A Card Security Code Can Help You Protect Customers & Prevent Chargebacks
Most merchants already make it a policy to request the customer's card security code for all card-not-present transactions. However, you may be wondering why you’re supposed to ask for this number. Let’s have a look at how these codes work…and even more importantly, the situations where they might not work.
What Is a Card Security Code?
The debit or credit card security code is a 3- or 4-digit number that helps authenticate transactions where there is no physical card present, such as an online order. It was designed as a method to verify that the authorized cardholder is participating in a purchase, even if you can't see the card or the cardholder.
Card security codes were instituted in the late 1990s and early 2000s in direct response to the growth in online shopping. Mastercard was the first company to adopt them in 1997, followed by American Express in 1999 and Visa in 2001. Today, including card security codes on credit and debit cards is standard procedure for all major card issuers.
The codes vary according to the network, and each network has its own name for the security feature:
- Visa: Card Verification Value 2 (CVV2)
- Mastercard: Card Validation Code 2 (CVC2)
- Discover: Card Member ID (CMID)
- American Express: Card Identification Number (CID)
The original version of the security code (CVC1/CVV1) was programmed into the magnetic stripe on the back of the card, and electronically read whenever the card was swiped. The problem is that from the card reader's perspective, an accurate duplicate of a stolen card was indistinguishable from the original.
Now the number (CVC2/CVV2) is neither encoded nor embossed, but simply printed on the card. Mastercard, Visa, and Discover place their three-digit card security code on the signature stripe on the back of the card. American Express prints it's four-digit card security code above the embossed account number on the front of the card.
It's time to fight back against chargeback fraud. Learn how.
Fraud Protection for Consumers and Merchants
Regardless of which card a customer has, the card security code serves the same purpose: to safeguard cardholders from fraud, particularly for card-not-present transactions.
You typically collect the card security code at the time of the transaction along with the credit card number and expiration date. This information is manually entered and immediately transmitted to the card's issuing bank for authentication. If the bank doesn't approve the code, then the transaction should be instantly cancelled.
As you can see, even if a fraudster had access to other account information, it would be difficult to use without the CVV code. Cardholders are provided with an additional layer of protection against fraud, which helps them feel more secure when using a credit or debit card. In turn, you enjoy an extra layer of defense against potential losses traced back to criminal fraud.
Substantiating a transaction with a card security code greatly increases the probability that the cardholder is placing the order, which makes this security feature a great chargeback prevention tool. While you’re not required to ask for card security codes, transactions processed without verification have a higher risk of chargebacks.
Because the number is printed on the card, the individual completing a sale would be in physical possession of the card. In theory, only the cardholder would have access to the card verification value, so any transaction that is successfully completed with this information poses a lower threat of criminal fraud.
Even if a chargeback is filed, a transaction with a validated card security code offers compelling evidence that you performed due diligence before accepting the card. Verifying the CVV code can be a powerful representment tool in cases of unauthorized transaction chargebacks.
Best Practices for Using Credit Card Security Codes
Under normal conditions, you should not need to request a debit or credit card security code for card-present transactions. Particularly now that chip cards are more the rule than the exception, reading a physical card electronically should be enough to validate most transactions.
Card-not-present transactions, such as online or phone purchases, are different. Most customers expect you to ask for the CVV code these days; not doing so may even come across as shady or suspicious. Still, some customers may be uncomfortable giving out their CVV codes, even when making a legitimate purchase. You need to assure those clients that supplying the card security code is in their best interest.
Following best practices in card acceptance can help bolster confidence. It may help to remind customers that you have no way to save the card security code once the transaction is complete.
This means that the user's card is secure in the event of a data breach. While other card data may get hacked, the CVV code is not stored, so fraudsters won’t have everything they need to use the stolen information. Even if the card is kept on file for future purchases, you can only use the code for the initial transaction; it must be deleted immediately afterwards.
Limitations of Card Security Codes
Despite their effectiveness, credit card security codes still have limitations, particularly when it comes to protecting you.
While it is a good practice to require the CVV code for every card-not-present transaction, it cannot completely eliminate chargebacks. There are several situations when even a correctly entered credit card security code might not prevent a consumer from filing a dispute:
- The card was lost or stolen. If fraudsters gain possession of the physical card, they'll have the card security code in plain sight.
- The cardholder is committing friendly fraud. Recording the CVV might not be enough to stop a user from intentionally making a purchase and filing a chargeback later to get something for free (a practice known as “cyber shoplifting”).
- The cardholder is unaware of authorized purchases. A friend or family member may have the information—including the CVV code—to make an authorized purchase, but if the cardholder contests the transaction, a chargeback could still be upheld.
- The cardholder doesn’t feel obligated to pay. Users may know who made an apparently legitimate transaction, but then still file a chargeback, arguing that the charge is their responsibility because they did not make the purchase themselves.
Consistent use of credit card security codes will almost certainly lower the overall number of chargebacks, but merchants shouldn’t rely on this fraud protection mechanism as their sole chargeback defense.
Card Security Codes: One Aspect of Chargeback Management
Credit card security codes are an important criminal fraud protection mechanism, as well as part of a larger, multi-tiered chargeback management strategy.
A policy of requesting card security codes for card-not-present transactions is a significant step towards detecting and preventing fraud. Of course, this should still be combined with other fraud prevention techniques, as well as a consistent chargeback representment plan to maximize your efforts.
If you’d like to take your chargeback defense to the next level, we can help. Talk to us about a custom ROI analysis.