Braintree Payment Solutions
About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

This work is licensed under a Creative Commons License.


Archive for the “Risk and Fraud Management” Category


CVV2 Does Not Affect Credit Card Rate Qualification

April 4th, 2008

Most merchants mistakenly believe that processing a cardholder’s three- or four-digit CVV2 value for a ‘card not present’ transaction (e.g. ecommerce) will help them qualify for lower credit card rates. The CVV2 value is only useful for protecting against credit card fraud and has nothing to do with rate qualification. CVV2 is most often confused with Address Verification Service (AVS), which can be used to qualify for lower credit card rates.

CVV2 stands for Card Verification Value and was introduced by MasterCard in 1997 and Visa in 2001. For ‘swiped’ transactions, the value is referred to as CVV1. Each of the card brands has its own acronym:

Visa: CVV2 - Card Verification Value (3 digits)
MasterCard: CVC2 - Card Validation Code (3 digits)
American Express: CID - Unique Card Code (4 digits)
Discover: CID - Card Identification Number (3 digits)

Merchants are able to configure payment processing systems to accept or decline transaction requests based upon the match or mismatch of CVV2 information. So, for example, if a merchant creates a rule to decline all transactions where the CVV2 value does not match, the authorization request could be approved by the issuing bank, but the transaction will be denied by the merchant. Even though the merchant denied the transaction, the issuer’s authorization still stands and the consumer’s card will remain authorized for that amount unless the merchant voids it.

PCI DSS Compliance prohibits merchants from storing the CVV2 code. For recurring billing, merchants can accept and validate the CVV2 value during the initial authorization but cannot store it for additional transactions. After the initial validation, there really is no value in storing it.
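The two rules above, as an added illustration that is not Braintree’s code: a merchant-side CVV2 mismatch rule that voids the authorization the issuer already approved, and a recurring-billing record that validates CVV2 once and never keeps it. The result codes, the void call and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed CVV2 result codes returned by the gateway (constructed for this example;
# real gateways publish their own code tables).
CVV2_MATCH = "M"
CVV2_NO_MATCH = "N"


@dataclass
class AuthResponse:
    approved: bool      # issuer approved the authorization request
    cvv2_result: str    # issuer's CVV2 comparison result
    auth_id: str        # reference needed to void the authorization later


def merchant_decision(resp: AuthResponse, decline_on_mismatch: bool = True) -> str:
    """Apply the merchant's own CVV2 rule on top of the issuer's answer.

    Returns 'issuer_declined', 'decline' or 'accept'. The issuer may approve
    (and hold funds on the card) even when the merchant's rule declines.
    """
    if not resp.approved:
        return "issuer_declined"
    if decline_on_mismatch and resp.cvv2_result == CVV2_NO_MATCH:
        return "decline"
    return "accept"


def settle_or_void(resp: AuthResponse, voids: list) -> str:
    """Run the rule; a merchant decline must release the hold the issuer placed."""
    decision = merchant_decision(resp)
    if decision == "decline":
        voids.append(resp.auth_id)  # stands in for the gateway's void call (assumption)
    return decision


def stored_record(card_number: str, expiry: str, cvv2: str, resp: AuthResponse) -> dict:
    """Build what is kept for recurring billing: CVV2 is checked once, then dropped.

    Only the last four PAN digits are kept here; the full PAN belongs in a
    vault or tokenization service (assumption, outside this example).
    """
    del cvv2  # used for the initial authorization only; never persisted (PCI DSS)
    return {
        "last4": card_number[-4:],
        "expiry": expiry,
        "auth_id": resp.auth_id,
        "cvv2_validated": resp.cvv2_result == CVV2_MATCH,
    }
```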



HBR Case Study: How to deal with a credit card security breach

September 17th, 2007

In this month’s issue of the Harvard Business Review, Eric McNulty writes an article titled “Boss, I Think Someone Stole Our Customer Data.” This is a must-read for any executive or business owner whose company accepts credit cards. Mr. McNulty does a great job of clearly framing PCI Compliance, data security, and the potential responses to and ramifications of a security breach. He

The article also includes four expert opinions on the case study, from James Lee, SVP of ChoicePoint; Bill Boni, Corporate Information Security Officer at Motorola; John Coghlan, former President and CEO of Visa USA; and Jay Foley, Executive Director of the Identity Theft Resource Center. All offer valuable insights.


10 simple ways to reduce credit card fraud

September 6th, 2007

Here are some helpful hints on how you can reduce the number of fraudulent transactions in your business. These suggestions are geared toward smaller businesses that don’t have more robust fraud and risk solutions. Larger companies implement much more sophisticated rule-based fraud and risk management tools that automate a lot of this and detect suspicious activity in many more ways.

  1. Train operators to pay particular attention to anything suspicious in the way the caller speaks or responds to questions. One simple tip-off is a long pause or a hesitant answer. Make it a policy to request the name of the credit card issuing bank for any sale over a pre-set amount. If the caller doesn’t know the bank’s name, chances are he or she is using a stolen credit card number.
  2. Always ask for the cardholder’s billing address. Ask for the cardholder’s day and evening telephone numbers “in case there’s a question.” Orders with a “ship to” address that is different from the cardholder’s billing address can be a danger sign. If you are suspicious, attempt to contact the cardholder on a second phone to verify the order. If your system lets you, compare the “ship to” and “bill to” addresses with the catalog’s “mail to” address.
  3. Develop and maintain a “negative file” of fraudulent names, addresses, zip codes, credit card numbers and companies you come across. Compile a zip code listing that spotlights areas in which you’ve experienced high fraud. An ongoing good rule of thumb is to decline “ship to” to prisons.
  4. If the address is a P.O. box in a large city, further checking is suggested, especially if the order is from a new customer. Mail delivery services require a street address and will not ship to P.O. boxes.
  5. Carefully examine a “rush” order request from a new customer. Be especially alert when the caller appears ready to order whatever merchandise is in stock, regardless of size or style.
  6. Carefully examine any order with an unusually high dollar amount or which involves an out-of-the-ordinary situation.
  7. For American Express® and Optima® customers, ask for the 4-digit, non-embossed CID number printed on the front of the card (on the right border of all American Express Cards; on the left border of Optima Cards).
  8. For Discover Card® customers, ask the name of the bank on the back of the card. It should always be Greenwood Trust Company. If the customer can’t identify the bank, chances are the customer is attempting a fraudulent purchase.
  9. For Visa® cards, ask for the non-embossed number which appears above the first 4 digits. It should match the first 4 digits of the credit card number. Ask the caller to describe the embossed symbol (CV on Visa Classic, BV on Visa Business and PV on Visa Gold cards) to the right of the expiration date. Also, ask about the repetitive pattern of the Visa wordmark throughout the signature panel.
  10. For MasterCard®, ask for a non-embossed 3-digit code on the back of the card following the card number. It should match the card validation code (CVC2). Also, ask for a description of the security character — a stylized MC embossed on the line next to the valid dates on the face of the card.
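
As an added example (not Braintree’s code), here is a small rule-based screen that automates the hints from the list that can be checked from order data alone: ship-to versus bill-to mismatch, P.O. box delivery, negative-file hits, unusually high amounts, and rush orders from new customers. The negative file contents, the dollar threshold and the review threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed negative file: values the merchant has seen on fraudulent orders.
# Card numbers are kept as last-four only; a negative file must not hold full PANs.
NEGATIVE_FILE = {
    "names": {"john fraudster"},
    "zips": {"99999"},
    "last4": {"0000"},
}
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
HIGH_AMOUNT = 500.00  # assumed threshold; set from the merchant's own order history


@dataclass
class Order:
    name: str
    bill_zip: str
    ship_address: str
    ship_zip: str
    card_last4: str
    amount: float
    rush: bool = False
    new_customer: bool = False


def screen_order(o: Order) -> list:
    """Return the checklist items that fire: ship-to/bill-to mismatch, P.O. box
    delivery, negative-file hits, high amount, rush order from a new customer.
    Hints that need an operator on the phone are not modelled."""
    flags = []
    if o.ship_zip != o.bill_zip:
        flags.append("ship_to_differs_from_bill_to")
    if PO_BOX.search(o.ship_address):
        flags.append("po_box")
    if o.name.strip().lower() in NEGATIVE_FILE["names"]:
        flags.append("negative_file_name")
    if {o.ship_zip, o.bill_zip} & NEGATIVE_FILE["zips"]:
        flags.append("negative_file_zip")
    if o.card_last4 in NEGATIVE_FILE["last4"]:
        flags.append("negative_file_card")
    if o.amount >= HIGH_AMOUNT:
        flags.append("high_amount")
    if o.rush and o.new_customer:
        flags.append("rush_order_new_customer")
    return flags


def needs_manual_review(o: Order, threshold: int = 2) -> bool:
    """Hold the order for a person when enough hints fire (threshold is an assumption)."""
    return len(screen_order(o)) >= threshold
```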

Verified by Visa is not working

August 30th, 2007

Verified by Visa is a payer authentication program that allows cardholders to sign up at their issuing bank’s website and create a password to be used for online transactions. Once enrolled, buyers will be prompted to enter their password before completing an online purchase. The merchant must also be participating in the program; otherwise you won’t be prompted for your password. It’s designed to be a consumer’s digital signature and to help curb fraud losses.

I’ve always found this program interesting because in the first place, since 2002, Visa cardholders get automatic fraud protection. From Visa’s site: “Use your Visa card to shop online, in a store, or anywhere, and you’re protected from unauthorized use of your card or account information. With Visa’s Zero Liability policy, your liability for unauthorized transactions is $0 - you pay nothing.” So without any downside, why sign up?

Visa’s effort to get both merchants and consumers to sign up has been very unsuccessful to date despite trying to offer fraud protection incentives to merchants who use it and marketing it to consumers. Online merchants have been reluctant to add any more steps to the checkout process and jeopardize a sale.

Visa has been trying to tweak the rules and incentives to generate interest, but I wouldn’t hold my breath. Buyer authentication is a hot area right now and there are a lot of promising technologies. I just don’t think that password authentication is going to cut it.

 
     


 
 
 