With credit card thieves shifting to online fraud, companies have to up their security games. Will shifting CVVs be the next big thing? Find out what experts think about the future of this new technology.
Online shopping with a credit card is not 100 percent safe, but businesses are working to change that.
In November 2018, Pittsburgh-based PNC Bank began piloting a new technology that might take fraud protection to new heights.
Keep reading to find out more about CVVs, which are card verification values that establish your identity and minimize the risk of fraud.
Then, discover why we might need shifting CVVs — those that change at regular daily intervals — and what the pros think about how effective the new technology will be.
Why chip-enabled codes aren’t completely stopping fraud
Although chip-based cards create a unique code for each customer transaction, if your actual card is stolen — or if, say, a merchant’s chip reader isn’t working and you have to swipe — you’re out of luck as far as fraud protection goes.
And, although a fixed CVV does give you some protection when you make online purchases, some hackers are so “talented” they can access your CVV number along with your card number.
PNC’s program details
PNC’s pilot program involves a number of medium- and large-sized companies using its motion-code enabled corporate cards. So far, PNC has not announced when it will extend the technology to its consumer cards.
“We’re constantly looking for ways to reduce fraud,” said Christopher Ward, executive vice president and head of product management for PNC’s treasury management unit.
“It’s harder for [crooks] to make counterfeit cards now because of chips … so fraud has moved to the card-not-present space.”
See related: How to find your credit card security code
What the technology aims to do
Shifting CVV technology was created to fight card-not-present fraud, which has been on the rise since chip-enabled cards replaced the less-secure magnetic stripe models, crippling crooks’ counterfeiting efforts.
In fact, according to the U.S. Payments Forum, counterfeit card fraud has taken a nose-dive to the tune of 80 percent at brick-and-mortar businesses that accept chipped cards.
Now, thieves are turning to the web to look for new opportunities, because online credit card fraud is an entirely different animal.
How the technology works
Called dynamic card verification, the technology replaces a credit card’s static CVV — the three- or four-digit card verification value — with an electronic ink display screen that generates a new CVV number at regular daily intervals, which card issuers can customize.
The dynamic CVV shows on the back of the card in e-ink and changes according to a Visa-supplied algorithm. The actual cards come from a company called Idemia, which has been making them since 2016.
The kind of fraud this technology would thwart is when a card number — along with its CVV and expiration date — is compromised via a variety of means and the criminal simply uses the card along with the compromised CVV and valid expiration date until the card expires and a new one is issued, said Robert Siciliano, security awareness expert and CEO of Safr.Me.
By the time the hacker tries to make an online purchase with the number of a dynamic CVV card he or she stole, the store will decline the transaction because the CVV code will have changed by then.
All of this sounds great in theory, but there are issues surrounding shifting CVVs.
Finding the ideal frequency to change the CVVs can be problematic.
If they change too often, a customer might not have enough time to finish a legitimate, online purchase before it happens.
And replacing the CVVs too often cuts down on the lifespan of the lithium batteries that power the cards.
These new cards are also more expensive to make than chip cards — a chip card typically costs from $2 to $4 to make, according to PNC, while a motion card could run about $15. But by reducing fraud, PNC expects to more than make up for the higher cost of the motion cards.
Dynamic CVVs will present a whole new set of hurdles for thieves
Nathan Grant, credit industry analyst at Credit Card Insider, feels the technology carries the potential to further help against fraud.
“As it stands currently, CVV numbers are designed to prevent fraud during online or phone transactions,” Grant said, “and fraudsters steal this data from illegal web server applications like Trojan or through phishing.”
Certain Bank of America, Capital One and Citi credit cards offer customers virtual credit card numbers, which provide another layer of security for online transactions since they expire, which eliminates the opportunity for fraud even if scammers do get access to the number, Grant added.
“But using virtual credit cards in tandem with rotating CVVs — in addition to the heightened security of things like contactless cards — can create a whole new set of hurdles in the future for fraudsters to get by before getting your information,” Grant said.
Dynamic CVVs have a long way to go
Chris Ligan, vice president of acquisition at the credit card processing company Auric, thinks it’s too early to tell if shifting CVVs will work.
“Since EMV chips on credit cards were standardized in U.S. in 2016, the bad guys have moved to online fraud because it bypasses the security features of face-to-face transactions,” Ligan said.
An EMV chip creates a unique transaction ID shared with the issuing bank during each transaction and matches it with a credit card number.
So, if a transaction occurs with a duplicate ID (from cloning a card) the transaction will be rejected.
The dynamic CVV code is trying to emulate what the EMV security feature does, but for online transactions — and that won’t be a walk in the park, according to Ligan.
“Finding a solution for online card verification with the same effect that EMV has had for face-to-face transactions would save trillions over the next decade,” Ligan pointed out, “But the jury is still out for dynamic CVV codes because of their challenges.”
Ligan said that there are a lot of details that must be worked out.
In addition to the optimal changing frequency being hard to pin down, many people have their cards on file for subscriptions and monthly bills, which would be a real problem with shifting CVVs.
Ligan also mentioned it would be tough to come up with enough combinations for three numbers and that thieves might have a decent chance if they guess them.
Still, Ligan is in favor of the technology.
“Either way, despite its potential challenges, having dynamic CVVs is better than what we have now, which is nothing. I’d rather have any old deadbolt on a back door than no deadbolt at all,” he said.
Shifting CVVs will add another layer of protection
If the new cards are ever deployed, they will serve as an additional layer of protection against fraud, Siciliano said.
“Consider the rotating CVV as a form of multi-layer authentication, similar to how a user might get an additional, one-time pass code via text when they enter into a critical website,” he added.
Credit cards generally have an expiration date of around four years, which means the card number, its CVV and its expiration date are all valid in that time frame, he pointed out.
But, Siciliano said, a revolving CVV would make that information useless to a thief due to the dynamic CVV card’s shorter time frame.
Stopping fraud one step at a time
There are so many types of credit card fraud — stealing a card, using a card someone lost, taking over an account, making counterfeit cards, intercepting cards in the mail and stealing via the card-not-present method — that there might always be ways for the thieves to rip off consumers.
But if with each new technology we get closer to shutting down one more avenue fraudsters use to steal your card information, that’s a step in the right direction.