While EMV chip cards were designed to reduce card-present fraud, combatting card not present (CNP) fraud remains a problem for merchants and issuers. New technologies have been introduced to combat CNP fraud, but none have gained traction. Here’s why they haven’t worked, and what the future may hold.
EMV and Card Not Present Fraud
The US migration and conversion to EMV has been very successful at reducing counterfeit fraud. As a result, fraudsters have focused attention on e-commerce and card not present (CNP) transactions.
Typically, a merchant or retailer requires only an account number, name, expiration date and a card’s CVV number. The three-digit code on the back of credit cards – the CVV – helps ensure that the individual making a transaction is indeed the cardholder. However, fraudsters have found ways to gain access to CVV numbers via phishing attacks, key loggers and other tricks that steal the information directly from a cardholder.
To combat such fraud, card manufacturers have created dynamic, or changing, CVV codes. By constantly changing the code, it becomes impossible for someone to know the number without holding the physical card.
Dynamic CVV Challenges in Penetrating Markets
The use of a dynamic CVV can only happen by adding a ‘display’ to the card that shows the changing value. Adding this technology to a plastic card has several key challenges. One challenge for card makers to penetrate the market with dynamic CVV stems from the price of creating a battery-powered card, which increases issuer card costs by 200-400 percent.
When first introduced, battery life wasn’t long enough to reach a card’s expiration date, and readability of the code was problematic. Today, those issues have been widely resolved:
• The battery recharges at the point-of-sale (POS).
• The battery doesn’t drain when the card is not in use.
• CVV code numbers have been enlarged for easy readership.
Solving the battery issue was a strong first step toward acceptance. However, systematic and processing issues still exist. These include the lack of industry standards and global inter-operability that is necessary for a new payment scheme to be successful. The reason that magstripe and EMV/chip technologies have been successful is because there was a global standard that issuers, merchants and processors all accepted and utilized. The same will have to happen for card-based dynamic CVV to gain traction.
Other operational challenges include synchronizing the rotation of the code numbers and how merchants submit their transactions for processing. The optimal window of rotation to prevent fraud is narrow – less than 30 minutes, for example. However, some merchants still batch their transactions, which means a longer window of code rotation would be required.
The Essence of the Dynamic CVV Dilemma
The failure of a card-based dynamic CVV to gain traction is a business case issue. Why would an issuer absorb the additional cost per card when the burden of mitigating CNP fraud falls on merchants? Regardless of how “cool” a technology appears, if the business case cannot be proven, the technology won’t move beyond its pilot stage.
Costs should reside with the key beneficiaries of technologies. As an example, tokenization places the cost of sending authentication tokens in the lap of merchants, where it makes sense.
A Better Alternative
Integrating dynamic CVV into mobile banking apps seems to be the most promising way forward for the technology. When making online transactions, the utilization of a token or dynamic CVV is a much more cost-effective way to accomplish the desired result. Several tier-one banks have already successfully introduced this technology.