
3 Numbers Behind eCommerce Payments

Online shopping keeps growing. Transactions that used to happen in a store are moving online, and even when a person picks an item up in a store or restaurant, the order may have been placed beforehand on the web or through the store's app. In many of these transactions, where the cardholder is not physically present, the CVV code comes into play. This blog digs into that code from the perspective of both the consumer and the merchant.


The Codes Explained

In the mid-to-late 90s, payment card companies added this additional data point to help secure transactions made over the phone or online. The code goes by a different name depending on the card brand (the expansions below follow the PCI DSS glossary):

  • Visa: CVV2 (Card Verification Value 2)
  • Mastercard: CVC2 (Card Validation Code 2)
  • American Express: CID (Card Identification Number)
  • Discover: CID (Card Identification Number)
  • JCB: CAV2 (Card Authentication Value 2)

The 3-digit code (4 digits for American Express) is generated by the issuer with a keyed cryptographic function over the account number, expiration date and service code, using secret keys that are held only by the card issuer. The output is then decimalized into a short string of digits. When a card-not-present transaction is authorized, the issuer recomputes the value from the card data and compares it with the one the customer entered; the merchant never needs the key, only the customer's typed code. To further safeguard card data, the Payment Card Industry Data Security Standard (PCI DSS) prohibits storing the code after authorization.

PCI DSS does not prohibit collecting the card verification code prior to authorization of a specific purchase or transaction. It is not permitted, however, to retain the code once the transaction for which it was collected has been authorized.

In other words, the code may be transmitted, and held in memory, as part of the authorization request, but once the transaction has been authorized it must not be stored anywhere: not in a database and not in log files. The standard goes on to specify that the code cannot be stored even if the cardholder asks the merchant to keep it.
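As an added illustration, not code from the original post or from any card network, here is a toy model of the scheme described above: the issuer computes the code with a secret key over the card data, decimalizes the result, and later verifies it by recomputation, while the merchant forwards the code in the authorization request and keeps a record that never contains it. The cipher is an assumption: real issuers use 3DES under a pair of Card Verification Keys, and HMAC-SHA256 stands in here because the page does not specify the algorithm. The key, card number and expiry are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample issuer key. Real issuers derive the code with 3DES under a pair
# of Card Verification Keys (CVKs); the page does not name the cipher, so HMAC-SHA256
# stands in as the keyed function. The shape is the same: a secret key at the issuer,
# keyed output over card data, decimalized to a short code.
ISSUER_CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")

# CVV2 (the printed code) is computed with a fixed service code of 000; the magstripe
# CVV1 uses the card's real service code, which is why the two codes differ.
CVV2_SERVICE_CODE = "000"


def decimalize(hex_string: str, length: int) -> str:
    """Standard decimalization: decimal digits are taken first, in order, then the
    hex letters A-F are mapped to 0-5 and appended; the first `length` digits win."""
    digits = [c for c in hex_string if c.isdigit()]
    letters = [str("abcdef".index(c)) for c in hex_string.lower() if c in "abcdef"]
    return "".join(digits + letters)[:length]


def compute_cvv2(pan: str, expiry_yymm: str, key: bytes = ISSUER_CVK, length: int = 3) -> str:
    """Issuer-side computation. Only the holder of `key` can produce or check the code,
    so a stolen PAN and expiry alone do not give an attacker the CVV."""
    card_data = f"{pan}{expiry_yymm}{CVV2_SERVICE_CODE}".encode()
    tag = hmac.new(key, card_data, hashlib.sha256).hexdigest()
    return decimalize(tag, length)


def issuer_verify(pan: str, expiry_yymm: str, presented: str, key: bytes = ISSUER_CVK) -> bool:
    """Issuer recomputes the code and compares it in constant time."""
    if not presented.isdigit() or len(presented) not in (3, 4):
        return False
    expected = compute_cvv2(pan, expiry_yymm, key, len(presented))
    return hmac.compare_digest(expected, presented)


def merchant_checkout(pan: str, expiry_yymm: str, cvv2: str) -> dict:
    """Merchant side: forward the code in the authorization request, then keep only
    what PCI DSS allows (truncated PAN, expiry, outcome). The code is never copied
    into the returned record, so nothing downstream can persist it by accident."""
    approved = issuer_verify(pan, expiry_yymm, cvv2)   # stands in for the auth request
    return {
        "pan_last4": pan[-4:],
        "expiry": expiry_yymm,
        "approved": approved,
    }
```

The record returned by `merchant_checkout` is the only thing a real system should write to disk or to a log; the code lives in the request and dies with it.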


Merchant’s Choice

Online merchants are not required to ask for the CVV code. They weigh the cost of possible fraud against the benefit of an easier checkout. Liability for a fraudulent charge lands on the issuing bank, the card network, or the merchant, and there is a complex and massive world behind this, including the chargeback process. In general, for a card-not-present transaction it is the online merchant who pays: the charge is reversed and the person whose card was used is reimbursed.

Each merchant must decide how strict to be in accepting orders. Amazon, the king of online retail, does not require the CVV code for many purchases; it asks for it when a card is first entered, and the fraud detection it runs beyond CVV checking is presumably immense. Smaller retailers without that machinery can require the CVV on every order so that fraud does not eat away at their margins, and there are a number of services and software packages merchants can use to reduce fraud.


Card-Not-Present Fraud

Transactions where the card is not physically present are vulnerable to fraud. A criminal only needs to get an order past a checkout page to succeed, and sneaking past that eCommerce goal line is possible with the right data. Even though the code is never supposed to be stored, CVV values turn up in criminal data dumps.

Criminals get this information in a number of ways. Skimming scripts injected into a checkout page (so-called Magecart attacks) or keyloggers on a victim's machine capture the digits as they are typed. Phishing lures people into handing the information over. In the physical world, a card is often taken out of sight and an employee can simply copy the numbers down. And since the CVV is only three digits there are just 1,000 possible values, so if neither the merchant nor the issuer limits failed attempts, an attacker can brute-force the code, or spread the guesses across many merchants so that no single site sees enough failures to block the card.
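To make that last point concrete, the following simulation is an added example, not from the original post: a mock issuer, a set of mock merchants that each cap checkout attempts per card, and an attacker who walks the 1,000-value code space while rotating across merchants. The card number, the secret code and the attempt limits are constructed assumptions. It shows that per-merchant caps alone do not stop the attack once enough merchants are involved, whereas an issuer-side cap on failed attempts per card, which sees every merchant's traffic, stops it after a handful of tries.

```python
import itertools
from collections import defaultdict

PAN = "4111111111111111"                        # constructed sample card
SECRET_CVV = "417"                              # known only to the issuer here
ALL_CODES = [f"{n:03d}" for n in range(1000)]   # the entire 3-digit code space


class Issuer:
    """Authorizes against the secret code. With `max_failures` set, the card is
    locked after that many bad codes, no matter which merchants sent them."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def authorize(self, pan, cvv):
        if pan in self.locked:
            return "declined_locked"
        if cvv == SECRET_CVV:
            return "approved"
        self.failures[pan] += 1
        if self.max_failures is not None and self.failures[pan] >= self.max_failures:
            self.locked.add(pan)
        return "declined"


class Merchant:
    """Each merchant caps attempts per card on its own checkout; merchants share no state."""

    def __init__(self, issuer, max_attempts=5):
        self.issuer = issuer
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)

    def checkout(self, pan, cvv):
        if self.attempts[pan] >= self.max_attempts:
            return "merchant_blocked"
        self.attempts[pan] += 1
        return self.issuer.authorize(pan, cvv)


def distributed_guess(merchants, pan=PAN):
    """Walk the code space, sending each guess to the next merchant that will still
    forward the card. Returns (code_found_or_None, authorization_attempts_consumed)."""
    ring = itertools.cycle(merchants)
    attempts = 0
    for guess in ALL_CODES:
        for _ in range(len(merchants)):
            result = next(ring).checkout(pan, guess)
            if result != "merchant_blocked":
                attempts += 1
                break
        else:
            return None, attempts           # every merchant has cut this card off
        if result == "approved":
            return guess, attempts
        if result == "declined_locked":
            return None, attempts           # issuer-side velocity limit fired
    return None, attempts


def scenario(n_merchants, issuer_max_failures=None, per_merchant=5):
    """Build one issuer and `n_merchants` independent merchants, then run the attack."""
    issuer = Issuer(max_failures=issuer_max_failures)
    merchants = [Merchant(issuer, per_merchant) for _ in range(n_merchants)]
    return distributed_guess(merchants)


if __name__ == "__main__":
    print("10 merchants, issuer never locks:  ", scenario(10))
    print("250 merchants, issuer never locks: ", scenario(250))
    print("250 merchants, issuer locks at 10: ", scenario(250, issuer_max_failures=10))
```

With ten merchants the attacker runs out of checkout attempts after 50 guesses; with 250 merchants, each allowing five tries, the code falls on the 418th authorization because no single merchant ever sees more than two failures. Only the issuer, which sees all of them, is in a position to lock the card after ten.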

One researcher has estimated the price of an average compromised account that includes the CVV code at between $2 and $8. With that data the scam can proceed. Demand for account information that includes the CVV code is high, likely because EMV chip cards have made card-present fraud more difficult and pushed criminals toward card-not-present fraud.


CVV and More to Stop Fraud

Both consumers and merchants are affected by payment card fraud. For the consumer, the first impact is the money lost. Fraudulent charges are often under $10, an amount small enough to go unnoticed. Once the fraud is discovered, the consumer must cancel the card, file a claim, wait for a replacement and then update the card details everywhere they were stored. For the merchant, the impact is the money spent reimbursing the consumer.

The CVV code is a noble attempt to stop payment card fraud, but it is not the only answer. Merchants should follow PCI DSS to lessen the likelihood of fraud; the standard has specific guidelines and requirements for every element of payment card data handling, transmission and storage. Cipher works as a trusted advisor to companies as they follow the PCI DSS standards. Join us for a webinar on PCI compliance.




