Authenticating customers is one of the biggest fraud-fighting challenges for merchants. It gets tougher with every data breach, as stolen card data floods the criminal marketplace. When that stolen data includes card verification values (CVVs), criminals can use the 3-digit codes from the back of the card to appear to be the cardholder. But even when CVVs aren’t part of the haul, fraudsters can often guess them.
That’s why some banks and card issuers are experimenting with dynamic CVVs that change every few minutes or hours. Bank of America, PNC Bank and Worldpay are among the US-based financial institutions that are currently testing or recently tested cards with CVVs that change every few minutes or hours.
Dynamic code verification: cards with CVVs that change
It’s an intriguing idea. A dynamic code verification (DCV) credit or debit card includes a tiny long-life battery, a tiny screen and chip that allow the card to generate a new CVV as often as every 20 minutes. Even if the card number is exposed, any CVV exposed along with it would be useless within minutes our hours. Guessing the current CVV before it expires would be extremely difficult. Cardholders, meanwhile, simply need to enter the current CVV at checkout when they make a purchase.
The benefit of DCV seems clear: less fraud committed with stolen cards and static CVV numbers. But there are potential downsides to DCV that could impact banks, card issuers and merchants. Here are some of the issues that will need to be resolved before DCV can be put into wide use.
DCV cards are expensive
Before EMV was adopted in the U.S., one of the arguments against it was the high cost of the new chip-embedded cards. Each EMV card costs up to $3, much more than a 40-cent non-EMV magnetic stripe card. But DCV cards make EMV cards look like a bargain. Adding dynamic CVV technology raises the cost per card to as much as $15.
There might be other costs, too. Dynamic CVV cards might require banks and card issuers to adapt their systems. That would mean managing and securing processes for DCV and for static CVV cards, which are far more common and will be for the foreseeable future.
DCV cards may lead to failed recurring transactions
DCV could interfere with one of the most convenient features of e-commerce and online bill paying—the ability to have card data on file with a merchant for automatic recurring payments. Nearly 1/3 of Americans’ bills were on autopay in 2017, and more than 18 million Americans use subscription box services. Requiring a new CVV for each month’s transaction could cause these automated transactions to fail. That could lead to service delays, additional costs to merchants to contact customers about their failed transactions, poor customer experience and possible abandonment by customers.
DCV cards might lead to cart abandonment
Consumers who do a lot of shopping online, especially mobile shopping, often memorize their card CVVs. This frees them up to make purchases even if they don’t have the card with them, or to shop in a setting where they’d rather not take out a card, like on crowded public transportation. There are also many browsers and password security programs that will hold card information to autocomplete for easy shopping. Dynamic CVV would interfere with autocomplete functions and make it harder for shoppers who need to look up a new CVV every time they shop. Requiring a fresh CVV at checkout could force shoppers to delay those transactions, cancel them altogether or switch to a different payment method.
DCV systems will be targeted by criminals
While the other possible downsides of DCV implementation are just that—possibilities—there’s no question that hackers will try to exploit DCV technology. That’s simply what criminals do whenever a new payment technology is introduced. And while frequently changing CVVs seems like it would do a lot to reduce fraud, fraudsters could adapt existing data theft techniques to get around it.
For example, formjacking attacks on merchant websites can capture payment data including CVVs and send it to criminal-controlled servers. If the CVVs are good for another couple of hours, criminals could have a window to make fraudulent purchases.
DCV isn’t new technology
At least one EU-based company, Oberthur Technologies, was offering cards with dynamic CVV technology in 2014. Its cards were tested by two French banks in 2015. Going even further back, NagraID Security was offering dynamic CVV card technology in 2011, partnering with MasterCard on a plan to introduce the cards to the U.S. consumer market. It’s not clear why those early efforts didn’t lead to widespread use of DCV, but at least some of the hurdles above likely played a role.
Where DCV fits into the fraud-fighting ecosystem now
It’s too early to say with certainty if DCV will ever be widely adopted. Based on previous trial runs, plus the hurdles of cost and checkout friction, DCV might become one layer of fraud-fighting protection among many, rather than the big solution to CNP fraud.
For now, merchants should keep an eye on financial institutions’ DCV test runs and make note of cart abandonment rates as well as fraud-prevention results from those tests. If DCV can provide fraud protection without prohibitive costs and higher cart abandonment rates, it may become a practical option for thwarting CNP fraud.