BACK

wutzkohphoto/Shutterstock

Innovations and Payment Systems

Will dynamic CVVs become the ultimate in credit card security?

This technology that battles card-not-present fraud could be just the ticket

Summary

With credit card thieves shifting to online fraud, companies have to up their security games. Will shifting CVVs be the next big thing? Find out what experts think about the future of this new technology.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Online shopping with a credit card is not 100 percent safe, but businesses are working to change that.

In November 2018, Pittsburgh-based PNC Bank began piloting a new technology that might take fraud protection to new heights.

Keep reading to find out more about CVVs, which are card verification values that establish your identity and minimize the risk of fraud.

Then, discover why we might need shifting CVVs — those that change at regular daily intervals — and what the pros think about how effective the new technology will be.

Why chip-enabled codes aren’t completely stopping fraud

Although chip-based cards create a unique code for each customer transaction, if your actual card is stolen — or if, say, a merchant’s chip reader isn’t working and you have to swipe — you’re out of luck as far as fraud protection goes.

And, although a fixed CVV does give you some protection when you make online purchases, some hackers are so “talented” they can access your CVV number along with your card number.

PNC’s program details

PNC’s pilot program involves a number of medium- and large-sized companies using its motion-code enabled corporate cards. So far, PNC has not announced when it will extend the technology to its consumer cards.

“We’re constantly looking for ways to reduce fraud,” said Christopher Ward, executive vice president and head of product management for PNC’s treasury management unit.

“It’s harder for [crooks] to make counterfeit cards now because of chips … so fraud has moved to the card-not-present space.”

See related:  How to find your credit card security code

What the technology aims to do

Shifting CVV technology was created to fight card-not-present fraud, which has been on the rise since chip-enabled cards replaced the less-secure magnetic stripe models, crippling crooks’ counterfeiting efforts.

In fact, according to the U.S. Payments Forum, counterfeit card fraud has taken a nose-dive to the tune of 80 percent at brick-and-mortar businesses that accept chipped cards.

Now, thieves are turning to the web to look for new opportunities, because online credit card fraud is an entirely different animal.

See related: New technology, analytics help fight card-not-present fraud

How the technology works

Called dynamic card verification, the technology replaces a credit card’s static CVV — the three- or four-digit card verification value — with an electronic ink display screen that generates a new CVV number at regular daily intervals, which card issuers can customize.

The dynamic CVV shows on the back of the card in e-ink and changes according to a Visa-supplied algorithm. The actual cards come from a company called Idemia, which has been making them since 2016.

The kind of fraud this technology would thwart is when a card number — along with its CVV and expiration date — is compromised via a variety of means and the criminal simply uses the card along with the compromised CVV and valid expiration date until the card expires and a new one is issued, said Robert Siciliano, security awareness expert and CEO of Safr.Me.

By the time the hacker tries to make an online purchase with the number of a dynamic CVV card he or she stole, the store will decline the transaction because the CVV code will have changed by then.

All of this sounds great in theory, but there are issues surrounding shifting CVVs.

Finding the ideal frequency to change the CVVs can be problematic.

If they change too often, a customer might not have enough time to finish a legitimate, online purchase before it happens.

And replacing the CVVs too often cuts down on the lifespan of the lithium batteries that power the cards.

These new cards are also more expensive to make than chip cards — a chip card typically costs from $2 to $4 to make, according to PNC, while a motion card could run about $15. But by reducing fraud, PNC expects to more than make up for the higher cost of the motion cards.

Dynamic CVVs will present a whole new set of hurdles for thieves

Nathan Grant, credit industry analyst at Credit Card Insider, feels the technology carries the potential to further help against fraud.

“As it stands currently, CVV numbers are designed to prevent fraud during online or phone transactions,” Grant said, “and fraudsters steal this data from illegal web server applications like Trojan or through phishing.”

Certain Bank of America, Capital One and Citi credit cards offer customers virtual credit card numbers, which provide another layer of security for online transactions since they expire, which eliminates the opportunity for fraud even if scammers do get access to the number, Grant added.

“But using virtual credit cards in tandem with rotating CVVs — in addition to the heightened security of things like contactless cards — can create a whole new set of hurdles in the future for fraudsters to get by before getting your information,” Grant said.

Dynamic CVVs have a long way to go

Chris Ligan, vice president of acquisition at the credit card processing company Auric, thinks it’s too early to tell if shifting CVVs will work.

“Since EMV chips on credit cards were standardized in U.S. in 2016, the bad guys have moved to online fraud because it bypasses the security features of face-to-face transactions,” Ligan said.

An EMV chip creates a unique transaction ID shared with the issuing bank during each transaction and matches it with a credit card number.

So, if a transaction occurs with a duplicate ID (from cloning a card) the transaction will be rejected.

The dynamic CVV code is trying to emulate what the EMV security feature does, but for online transactions — and that won’t be a walk in the park, according to Ligan.

“Finding a solution for online card verification with the same effect that EMV has had for face-to-face transactions would save trillions over the next decade,” Ligan pointed out, “But the jury is still out for dynamic CVV codes because of their challenges.”

Ligan said that there are a lot of details that must be worked out.

In addition to the optimal changing frequency being hard to pin down, many people have their cards on file for subscriptions and monthly bills, which would be a real problem with shifting CVVs.

Ligan also mentioned it would be tough to come up with enough combinations for three numbers and that thieves might have a decent chance if they guess them.

Still, Ligan is in favor of the technology.

“Either way, despite its potential challenges, having dynamic CVVs is better than what we have now, which is nothing. I’d rather have any old deadbolt on a back door than no deadbolt at all,” he said.

Shifting CVVs will add another layer of protection

If the new cards are ever deployed, they will serve as an additional layer of protection against fraud, Siciliano said.

“Consider the rotating CVV as a form of multi-layer authentication, similar to how a user might get an additional, one-time pass code via text when they enter into a critical website,” he added.

Credit cards generally have an expiration date of around four years, which means the card number, its CVV and its expiration date are all valid in that time frame, he pointed out.

But, Siciliano said, a revolving CVV would make that information useless to a thief due to the dynamic CVV card’s shorter time frame.

Stopping fraud one step at a time

There are so many types of credit card fraud — stealing a card, using a card someone lost, taking over an account, making counterfeit cards, intercepting cards in the mail and stealing via the card-not-present method — that there might always be ways for the thieves to rip off consumers.

But if with each new technology we get closer to shutting down one more avenue fraudsters use to steal your card information, that’s a step in the right direction.

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Innovations and Payment Systems

Virtual account numbers grow as a way to cut fraud risk

Virtual account numbers have been around for years, but they’re being used more now in the wake of the massive Equifax hack.

See more stories
Credit Card Rate Report Updated: April 1st, 2020
Business
14.07%
Airline
15.85%
Cash Back
16.16%
Reward
16.06%
Student
15.87%

Questions or comments?

Contact us

Editorial corrections policies

Learn more

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company’s business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.