custom Payment Service categories: e-commerce basic and e-commerce preferred. Whether it is Visa’s Custom Payment Services programs or MasterCard’s Merit programs, the message is the same for e-merchants: provide the information in the transaction/authorization fast enough to qualify for the most advantageous interchange rates.
If the card issuer fails to respond to a CVN request, the merchant’s acquirer has the right to re-present a chargeback on the merchant’s behalf, stating the issuer did not validate the CVN information and therefore did not allow the merchant to utilize industry standard security measures.
Mandates
In an effort to fully implement CVN checking, both MasterCard and Visa have recently mandated participation by issuers, processors, and acquirers. Merchant participation is voluntary. Absent from the list of entities covered by the mandate are transaction processing vendors, e-commerce transaction processing platforms, gateways, and other transaction facilitators that sit between the merchant and the acquirer in the transaction processing flow. This is because these non-member processors are not within the scope of MasterCard’s and Visa’s mandates. The business and information technology decisions of these non-member processors will clearly impact their client merchants’ ability to benefit from CVNs.
Of course, any merchant will want to run a cost/benefit analysis of adopting CVNs. Among the costs a merchant will want to take into account are:
On the benefit side, of course, is the opportunity to reduce fraud and chargebacks. The card companies monitor each merchant’s volume of chargebacks. If the merchant’s chargeback volume is deemed excessive, the merchant’s card acceptance rights can be terminated. All the associations take chargeback volumes seriously; for example, Visa, effective Nov. 1, will cut the acceptable chargeback rates in half for its Global Merchant Chargeback Monitoring Program.
An added benefit may be the opportunity to salvage some transactions by proceeding with seemingly risky transactions that the merchant might have denied before. While most people would assume that all transactions would be approved, I assume that some legitimate ones would be denied and thus these procedures would save them.
The bad news
While CVNs are finally gaining widespread use, fraudsters are quickly adopting new methods to get around security checks. The Internet is providing a virtual automation tool that was unavailable in the physical world. Some web sites allow customers to enter their transaction information with no limit on the number of attempts.
This “customer service” feature allows the criminals to enter the number over and over again until they get it right. With the use of electronic wallets or scripts, fraudsters can automate this attack until they get a valid number. Probably the most limiting feature of the CVNs is the fact that they are clearly printed on cards. Thus, they are easily compromised at the point of sale.
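Both the retry problem described under "Overcoming obstacles" and the unlimited-attempt weakness above are addressed by capping CVN mismatches per card and sending the overflow to an exception file. The sketch below is an added example, not code from the article; the class name, the demo key, the one-mismatch default and the 24-hour window are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo key (assumption); load a real one from a secret store.
PAN_KEY = b"demo-key-not-for-production"


class CvnMismatchGuard:
    """Caps CVN mismatches per card; overflow goes to an exception file."""

    def __init__(self, max_mismatches=1, window_seconds=24 * 3600):
        self.max_mismatches = max_mismatches    # 1 = no second guess
        self.window_seconds = window_seconds
        self._mismatches = defaultdict(deque)   # card token -> timestamps
        self.exception_file = []                # for customer service / risk

    @staticmethod
    def _token(pan):
        # Keyed hash of the card number: the tracker never holds the PAN,
        # and the CVN itself is never stored.
        return hmac.new(PAN_KEY, pan.encode(), hashlib.sha256).hexdigest()

    def _recent(self, pan, now):
        stamps = self._mismatches[self._token(pan)]
        while stamps and now - stamps[0] > self.window_seconds:
            stamps.popleft()                    # forget mismatches outside window
        return stamps

    def may_attempt(self, pan, now=None):
        """Check before sending an authorization request with a CVN."""
        now = time.time() if now is None else now
        return len(self._recent(pan, now)) < self.max_mismatches

    def record_result(self, pan, order_id, cvn_matched, now=None):
        """Map the issuer's CVN answer to 'continue', 'retry' or 'manual_review'."""
        now = time.time() if now is None else now
        stamps = self._recent(pan, now)
        if cvn_matched and len(stamps) < self.max_mismatches:
            return "continue"
        if not cvn_matched:
            stamps.append(now)
            if len(stamps) < self.max_mismatches:
                return "retry"
        token = self._token(pan)
        self.exception_file.append({"card": token[:12], "order": order_id, "at": now})
        return "manual_review"
```

Because the counter is keyed on the card rather than on the session or IP address, a script that opens a fresh session for each guess still runs into the same limit.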
A low-tech approach
To get past CVN security, card fraud now combines skimming techniques with identity theft for e-commerce transactions. The new fraud typically follows this scenario: