dCVV2: A Game-Changing Antifraud Technology or Just a Payments Industry Buzzword?
Since their introduction in 1995, card security codes (also known as a CVV or CVC) have helped protect millions of transactions worldwide.
In an increasingly digitized economy, these three- to four-digit numbers serve as an added security hurdle between fraudsters and your bottom line. They’ve proven to be a critical fraud detection tool. However, static CVV2 codes have one key weakness: they can be replicated if exposed.
This is where dynamic CVV2 (or dCVV2) technology comes into play.
Dynamic codes are randomized, with a digital display generating a new code with each use. A static code is never stored in the card or the user’s digital wallet. Thus, it’s basically impossible to steal or replicate this information.
But, while that sounds great, there are still a few caveats to consider. So, just how effective will dCVV2 be against fraud once it finally rolls out to the market at large? Also, how might it help — or hurt — your business?
- What is an Electronic Funds Transfer (EFT)?
- What is EMV Bypass Cloning? Are Chip Cards Still Secure?
- Terminal ID Number (TID): What is it? What Does it Do?
- How Payment Gateways Work & Why Merchants Need Them
- What Are Credit Card Networks? What Do Card Networks Do?
- What is VPOS? Why Use a Virtual Payment Terminal?
What is a Dynamic CVV?
- Dynamic CVV (dCVV) Code
dCVV2, or a dynamic CVV2 code, is a technology that allows cardholders to enter a dynamic (or changing) CVV code at the time of checkout. Rather than rely on the static 3- or 4-digit code printed on a physical card, the customer can enter a code that changes on a frequent basis. This offers greater protection against criminal fraud.
[noun]/dī • nam • ik • cē • vē • vē • kōd/
The first CVV codes were issued as a direct response to the growth in online shopping. While it was relatively easy to validate buyers in a card-present environment, merchants and cardholders never meet face-to-face in a phone or online purchase.
The inclusion of card security codes on payment cards provided an additional roadblock to stopping potential fraudsters. A buyer would need to have access to the card number, expiration date, and this additional security code to validate a transaction. While it was not foolproof, CVV codes at least introduced an additional roadblock to stop fraud.
Dynamic CVV codes seek to push the technology forward. Instead of printing a static code on the card, the user provides a CVV code that changes after each use.
Visa and other card brands explored different methods for implementing dynamic CVV codes over the last several years. The technology may actually be close to a wide rollout soon, with banks able to opt-in at the card network level.
One way is for the manufacturer to embed a small electronic screen directly onto the back of the card. The code changes every 30-60 minutes; hence, why it’s called a “dynamic” CVV code. The technology can also be used through an issuer’s mobile app, though. A user can request a dCVV2 code while shopping online.
What Do Dynamic CVVs Offer Compared to Static CVVs?
While CVV codes are a valuable anti-fraud tool, they’re not foolproof. Fraudsters can still gain access to a static security code and use the information to make purchases. A dynamic code that changes regularly, though, would be much more difficult to spoof.
Any dynamic data is inherently more secure than static data. To illustrate, let’s assume that a fraudster manages to get access to a cardholder’s information. If that card information includes a static CVV, the fraudster only needs to know that one code. However, if the CVV changes every hour, or after each use, it will be much more difficult for the fraudster to commit fraud.
Adoption of dCVV2 technology could prevent many instances of card-not-present fraud. fraud. Even better, it’s relatively easy for issuers to roll out to their customers.
Based on a survey of over 400 merchants, the report presents a comprehensive, cross-vertical look at the current state of chargebacks and chargeback management.Access the FREE Report
dCVV2 is a bank-initiated solution implemented on the card network level. Banks and credit unions could sign up easily, with no integration required.
For merchants, there would effectively be no change. They would continue to request the CVV number at checkout, just as they always have. The difference is that the cardholder enters a unique dCVV2 at checkout in place of a static one printed on the card.
How Does dCVV Technology Work?
According to Visa, the card network will check the dCVV2 code during authorization processing. The card network then forwards the pass/fail result to the issuer, or responds to the acquirer on the issuer’s behalf. In this way, dCVV2 provides a cost-effective way for issuers to make dCVV2 codes available to their cardholders via mobile banking, SMS, or a standalone mobile app.
Like we mentioned above, it’s not necessary to have a dynamic CVV-enabled card to take advantage of the technology:
Of course, an app-based solution like this may add an additional step in the transaction process, which could make some merchants unhappy. Introducing more friction into the transaction has the potential to cause an uptick in order abandonment. The benefits of significantly reducing criminal fraud, however, should more than offset any potential losses.
We saw a massive surge in the use of mobile wallets and “click-and-collect” purchasing in 2020 as consumers looked to minimize physical contact points. It could be easy for companies to build dCVV2 into their platforms, helping acclimatize buyers to the technology in the process.
Merchant Benefits of dCVV2
The implementation of dynamic CVV2 over static CVVs offers many benefits to merchants and financial institutions alike. Along with a lowered threat of fraud and data leaks, dCVV2 could improve many aspects of the EMV experience, including:
Additionally, because dCVV2 follows the same format as regular CVV2, no merchant or infrastructure changes are required. Cardholders are already familiar with how it works.
However, since it would be fair to consider dCVV2 the natural successor of CVV chip technology, hardware and software updates may be required. Whether or not this process will be cost-effective or prohibitive remains to be seen.
Incorporating dCVV2 Into Your Anti-Fraud Strategy
Adoption of dCVV2 protocols will be like other new anti-fraud tools, such as 3-D Secure. It will help mitigate card-not-present risk… but it’s still not foolproof.
CVV verification has been a cornerstone of fraud management best practices for decades. That said, it’s only one part of a more expansive solution. Rather than relying on new technologies rolled out at the bank level, the best approach to stopping fraud of all kinds is for merchants to develop a dynamic, multilayer strategy.
In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.Get the FREE guide
New fraud threats emerge every day, as do new tools to help contend with these threats. We already discussed dCVV2 and 3-D Secure, but there are other widely-used fraud management tools that should be part of your strategy, including:Learn more about fraud best practices
These are just a few examples. As we alluded to above, an exhaustive list is next to impossible, as new technologies develop each day to contend with new threats.
The Impact of dCVV2 on Chargebacks
Presumably, if a customer has access to, and enters the CVV code from their card during checkout, this act alone could prevent a number of ‘not authorized’ disputes that could lead to chargebacks. This chargeback reason code accounts for a significant number of illegitimate chargebacks. So, it’s reasonable to think that a dynamic CVV code could further prove that the customer themselves approved any disputed transactions.
Despite this, even with dCVV2, multilayer fraud management, and fraud scoring in place, you could still see chargebacks slip through your defenses. This is where Intelligent Source Detection™ technology comes in handy.
ISD pinpoints and evaluates specific chargebacks by their source rather than their reason code. The tool then uses data to project where future chargebacks will come from and how to either prevent them or fight them through chargeback representment.
Overall, dCVV2 is a great new innovation in card-not-present fraud management. However, it should be just one part of a much broader, more comprehensive approach to the problem.
What is a CVV?
A debit or credit card security code (sometimes known as card verification value) is a 3- or 4-digit number that helps authenticate transactions in which there is no physical card present, as in an online order. It was designed to help sellers verify that the authorized cardholder participates in a purchase, even if they can't physically see the card or the cardholder.
Why is a CVV required for online payment?
CVV numbers serve as an added security hurdle between fraudsters and completed transactions. In order for a bad actor to process a CVV-protected card, they would either need to know the 3- or 4-digit code on the card, or have the card in hand.
What is a dynamic CVV?
DCVV2, or a dynamic CVV2 code, is a technology that allows cardholders to enter a dynamic (or changing) CVV code at the time of checkout. Rather than rely on the static 3- or 4-digit code printed on a physical card, the customer can enter a code that changes on a frequent basis. This offers greater protection against criminal fraud.
How does a dynamic CVV code work?
According to Visa, the card network will check the dCVV2 code during authorization processing, then forward the result (pass/fail) to the issuer, or respond to the acquirer on the issuer’s behalf. In this way, dCVV2 provides a cost-effective way for issuers to make dCVV2 codes available to their cardholders via mobile banking, SMS, or a standalone mobile app.
Do dynamic CVV codes actually prevent fraud?
Any dynamic data is inherently more secure than static data. To illustrate, let’s assume that a fraudster manages to get access to a cardholder’s information. If that card information includes a static CVV, the fraudster only needs to know that one code. However, if the CVV changes every 30 to 60 minutes or changes after each use, it will be much more difficult for the fraudster to commit fraud.
Studies suggest that dCVV2 could prevent many instances of CNP (card-not-present) fraud. Even better, it’s relatively easy for issuers to roll out to their customers.