dCVV2Could Dynamic CVV Codes be the Solution for Card Fraud?

October 14, 2022 | 11 min read

dCVV2 dynamic cvv code

In a Nutshell

CVV codes have provided an added layer of security to CNP transactions for more than a decade… but they are far from perfect. Are dynamic CVV codes the upgrade we need? This article will explain what dCVV2 codes are, how they differ from static CVV codes, plus their benefits and shortcomings.

dCVV2: A Game-Changing Antifraud Technology or Just a Payments Industry Buzzword?

Since their introduction in 1995, card security codes (also known as a CVV or CVC) have helped protect millions of transactions worldwide.

In an increasingly digitized economy, these three- to four-digit numbers serve as an added security hurdle between fraudsters and your bottom line. They’ve proven to be a critical fraud detection tool. However, static CVV2 codes have one key weakness: they can be replicated if exposed.

This is where dynamic CVV2 (or dCVV2) technology comes into play.

Dynamic codes are randomized, with a digital display generating a new code with each use. A static code is never stored in the card or the user’s digital wallet. Thus, it’s basically impossible to steal or replicate this information. 

But, while that sounds great, there are still a few caveats to consider. So, just how effective will dCVV2 be against fraud once it finally rolls out to the market at large? Also, how might it help — or hurt — your business? 

What is a Dynamic CVV?

Dynamic CVV (dCVV) Code

[noun]/dī • nam • ik • cē • vē • vē • kōd/

dCVV2, or a dynamic CVV2 code, is a technology that allows cardholders to enter a dynamic (or changing) CVV code at the time of checkout. Rather than rely on the static 3- or 4-digit code printed on a physical card, the customer can enter a code that changes on a frequent basis. This offers greater protection against criminal fraud.

The first CVV codes were issued as a direct response to the growth in online shopping. While it was relatively easy to validate buyers in a card-present environment, merchants and cardholders never meet face-to-face in a phone or online purchase.

The inclusion of card security codes on payment cards provided an additional roadblock to stopping potential fraudsters. A buyer would need to have access to the card number, expiration date, and this additional security code to validate a transaction. While it was not foolproof, CVV codes at least introduced an additional roadblock to stop fraud.

New technologies may present new challenges. Make sure you’re ready.REQUEST A DEMO

Dynamic CVV codes seek to push the technology forward. Instead of printing a static code on the card, the user provides a CVV code that changes after each use.

Visa and other card brands explored different methods for implementing dynamic CVV codes over the last several years. The technology may actually be close to a wide rollout soon, with banks able to opt-in at the card network level.

One way is for the manufacturer to embed a small electronic screen directly onto the back of the card. The code changes every 30-60 minutes; hence, why it’s called a “dynamic” CVV code. The technology can also be used through an issuer’s mobile app, though. A user can request a dCVV2 code while shopping online.

What Do Dynamic CVVs Offer Compared to Static CVVs?

While CVV codes are a valuable anti-fraud tool, they’re not foolproof. Fraudsters can still gain access to a static security code and use the information to make purchases. A dynamic code that changes regularly, though, would be much more difficult to spoof.

Any dynamic data is inherently more secure than static data. To illustrate, let’s assume that a fraudster manages to get access to a cardholder’s information. If that card information includes a static CVV, the fraudster only needs to know that one code. However, if the CVV changes every hour, or after each use, it will be much more difficult for the fraudster to commit fraud.

Adoption of dCVV2 technology could prevent many instances of card-not-present fraud. fraud. Even better, it’s relatively easy for issuers to roll out to their customers.

dCVV2 is a bank-initiated solution implemented on the card network level. Banks and credit unions could sign up easily, with no integration required.

For merchants, there would effectively be no change. They would continue to request the CVV number at checkout, just as they always have. The difference is that the cardholder enters a unique dCVV2 at checkout in place of a static one printed on the card.

How Does dCVV Technology Work?

According to Visa, the card network will check the dCVV2 code during authorization processing. The card network then forwards the pass/fail result to the issuer, or responds to the acquirer on the issuer’s behalf. In this way, dCVV2 provides a cost-effective way for issuers to make dCVV2 codes available to their cardholders via mobile banking, SMS, or a standalone mobile app.

Like we mentioned above, it’s not necessary to have a dynamic CVV-enabled card to take advantage of the technology:

Of course, an app-based solution like this may add an additional step in the transaction process, which could make some merchants unhappy. Introducing more friction into the transaction has the potential to cause an uptick in order abandonment. The benefits of significantly reducing criminal fraud, however, should more than offset any potential losses.

We saw a massive surge in the use of mobile wallets and “click-and-collect” purchasing in 2020 as consumers looked to minimize physical contact points. It could be easy for companies to build dCVV2 into their platforms, helping acclimatize buyers to the technology in the process.

Stop fraud and chargebacks. Recover revenue today.REQUEST A DEMO

Merchant Benefits of dCVV2

The implementation of dynamic CVV2 over static CVVs offers many benefits to merchants and financial institutions alike. Along with a lowered threat of fraud and data leaks, dCVV2 could improve many aspects of the EMV experience, including:

Reduced Fraud

Using a dynamic CVV2 instead of a static CVV2 may significantly reduce the potential for fraud to occur on accounts following a data compromise.

Reduced Costs

Providing dCVV2 codes to cardholders via a mobile banking app or SMS may be a more cost-effective way to distribute them when compared to adding dCVV2 capability to the physical card.

Reduced Setup Friction

The Visa dCVV2 Generate service enables issuers to trial and launch dCVV2 capability with minimal host development costs or risks.

Reduced Oversight

Using the Visa dCVV2 Authenticate service minimizes the host developments needed to check the codes during authorization.

Additionally, because dCVV2 follows the same format as regular CVV2, no merchant or infrastructure changes are required. Cardholders are already familiar with how it works.

However, since it would be fair to consider dCVV2 the natural successor of CVV chip technology, hardware and software updates may be required. Whether or not this process will be cost-effective or prohibitive remains to be seen. 

Incorporating dCVV2 Into Your Anti-Fraud Strategy

Adoption of dCVV2 protocols will be like other new anti-fraud tools, such as 3-D Secure. It will help mitigate card-not-present risk… but it’s still not foolproof.

CVV verification has been a cornerstone of fraud management best practices for decades. That said, it’s only one part of a more expansive solution. Rather than relying on new technologies rolled out at the bank level, the best approach to stopping fraud of all kinds is for merchants to develop a dynamic, multilayer strategy.

New fraud threats emerge every day, as do new tools to help contend with these threats. We already discussed dCVV2 and 3-D Secure, but there are other widely-used fraud management tools that should be part of your strategy, including:

Address Verification Service

Issuer compares the transaction billing address to the billing address on file with the cardholder’s account, flagging mismatches as possible fraud.

Device Fingerprinting

This relies on detecting the identity of a device or system used during a transaction, which can help verify the cardholder’s identity.

Geolocation

Allows you to check the location of the cardholder on file against the current geographical location of the shopper.

Proxy Piercing

Detects activity designed to disguise a geographic location and generate false IP address information.

Fraud Scoring

Examines fraud warning signs in aggregate and assigns a simple numeric score (usually on a scale of 1 to 100) to the transaction. This facilitates simple, automated “up” or “down” decisioning to accept or reject a transaction.

Learn more about fraud best practices

These are just a few examples. As we alluded to above, an exhaustive list is next to impossible, as new technologies develop each day to contend with new threats.

The Impact of dCVV2 on Chargebacks

Presumably, if a customer has access to, and enters the CVV code from their card during checkout, this act alone could prevent a number of ‘not authorized’ disputes that could lead to chargebacks. This chargeback reason code accounts for a significant number of illegitimate chargebacks. So, it’s reasonable to think that a dynamic CVV code could further prove that the customer themselves approved any disputed transactions.

Despite this, even with dCVV2, multilayer fraud management, and fraud scoring in place, you could still see chargebacks slip through your defenses. This is where Intelligent Source Detection™ technology comes in handy.

ISD pinpoints and evaluates specific chargebacks by their source rather than their reason code. The tool then uses data to project where future chargebacks will come from and how to either prevent them or fight them through chargeback representment.

Overall, dCVV2 is a great new innovation in card-not-present fraud management. However, it should be just one part of a much broader, more comprehensive approach to the problem.

FAQs

What is a CVV?

A debit or credit card security code (sometimes known as card verification value) is a 3- or 4-digit number that helps authenticate transactions in which there is no physical card present, as in an online order. It was designed to help sellers verify that the authorized cardholder participates in a purchase, even if they can't physically see the card or the cardholder.

Why is a CVV required for online payment?

CVV numbers serve as an added security hurdle between fraudsters and completed transactions. In order for a bad actor to process a CVV-protected card, they would either need to know the 3- or 4-digit code on the card, or have the card in hand.

What is a dynamic CVV?

DCVV2, or a dynamic CVV2 code, is a technology that allows cardholders to enter a dynamic (or changing) CVV code at the time of checkout. Rather than rely on the static 3- or 4-digit code printed on a physical card, the customer can enter a code that changes on a frequent basis. This offers greater protection against criminal fraud.

How does a dynamic CVV code work?

According to Visa, the card network will check the dCVV2 code during authorization processing, then forward the result (pass/fail) to the issuer, or respond to the acquirer on the issuer’s behalf. In this way, dCVV2 provides a cost-effective way for issuers to make dCVV2 codes available to their cardholders via mobile banking, SMS, or a standalone mobile app.

Do dynamic CVV codes actually prevent fraud?

Any dynamic data is inherently more secure than static data. To illustrate, let’s assume that a fraudster manages to get access to a cardholder’s information. If that card information includes a static CVV, the fraudster only needs to know that one code. However, if the CVV changes every 30 to 60 minutes or changes after each use, it will be much more difficult for the fraudster to commit fraud.

Studies suggest that dCVV2 could prevent many instances of CNP (card-not-present) fraud. Even better, it’s relatively easy for issuers to roll out to their customers.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard