The rise of the Card Security Code


From remote transaction outlier to most vital card data

Over the past 20 years, usage of Card Security Codes (also known as CVC2 or CVV2) has greatly expanded from confirming genuine cardholders to securing eCommerce transactions, eWallet enrollments, and profile management, to name just a few. The Card Security Code has become the initial verification key on which the security of recurring or future transactions depends.

This evolution has rendered the Card Security Code the most important piece of card data.

Until recently, the imprinted CVV or CVC value remained identical during the entire three-to-five-year lifetime of the card.

The advent of the Dynamic Card Security Code at the card level has brought a necessary, overdue technology update.


Little known facts about the Card Security Code

The Card Security Code is a 3- or 4-digit number imprinted on the front or the back of a payment card.

As opposed to other information on the card, the effectiveness of the Card Security Code relies on the PCI-DSS rule prohibiting its storage. Merchants who require the Card Security Code for Card Not Present transactions are prohibited from storing it once the individual transaction has been authorized. Therefore, if a database of transactions is compromised, the Card Security Code will not be among the compromised material and the stolen payment card numbers are rendered less useful.

Even for merchants who charge customers’ payment cards on a recurring basis, the Card Security Code is used to verify the initial transaction and the merchant may rely on this verification for future transactions for which the Card Security Code will not be required.


Increased usage & applications of the Card Security Code


As depicted in the graphic above, with the increasing reliance on the Card Security Code by the eCommerce ecosystem and the payment industry, it has come to be utilized as a nearly universal identifier, and the gatekeeper to downstream services and transactions.

  1. The Card Security Code was originally introduced to secure Mail Orders and Telephone Orders (MOTO) where merchants were unable to physically verify the payment card. The scope of the Card Security Code soon expanded beyond this original purpose.
  2. Initially, eMerchants collected the payment card information from the consumer and transmitted it to the issuer with every transaction and did not store any card information.
  3. Later, merchants began storing the consumers’ payment card information without the Card Security Code and requested it for each transaction to confirm the cardholder was in possession of the card.
  4. As the internet became the primary modality for Card Not Present transactions, customers began to store payment card information on their web browsers and were required to enter the Card Security Code for every transaction to confirm card ownership.
  5. With the introduction of eWallets, the Card Security Code is requested from the card holder at the time of enrollment by the eWallet sponsor (Google, Apple Pay, etc.) and is then requested again when the card holder changes or replaces his/her phone or sometimes after an important phone OS update.
  6. Today the Card Security Code is also used as an identity credential. If the card holder wants to modify an important element of information in his merchant profile (such as email, phone number, or physical address), the provider hosting this data may request the holder’s Card Security Code for the payment card on file as a means of authenticating his identity. For the same reason, a merchant often requires the Card Security Code during an order upon any request to change the delivery address.

The Card Security Code’s critical role in securing Card Not Present transactions, its expansion into user identity verification, and the resulting sharp increase in the volume of CVV verification requests led to the recent introduction of the Dynamic Card Security Code.


Refreshing the Card Security Code for the digital era

Despite their longevity as a security feature of payment cards, Card Security Codes do have limitations and have become vulnerable to technological innovation. For example, the ubiquity of camera-enabled smartphones has made it easier for opportunistic fraudsters to photograph the front and back of a cardholder’s payment card and use it for fraudulent Card Not Present transactions. In most cases the cardholder has no reason to be aware of this theft of card information because the card is still in his or her possession. Moreover, because the Card Security Code is static, the stolen card information can be used and reused for fraudulent purposes until the fraud is discovered by the cardholder or the card issuer.


Now that the Card Security Code has evolved in the digital arena beyond securing CNP transactions to become a trusted identity credential, changing it from a static to a dynamic format at the card level greatly reduces the opportunity for unauthorized reuse. Once the Card Security Code value is updated, issuers can identify older or expired values and decline transactions accordingly.
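The issuer-side check described above, sketched as an added example that is not part of the original article and not any card scheme's actual algorithm. Assumptions: the code is derived per time window with HMAC-SHA256 from a per-card key (a stand-in derivation), and the window length, clock-skew tolerance and look-back depth are illustrative values; the card number and key are constructed test data.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 3600   # assumed refresh period; the article does not state one
SKEW_WINDOWS = 1        # previous window still accepted for card clock drift (assumption)
LOOKBACK_WINDOWS = 24   # how far back an older value is recognised (assumption)


def dynamic_code(card_key: bytes, pan: str, expiry: str, window: int, digits: int = 3) -> str:
    """Derive the code shown during one time window (HMAC-SHA256, HOTP-style truncation)."""
    msg = f"{pan}|{expiry}|".encode() + struct.pack(">Q", window)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(card_key: bytes, pan: str, expiry: str, presented: str, now: float) -> str:
    """Issuer decision: 'approve', 'expired' (an older value) or 'invalid'."""
    if not (presented.isascii() and presented.isdigit() and len(presented) in (3, 4)):
        return "invalid"
    current = int(now) // WINDOW_SECONDS

    def matches(window: int) -> bool:
        expected = dynamic_code(card_key, pan, expiry, window, len(presented))
        return hmac.compare_digest(expected, presented)

    # Only the current window (plus a small skew allowance) authorises a transaction.
    if any(matches(w) for w in range(current - SKEW_WINDOWS, current + 1)):
        return "approve"
    # A value the card displayed earlier is declined and can be flagged as a replay signal.
    stale = range(current - SKEW_WINDOWS - LOOKBACK_WINDOWS, current - SKEW_WINDOWS)
    if any(matches(w) for w in stale):
        return "expired"
    return "invalid"


if __name__ == "__main__":
    # Constructed test data: a well-known test card number and a made-up key.
    key, pan, expiry = b"constructed-demo-key", "4111111111111111", "12/30"
    t0 = 1_700_000_000
    code = dynamic_code(key, pan, expiry, t0 // WINDOW_SECONDS)
    print("at capture time:", verify(key, pan, expiry, code, t0))
    print("five windows later:", verify(key, pan, expiry, code, t0 + 5 * WINDOW_SECONDS))
```

With only three digits, a random wrong value can coincide with an older window, so "expired" is a risk signal rather than proof of replay; both outcomes decline the transaction.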

Though it is now asked to do far more than the use case for which it was originally intended, more than two decades later the Card Security Code remains the most important data on the payment card, and by migrating to a digital format, it is evolving to become even more effective at deterring the use of compromised card data.





Jacques GASCUEL

Co-founder at Freemindtronic SL | Expert in cybersecurity and safety through contactless (NFC) embedded systems

2y

In 2017, I designed products and services that make it possible to secure all types of bank cards that use the #CVV or #CVC security code. Highly effective and without the additional fees associated with dynamic-CVC bank cards, the user no longer needs to have the CVV physically written on their bank card. They can simply erase it. Advantageously, the user no longer needs to save bank card information on e-commerce sites. This has the effect of not becoming a cyber victim of bank card information theft. A #fintech technology available as white label, under patent license. The user stores their bank card information in an #NFC hardware security module and can make online purchases in complete security. They use the module to log in automatically, contactlessly, to their e-commerce account and then also make the bank card payment contactlessly using the module. Secure use cases: the user of this module can thus manage, for example, the bank cards of other people in their care. They can then make payments with the bank card information of third parties (grandparents, persons under guardianship...). Moreover, in the same way, the module also manages authentication cards such as loyalty cards. The latter often include merchants' private credit cards. Thus, in this way, this type of module extends to security for purchases of goods and services from merchants. I wrote an article about the PCI DSS compliance of our solution. https://www.linkedin.com/pulse/cold-wallet-nfc-gestionnaires-de-cartes-bancaires-pci-jacques-gascuel/ It is an effective #GreenTech solution today, compatible with the #EviCypher secret-keeper technology, gold medal winner at the 2021 Geneva international inventions exhibition.
This bank card protection technology is also present in the #Keepser products of the Andorran company Keepser Group, whose founder is Mr. Joseph Collado. #PCIDSS #Cardsecuritycode #MadeinAndorra #MadeinFrance #Safety #Security #Freemindtronic #Contactless #Autologin #Autofill
