In order to remain compliant with Payment Card Industry rules, the merchants must ensure cardholders security and keep themselves abreast with the latest technologies and features introduced by credit and debit card issuing companies to enhance security and minimise card frauds. Merchants often find understanding payment security a bit challenging. So, here is a quick guide on the credit card security code.
Card Verification Value (CVV) is a three or four-digit code printed on the front or back of the card. A CVV code aims to authenticate the identity and prevent unauthorised use of the credit/debit card in card-not-present transactions. The CVV number acts as an anti-fraud security feature while making transactions.
Alternative Names for Credit Card Security Codes
Card issuing brands use different terms for CVV code, but they all mean the same. These are:
- CID – Card Identification Number
- CVV2 – Card Verification Value 2
- CSC – Card Security Code
- CVC2 – Card Validation Code
Why do You Need a CVV Code?
For merchants who accept payments through mobile payment processing, the CVV code acts as an additional way to verify that the authorised cardholder is the one purchasing.
Asking people to submit CVV number while making online purchases helps small business merchant services and big merchants to mitigate frauds as the person needs to have the card in their physical possession to submit the CVV code.
Another reason merchants need a CVV code is to avoid a chargeback. A chargeback is the return/reverse of money to the customer in case of unauthorised or fraudulent payments. Suppose the customer disputes a charge, the bank then chargeback the merchant. At that time, you can use the CVV code as evidence to prove the customer authorised the sale. High risk merchant services can be set apart from low-risk merchants based on chargebacks.
So, asking customers to input the CVV number while making online transactions allows merchants a way to mitigate fraud.
CVV Checks for Merchants: What You Need to Know to Accept Payments
The card-present transactions or in-person transactions with a card reader or terminal does not require a CVV code. When the customer physically swipes, taps or dips the card, then you do not need a CVV number to complete the transaction. If the data is entered manually through a POS system, virtual terminal or mPOS app, you need to get the CVC to complete the transaction.
When a card-not-present transaction is conducted that is payment is received online, then you need the CVV code to authenticate the identity to avoid frauds.
Entering CVV Numbers for Manually-Entered Transactions
According to PCI compliance requirements, you need to enter a CVV number if credit card information is manually entered. A PCI compliant payment processing company will require a CVV number for all card-not-present transactions.
CVV Code Entry for E-commerce
All e-commerce companies should have a PCI compliant processor and payment gateway to avoid frauds. As transactions that occur on e-commerce platforms are card-not-present transactions, the company must ask customers to provide CVV code to mitigate risks.
CVV as a Part of Anti-Fraud Strategy for Merchants
With the rise in the number of online frauds, the merchants need to have a solid anti-fraud strategy. CVV code is one of the ways a merchant can avoid scams. The other ways a merchant can avoid fraud are AVS and 3D Secure. Address Verification System (AVS) is the method when the processor authenticates the customer’s address during checkout. AVS significantly mitigates risk.
Merchants use 3D secure, also known as, payer authentication for extra fraud protection. The customers are required to complete an additional verification step with the card issuer while making online payments. CVV number, AVS and 3D secure together make online shopping safer.
Why Merchants Cannot Store Credit Card Security Codes
CVV code is an authentication procedure to minimise fraud in card-not-present transactions. The CVV code is a three or four digit number that merchants ask customers to provide to screen fraudulent transactions.
According to PCI Standards, storing cardholders’ data is prohibited. The PCI DSS requirement 3.2 states that sensitive authentication data of cardholders cannot be stored after the completion of authorisation. PCI DSS does not restrict the collection of cardholder data before authorisation of a specific transaction but prohibits storing CVV code after a particular purchase has been authorised.
For merchants who have to charge their customers on a recurring basis can use CVV number for initial transaction but are not allowed to store them for future transactions.
CVV codes give merchant an additional way to scan fraudulent transactions and verify customers’ identity in card-not-present transactions.