As a merchant, one of your most important priorities while processing payments (if not the main one) is avoiding fraudulent transactions. Merchants can be deemed susceptible to fraud if the card is not present during the transaction, such as with online purchases, payments made over the phone, or online invoice payments.
So while it might seem like the payment and anti-fraud landscape is getting more and more complicated, it’s for a good reason. Ecommerce sales are expected to reach $632 billion, and accounts of fraudulent activity aren’t slowing down either: card-not-present (CNP) fraud is predicted to grow by 14% in the next four years.
This is why CVV codes exist, essentially. These codes act as a security measure for CNP transactions since online merchants cannot check customers’ signatures.
It’s common practice for merchants to ask for the CVV code to check and see if the buyer is the rightful owner of the credit card, and is arguably the best way to make sure the customer actually has the card in their possession.
If you’ve ever ordered something online and had the little pop-up direct you to those three digits on the back of your card, then you’ve come into contact with CVV.
Other names for a CVV code
CVV stands for "card verification value", but it’s also known as CVV2, CVD (card verification data), CVC or CVC2 (card verification code), or CCV (card code verification).
This is due to naming variability across the tech and cardmember associations that developed their own versions of the tech, but they all work effectively the same way.
The three-digit code is located on the back of a credit or debit card, by the signature strip — except for most Amex cards, where it’s on the front, and is actually four digits long.
How CVV codes prevent fraud
While skilled fraudsters have their methods to get their hands on the long number and expiry date on customers' cards through devices such as "skimmers" at ATM machines and on payment terminals, they’re out of luck when they try to use this information online without a CVV code.
The CVV is stored either in the magnetic stripe on the back of the card or in the chip of a chip-and-pin card. Merchants are not allowed to store CVV codes in any way if they want to be PCI compliant — helping protect customers from a data breach as well as making it more difficult for fraudsters to get their hands on the CVV code.
Not complying with these global PCI DSS standards could result in a hefty fine or even worse — the cancellation of the merchant facilities by the payment processor.
CVV codes help with chargebacks too
As well as fighting online fraud, CVV codes also help merchants prevent that dreaded source of lost revenue: the chargeback. Chargebacks take place when a customer requests that the funds from a payment be reversed, and can happen for a number of legitimate and illegitimate reasons such as dissatisfaction with the product or shipping, buyer’s remorse, chargeback fraud, or incorrect deliveries.
While CVV codes can’t stop all types of chargebacks in their tracks, it’s a lot easier to prove that a customer did actually authorize a payment if they entered a CVV code that only they could have entered with their card handy. This is commonly known as "friendly fraud" where a customer makes a purchase and then claims they never did — though it doesn’t sound too friendly to us!
CVV is just one component in the fight against fraud. Online mechanisms such as AVS (address verification service) and card-side fraud triggers such as repeated out-of-country order codes or high-ticket flags also help prevent fraud.
How to process CVV codes
Since CVV codes aren’t required for absolutely all credit or debit card transactions (this is dependent on the credit card association), some online merchants don’t request them at checkout to avoid losing any sales. However, this is very risky business, as CVV numbers are crucial in the online fight against fraud.
At the very least, merchants should require CVV codes the first time a customer makes a payment with them to verify that they are the rightful cardholder. And remember that merchants can be viable for some or all of the damages that result in fraud if the merchant is found negligent, and not requesting a CVV code could be an example of that.
After capturing the CVV code during a transaction (often referred to as "the last three digits on the back of the card"), the merchant sends all the card details (card number, expiration date, cardholder name and address, and the CVV code) to be authorized by the acquiring bank.
The merchant should include a number that indicates whether or not the CVV is being included together with the authorization request.
The bank then sends the request to the relevant credit card association (Visa, MasterCard, American Express, etc.), and the credit card association sends the request to the card issuer. The transaction is then either approved or declined by the card issuer, and the response is sent back the same way it arrived.
A CVV response code is also sent back when the CVV code was included in the original request. If the CVV code did not match, the merchant makes the call on whether or not to go ahead with the transaction.
The bottom line
It should now be a little clearer as to what CVV codes are, and why they are so important within merchant services — helping merchants not only to fight fraud but also reduce chargebacks.
The humble CVV code is no doubt a tool to be leveraged for any business operating online payments.