Card Security Codes: A Crucial Anti-Fraud Measure for Merchants & Cardholders

You know that little numeric code on the back of your credit or debit card? Ever wonder how important that code is?

That number is called a card security code. It’s a safety feature designed to boost shoppers’ security while protecting merchants from fraud and chargebacks.

Most merchants already make it a policy to request the customer's security code for all card-not-present transactions. Some still skip this vital security check, though.

Let's have a look at how these codes work. And, even more importantly, the situations where they might not work.

What is a Card Security Code?

Card Security Code: A debit or credit card security code (sometimes known as card verification value) is a 3- or 4-digit number that helps authenticate transactions in which there is no physical card present, as in an online order. It was designed to help sellers verify that the authorized cardholder participates in a purchase, even if they can't physically see the card or the cardholder.

Card-present transactions do not require a card security code. Authenticating data is retrieved when the card is swiped, inserted into an EMV chip reader, or ‘tapped’ against a contactless payment terminal.

However, in card-not-present transactions, the purchase is being made online or via telephone. The merchant can’t authenticate the buyer’s identity in person. Therefore, CNP sellers use card security codes to try and verify that the cardholder is in possession of the card and is the person on the other end of the transaction.

Everything You Need To Know A Beginner’s Guide to Chargebacks

Chargebacks can wreak havoc on your cash flow and profitability. This FREE paperback book is your guide for preventing chargebacks and, when they happen, fighting them more effectively.

Send Me My Free Paperback Book!

Where Do I Find My Card Security Code?

Card security codes vary according to the network branded on the card. Each network has its own name for this security feature and may place the code in a different spot on the card:

The original version of the security code (CVC1/CVV1) was programmed into the magnetic stripe on the back of the card. It could be electronically read whenever the card was swiped. From the card reader's perspective, the problem is that an accurate duplicate of a stolen card was indistinguishable from the original.

The number (called a CVC2 or CVV2, depending on the card brand) is neither encoded nor embossed but printed on the card. This makes it harder for fraudsters to capture this code.

Card Brand	CSC is called…	Number of digits	Location
Visa	Card Verification Value 2 (CVV2)	3	On the back of the card, just to the right of the signature box
Mastercard	Card Validation Code 2 (CVC2)	3	On the back of the card, just to the right of the signature box
Discover	Card Security Code (CSC)	3	On the back of the card, just to the right of the signature box
American Express	Card Identification Number (CID)	4	On the front of the card, to the right of the card number.

Another option is to employ a dynamic security code, with technology built into the card that changes the security code regularly (i.e., hourly).

How Do Card Security Codes Work?

CSCs are verified using encryption technology during checkout. Although they get transmitted along with other transaction data, the merchant does not keep a copy of the CSC on file. So, even in a data breach, criminals would not get a copy of this number.

Card security codes help verify that the person on the other end of a transaction is, at least, probably in physical possession of the credit or debit card. In theory, only the cardholder would have access to the card security code.

While credit and debit card credentials are sold over the internet every day, most fraudsters lack the physical card data required to bypass this step. So, this measure helps ensure that a transaction is far less likely to be fraudulent.

However, some merchants still have not adopted this measure as mentioned above. Many of these sellers are reluctant to add additional steps to their checkout process.

Although traditional logic might encourage merchants to simplify the buyer’s journey as much as possible, card security codes are designed to protect both cardholders and merchants. The extra layer of protection that CSCs provide can make a big difference in the security of card-not-present transactions.

Cardholders sharing codes on a person-to-person basis is never a good idea. There are some instances where it’s okay to share your card security code.

For example, if you’re making an online purchase via a secured page or website, it is usually safe to share that information with the merchant. When making a purchase with a merchant directly over the phone, it is also safe to share your CSC, as the merchant won’t save the information. It’s only being used to verify your identity and will be discarded afterward.

On the other hand, fraudsters are pretty skilled at impersonating trusted parties. One may contact a cardholder, pretending to be a legitimate merchant or a representative from the bank or the card network. Phishing attacks also pose the risk of fraudsters creating dummy eCommerce sites that trick people into entering their information.

Merchants: A dynamic, multilayered strategy is the only way to stop fraud and chargebacks. Learn more today.

As we mentioned above, sometimes scammers already have credit card numbers ready to go. The only thing they lack is the card security code.

Cardholders should always try to verify who they’re speaking to or ordering from. They should never provide a card security code to someone who can’t identify themself or who operates from an unsecured website.

Another thing to note, cardholders never have to worry about fraud so long they catch it in time. Many banks offer zero-liability guarantees for credit card fraud. Merchants don’t enjoy the same protections, but we’ll delve more into that later.

Limitations of Card Security Codes

Despite their effectiveness, card security codes still have limitations. This is particularly true when it comes to protecting merchants. While requiring the CSC code for every card-not-present transaction is a good practice, it cannot eliminate the risk posed by fraud and the resulting chargebacks.

There are several situations in which a buyer can enter a credit card security code correctly, but the transaction still leads to a chargeback:

The card was lost or stolen by a bad actor:

If fraudsters gain possession of the physical card, they'll have the code in plain sight. They can use your cardholder information to make unauthorized purchases.

The cardholder is unaware of authorized purchases:

A friend or family member may have the necessary information to make unauthorized purchases. The cardholder might then dispute the transaction.

The cardholder doesn’t recognize the charge:

A user may know a legitimate transaction was made but might argue the charge isn’t their responsibility because they can’t recognize it on their statement.

The cardholder is committing chargeback fraud:

Recording the CVV might not be enough to stop a user from intentionally making a purchase and filing a chargeback later to get something for free (aka “cyber shoplifting”)

Consistent credit card security codes will almost certainly lower the overall number of chargebacks filed against a merchant. However, merchants can’t rely on this fraud protection mechanism as their sole chargeback defense.

Innovations in Card Security Code Technology

In this digital age, technology changes in the blink of an eye. New tech is soon outmoded by faster, more complex programs built to remedy failings within older systems. One example of this phenomenon is the onset of mobile wallet technology.

Virtual wallet software and apps, like Apple Pay, were designed to capitalize on preexisting EMV principles. They incorporate biometric and GPS data to verify users in real-time.

Each time a cardholder initiates a purchase with a mobile wallet, the app generates a dynamic security code (also known as a cryptogram or CVV3 token). The cryptogram is a proxy security code that operates as an on-the-go identifier. It takes the place of conventional card security code technology.

In many ways, tokenization is much more secure and up-to-date than traditional CSC technology. It provides up-to-the-moment location data that can prove even more difficult for fraudsters to mimic.

50 Insider Tips for Preventing More Chargebacks

In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.

Get the FREE guide

Best Practices for Using Credit Card Security Codes

New technologies may eventually render card security codes obsolete. In the meantime, though, CSCs should remain a vital tool in every merchant’s eCommerce fraud prevention arsenal.

So, as a well-meaning merchant, how do you bolster customer confidence in your fraud prevention efforts while maintaining a palatable shopping experience? Here are a few best practices that can ensure that cardholders feel comfortable sharing their card data without feeling hassled by the added security:

Secure Your Site

The number one way to help fight fraud and protect your customers is to operate from a secured website. Make sure that your eCommerce platform utilizes an HTTPS interface. Never manually enter customer data into an unsecured terminal or computer.

Don’t Store CSC Data

Whatever CRM or marketing software you use should be limited only to the most general data about your customers. Never save private security information like passwords or card security codes.

Use Additional Fraud Tools

Merchants should never rely on one method for fraud prevention. Card security codes are best used in conjunction with other fraud prevention tools like AVS (Address Verification Service), velocity limits, geolocation, and more. These tools should be backed by fraud scoring to allow for quick and easy decisioning. When in doubt, double up.

Keep Software Up-to-Date

This bears mentioning because it’s an easy one to forget, yet is crucial to your overall fraud prevention efforts. New threats develop constantly, and you can’t secure software that isn’t up to date. It’s imperative that you watch your systems like a hawk and keep them current.

Provide Excellent Customer Service

This may not seem like it belongs here…but we assure you that it does. Making solutions available to your customers at all times goes a long way to diversifying your fraud and chargeback prevention efforts. If a customer feels they can reach out and ask about your security measures, they are more likely to purchase from you with confidence.

Cardholders should also take card security codes seriously. For instance, merchants that don’t require the code may be less secure than others, so buyers should be more wary of these sellers.

It’s important to keep in mind that the extra layer of protection swings both ways. Entering a card security code should be viewed as a positive step, rather than an added hassle. Additionally, it is very important that cardholders never give out their CSC outside the context of a CNP transaction.

Expert Guidance for CSC Transactions

These codes are an important criminal fraud protection mechanism, as well as part of a larger, multi-tiered chargeback management strategy.

A policy of requesting credit card security codes for card-not-present transactions is a significant step towards detecting and preventing fraud. Of course, this should still be combined with other fraud prevention techniques, as well as a consistent chargeback representment plan to maximize your efforts.

If you’d like to take your chargeback defense to the next level, we can help. Talk to us about a custom ROI analysis.

Card Security Code