Information on Merchant Accounts,
Ecommerce and Credit Card Processing

November 18th, 2008 by Jamie Estep

Why CVV is worthless, and why it’s not!

Filed in: Fraud, Merchant Accounts | 5 comments

CVV or card verification, (also known as CVV2, CVC2, CID) is that small 3 or 4 digit number on the back of your credit card (front for AMEX) that is not encoded on the magnetic stripe, and is designed to help prevent fraud.

CVV

CVV offers a little protection against fraud, but nonetheless should be used whenever possible.

Why CVV is worthless

CVV cannot be written down, ever:

Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database.

CVV can only be used in call centers where the card is directly keyed into a processing system that instantly authorizes the transaction. It can be used on a website where an automatic authorization is made. Other than those two circumstances, it really can’t be used. The fines for storing a CVV number are steep and could easily cost a merchant hundreds of thousands of dollars, not to mention loosing your ability to process credit cards forever.

Just to clarify CVV must not be written down, sent in an email, stored in a database, saved for later in any way, at any time, for any reason!

CVV wears off:
It’s almost like they printed the CVV number in some special fast-fading ink. CVV numbers wear off quickly, and are often unreadable after a month or two. This creates an unnecessary burden for customers who are forced to use their CVV number for a payment. No wonder why 50% of the top 100 retailers don’t use CVV.

The CVV system isn’t always available:
If you’ve ever looked at an error log of an active payment gateway, you you see a mess of CVV not available, not supported, and other non-mismatch errors. The CVV system is definitely not rock-solid at this point, and there’s a potential to lose legitimate business due to these erroneous errors.

It doesn’t guarantee anything:
My biggest complaint, a positive CVV match doesn’t guarantee anything except that whoever placed the order had the card in hand (or wrote down the CVV number). It doesn’t automatically win chargebacks, and it doesn’t remove any accountability for a transaction from the merchant. It is strictly a preventive measure to combat fraud.

Why CVV is still a good system

It’s FREE:
That’s right. Unlike the AVS system, there is no additional fee for using CVV. At the very least, there’s no reason at all not to use CVV for online processing. Whether you want to actually decline transactions based on a CVV response is a different story.

I’ll come straight out and say, I don’t recommend requiring a positive CVV match to approve a transaction. However, if you decide not to require it, I strongly recommend implementing a transaction flagging system forcing transactions with a CVV mismatch to be manually reviewed before shipping. You can easily implement your own system using the response from a payment gateway. Most payment gateways also have additional fraud prevention tools, that will automatically flag these transactions.

It protects against skimming:
It is signifigantly more complicated for a card skimmer to record the CVV number in addition to the magnetic stripe data. In almost all cases, using CVV will prevent fraudulent transactions from skimmed cards.

It works, when it works:
CVV does actually deter and prevent fraud for unattended situations. It can completely eliminate card testing (carding), and does ensure that your customer had the physical card in their hand at some point. The same thing goes for call centers, where there are high fraud percentages because customers still can’t be verified.

The bottom line is that using CVV and requiring it, or flagging mismatch transactions will save you money and will prevent fraud. Use it, if you have the option to!

5 Responses to “Why CVV is worthless, and why it’s not!”

  1. Kyle Howard November 23, 2008 at 7:41 pm

    I wonder how many transactions I really lose by requiring CVV match. I doubt it is many, and to me it is worth it to eliminate the headache and expense of fraudulent charges and chargebacks. I am going to stick with the CVV.

    Cheers!

  2. Eric Oakland November 25, 2008 at 2:35 pm

    Great article, I’m not sure if I lose to many people either on requiring a CVV match, however, I would much rather have it as well, better save then sorry on not using it.

  3. Adedeji Ojuade November 27, 2008 at 5:42 pm

    i dont think cvv2 is a safe method

  4. Merchant Accounts December 9, 2008 at 4:32 pm

    People who have the CVV wear off are using their credit cards WAY too much, lol.

    Personally, I always feel better about doing an online transaction if the site asks for the number on the back of the card. Is it more secure? Maybe not, but it certainly FEELS more secure (I suppose).

    Vic

  5. Marbella Property January 15, 2009 at 5:52 am

    i dont think that cvv2 is a safe!!..