dCVV2: A Game-Changing Antifraud Technology or Just a Payments Industry Buzzword?
Since their introduction in 1995, card security codes (also known as a CVV or CVC) have helped protect millions of transactions worldwide.
In an increasingly digitized economy, these three- to four-digit numbers serve as an added security hurdle between fraudsters and your bottom line. They’ve proven to be a critical fraud detection tool. However, static CVV2 codes have one key weakness: they can be replicated if exposed.
This is where dynamic CVV2 (or dCVV2) technology comes into play.
Recommended reading
- What is EMV Bypass Cloning? Are Chip Cards Still Secure?
- Dispute Apple Pay Transaction: How Does The Process Work?
- Terminal ID Number (TID): What is it? What Does it Do?
- Visa Installments: How it Works, Benefits, & Implementation
- Electronic Funds Transfers: How EFTs Work & Examples
- How Real-Time Payments Work: Availability & Future of RTPs
What is a Dynamic CVV?
- Dynamic CVV (dCVV) Code
dCVV2, or a dynamic CVV2 code, is a technology that allows cardholders to enter a dynamic (or changing) CVV code at the time of checkout. Rather than rely on the static 3- or 4-digit code printed on a physical card, the customer can enter a code that changes on a frequent basis. This offers greater protection against criminal fraud.
[noun]/dī • nam • ik • cē • vē • vē • kōd/
Dynamic CVV codes seek to push card verification technology forward. Instead of printing a static code on the card, the user provides a CVV code that changes after each use.
Visa and other card brands explored different methods for implementing dynamic CVV codes over the last several years. The technology may actually be close to a wide rollout soon, with banks able to opt-in at the card network level.
One way is for the manufacturer to embed a small electronic screen directly onto the back of the card. The code is randomized, and changes every 30-60 minutes; hence, why it’s called a “dynamic” CVV code. The technology can also be used through an issuer’s mobile app, though. A user can request a dCVV2 code while shopping online.
Learn more about CVV codes
What Do Dynamic CVVs Offer Compared to Static CVVs?
Dynamic CVVs change over time, so they make it more difficult for fraudsters to carry out repeated unauthorized card-not-present transactions using a set of stolen payment details.
Dynamic data is inherently more secure than static data. Old-school, static CVV codes are a valuable anti-fraud tool, but they’re not foolproof. Fraudsters can still gain access to a static security code and use the information to make purchases.
A static CVV is like a single key that works for every transaction. If a fraudster steals it, they can use it repeatedly until the card is replaced.
Repeated use of the same CVV
In contrast, a dynamic CVV is like a new, unique key that is generated for every transaction, making it useless for future fraudulent attempts.
dCVV is always unique and expires quickly
Even better, it’s relatively easy to roll out. dCVV2 is a bank-initiated solution implemented on the card network level. Banks and credit unions could sign up easily, with no integration required. For merchants, there would effectively be no change. They would continue to request the CVV number at checkout, just as they always have.
How Does dCVV Technology Work?
According to Visa, the card network will check the dCVV2 code during authorization processing. They’ll forward the pass/fail result to the issuer, or respond to the acquirer on the issuer’s behalf. In this way, dCVV2 provides a cost-effective way for issuers to make dCVV2 codes available to their cardholders via mobile banking, SMS, or a standalone mobile app.
Like we mentioned above, it’s not necessary to have a dynamic CVV-enabled card to take advantage of the technology:
Benefits of dCVV2 Use for Merchants & Banks
For merchants, dynamic CVV technology can lower fraud risks, reduce distribution costs, decrease setup friction, and reduce host development time.
An app-based solution may add an additional step in the transaction process, which could make some merchants unhappy. Introducing more friction into the transaction has the potential to cause an uptick in order abandonment.
That said, the implementation of dynamic CVV2 codes offers a lot of benefits for both merchants and financial institutions. dCVV2 could mean:
dCVV2 follows the same format as regular CVV2. Cardholders are already familiar with how it works, and no merchant or infrastructure changes are required.
However, since it would be fair to consider dCVV2 the natural successor of CVV chip technology, hardware and software updates may be required. Whether or not this process will be cost-effective or prohibitive remains to be seen.
Incorporating dCVV2 Into Your Anti-Fraud Strategy
Adoption of dCVV2 protocols will be like other new anti-fraud tools, such as 3-D Secure. It will help mitigate card-not-present risk… but it’s still not foolproof.
CVV verification has been a cornerstone of fraud management best practices for decades. That said, it’s only one part of a more expansive solution. Rather than relying on new technologies rolled out at the bank level, the best approach to stopping fraud of all kinds is for merchants to develop a dynamic, multilayer strategy.
New fraud threats emerge every day, as do new tools to help contend with these threats. We already discussed dCVV2 and 3-D Secure, but there are other widely-used fraud management tools that should be part of your strategy, including:
These are just a few examples. As we alluded to above, an exhaustive list is next to impossible, as new technologies develop each day to contend with new threats.
Even with dCVV2, multilayer fraud management, and fraud scoring in place, you could still see chargebacks slip through your defenses. This is where Intelligent Source Detection™ technology comes in handy.
ISD pinpoints and evaluates specific chargebacks by their source rather than their reason code. The tool then uses data to project where future chargebacks will come from and how to either prevent them or fight them through chargeback representment.
Overall, dCVV2 is a great new innovation in card-not-present fraud management. However, it should be just one part of a much broader, more comprehensive approach to the problem.
FAQs
What is a CVV?
A debit or credit card security code (sometimes known as card verification value) is a 3- or 4-digit number that helps authenticate transactions in which there is no physical card present, as in an online order. It was designed to help sellers verify that the authorized cardholder participates in a purchase, even if they can't physically see the card or the cardholder.
Why is a CVV required for online payment?
CVV numbers serve as an added security hurdle between fraudsters and completed transactions. In order for a bad actor to process a CVV-protected card, they would either need to know the 3- or 4-digit code on the card, or have the card in hand.
What is a dynamic CVV?
DCVV2, or a dynamic CVV2 code, is a technology that allows cardholders to enter a dynamic (or changing) CVV code at the time of checkout. Rather than rely on the static 3- or 4-digit code printed on a physical card, the customer can enter a code that changes on a frequent basis. This offers greater protection against criminal fraud.
How does a dynamic CVV code work?
According to Visa, the card network will check the dCVV2 code during authorization processing, then forward the result (pass/fail) to the issuer, or respond to the acquirer on the issuer’s behalf. In this way, dCVV2 provides a cost-effective way for issuers to make dCVV2 codes available to their cardholders via mobile banking, SMS, or a standalone mobile app.
Do dynamic CVV codes actually prevent fraud?
Any dynamic data is inherently more secure than static data. To illustrate, let’s assume that a fraudster manages to get access to a cardholder’s information. If that card information includes a static CVV, the fraudster only needs to know that one code. However, if the CVV changes every 30 to 60 minutes or changes after each use, it will be much more difficult for the fraudster to commit fraud.
Studies suggest that dCVV2 could prevent many instances of CNP (card-not-present) fraud. Even better, it’s relatively easy for issuers to roll out to their customers.
