Preventing fraud is a priority for merchants and customers alike. When a customer pays using a credit or debit card, procedures are in place to ensure the transaction is not fraudulent. The card itself has multiple features built into its design. Recognizing and understanding these features allow merchants to identify fake credit cards. One of the most common security features is the credit card CVV code.
Depending on the credit card type and provider, the code may be called any of the following terms:
- Card Verification Value (CVV or CVV2)
- Card Verification Data (CVD)
- Card Verification Code (CVC or CVC2)
- Card Code Verification (CCV)
Where are CVV codes located?
CVV codes are found in a different location, depending on the type of credit or debit card:
- American Express - The code is located on the front side of the card, above the card number. It is four-digits long.
- Discover, MasterCard, and Visa – The three-digit code is located next to the signature panel on the back of the card.
A three-digit CVV code on the back of a credit card.
How do CVVs protect against fraud?
CVV codes are designed to prevent fraud during card-not-present (CNP) transactions. When a merchant requests a CVV number, it ensures that the customer physically has the card in their possession. When a payment is being made online or over the phone, collecting a CVV code is critical. It prevents identity thieves from being able to carry out a transaction. Without the card in their possession, they will not be able to provide the CVV code to the merchant. Sometimes, these codes are also used for card present transactions, to prevent fraudulent employees or merchants from capturing card details when accepting payments and using them later on.
According to global PCI DSS standards, it is forbidden for merchants to store CVV numbers. Doing so can result in hefty fines or cancellation of merchant facilities by the acquirer or payment processor. These standards increase the protective power of the CVV code, ensuring it doesn’t get into the wrong hands.
Can transactions be authorized without a CVV number?
CVV numbers are not required in order to carry out a transaction – they are simply an extra security measure. Because of this, some online merchants choose not to capture CVV codes for fear of reducing conversions.
This is a mistake, as CVV codes are an important line of defense against fraud. There are some payment types that require a CVV code for one-off payments. For a recurring payment, it will only be required for the first payment in the series.
Here are the steps a merchant takes when processing a card-not-present transaction with a CVV code:
- The merchant captures credit card information from the customer. At this stage, they can choose whether or not to request the CVV code. If they do, they usually refer to it as ‘the last three digits on the back of the card’, which is a more commonly known reference than ‘CVV’.
- The merchant sends the card details, including the card number, expiration date, cardholder name and address, and optionally the CVV code, to the acquiring bank, for authorization. Together with the authorization request, the merchant adds a CVV indicator – a number indicating whether or not a CVV code is being included. The CVV number is not stored by the merchant.
- The acquirer sends the authorization request to the credit card association (Visa, MasterCard, American Express etc.).
- The credit card association sends the request to the card issuer.
- The card issuer decides whether to approve or decline the transaction, sending back the response in the same way it arrived— through the credit card association and acquirer, and then back to the merchant. If a CVV code was included, a CVV response code will be returned, detailing whether or not the CVV code was a match. If it was not a match, or if it was missing, the merchant can decide whether or not to proceed with the transaction.
CVV codes are a first step towards mitigating the risk of online fraud. For CNP transactions, capturing a CVV code is the best way to confirm that the customer has the card in their possession, thus reducing the risk of fraudulent transactions using stolen card information.