As a customer, you’ll be aware of the three-digit code on the back of your Visa debit card (or the four-digit one on the front of your American Express), even if you didn’t know what it was called. Well, this number has a name – CVV (Card Verification Value).
And, as it turns out, it benefits not only customers – but merchants, too.
CVV checks can help your business detect and prevent payment fraud, avoid chargebacks, and remain compliant with the payment industry’s strict data handling standards. But how?
Read on to find out. We’ll explain what a CVV number is, how it works, when you should ask for it in an online transaction – and what you should do with the CVV when you’re done.
CVV stands for Card Verification Value. It’s a security feature that allows you to verify credit and debit card transactions you accept online, over the phone, or via mail order.
Because every CVV is unique to each customer’s card and account holder, CVV checks are an excellent way of verifying the legitimacy of a debit or credit card transaction. Essentially, CVV checks tell you that the customer actually has access to the card they’re using to make a purchase from your business – and that they’re not using stolen debit or credit card data.
There are different types of CVV, which include:
The acronym CVV is also Discover’s version of CVV2 – the code on the back of the card, not the one encoded into the magstripe – and is not to be confused with CVV1. (Confusing, we know!)
For a handy, at-a-glance guide to the different acronyms each card scheme uses, see below:
CVV is a key aspect of credit card processing – here’s how it works in a typical online transaction.
Credit and debit cards contain CVV codes for a range of reasons, which include:
A CVV’s main role is to check whether the person attempting to make a purchase is authorized to use the card they’re attempting to do so with.
This way, a CVV check helps avoid fraudsters using stolen debit or credit card details – which they may have purchased from hackers on the Dark Web, who in turn obtained them through a data breach or targeted attack – from transacting with your business. Even if a hacker has gained access to a cardholder’s card number and personal details (including your name and billing address), they’ll still struggle to use that card to transact without a CVV.
By doing this, CVV numbers help you prevent several different types of payment fraud (especially card-not-present fraud). To learn more about how to detect and prevent fraud, our comprehensive guide offers everything you need to know.
You should ask for the CVV when processing card-not-present transactions: so, those you accept over the phone or online (be that through your website or mobile app).
Do this at the checkout stage, at the same time you ask for the customer’s personal information and other credit or debit data. This will help minimize any potential friction. For phone orders, you can verbally request the CVV from your customer, before entering it directly into your virtual terminal. (If you write it down anywhere for security, be sure to securely destroy the piece of paper as soon as the transaction is complete – we’ll explain why shortly)
If you offer a subscription- or membership-based service that processes recurring payments, you should request a CVV check every time you process a new payment. Used in combination with a real-time account updater, this will help confirm the continued validity of your returning customers’ cards, and drive down the likelihood – and risks – of unauthorized charges.
Running diligent CVV checks can help your business avoid the financial and reputational losses that chargebacks – and, worse, chargeback fraud – cause.
Chargebacks happen when your customer, having made and received an order from your business, disputes the transaction with your bank. Sometimes, this can be ‘friendly’ fraud – where the customer, perusing their bank statement, simply doesn’t recognize or remember the purchase. It can also be a purposeful (and fraudulent) attempt to claim free goods or services by claiming they didn’t arrive, or that they did so in a faulty or misleading condition.
In those cases, CVV checks can’t help you, because it’s the legitimate cardholder responsible for the chargeback. However, CVV checks can help you avoid chargebacks that result from unauthorized transactions. These happen when a fraudster illegally obtains a cardholder’s details, and uses them to make a purchase from your site.
Discovering the fraud, the legitimate card owner raises an equally legitimate dispute – which, when the bank rules in their favor, will leave you out of pocket for the inventory and the purchase amount, plus a chargeback fee on top.
By confirming that the cardholder is actually in possession of the card, CVV checks can protect you from chargebacks that happen as a result of cardholder theft. Which, while not the whole battle, is at least one potent part of a complete payment fraud detection arsenal.
After a transaction is complete, you should delete your customer’s CVV information.
Under no circumstances should you hang on to CVV data – whether electronically, in paper format, or in any other logs, databases, or storage systems.
Keeping hold of CVV data isn’t permitted by the major card schemes, and doing so will cause you to run afoul of PCI DSS (Payment Card Industry Data Security Standard) regulations. These govern how merchants handle all the sensitive cardholder information bundled up in a transaction – and that includes not holding onto it once that transaction is complete.
Every single merchant processing debit and credit cards must be PCI compliant. What level of PCI compliance you must obtain depends on the extent of the involvement you have with customer data. If you use a payment processor such as Checkout.com, for instance – which has Level 1 PCI compliance, the highest possible – we’ll generally handle that for you.
This simplifies your PCI duties (which involve filling out often lengthy self-assessment questionnaires, or SAQs). And means there’s less chance of you inadvertently retaining CVV information after a transaction, thus risking fines – and the big reputational hits that come with.
CVV numbers are an integral part of accepting debit and credit cards at your business – and doing so in a way that minimizes fraud’s impact on you, and your customer.
However, CVV is just one part of a credit card processing strategy that needs to be optimized to your business’s unique needs and circumstances. This includes accepting a wide range of payment methods – including local and alternative ways to pay – and being able to do so online and via mail order/telephone order (MOTO).
You’ll also need to consider CVV alongside other fraud prevention tools – such as Address Verification Service (AVS), 3D Secure, and biometric verification – and how strategies like payment tokenization and machine learning can keep you one step ahead of the fraudsters.
Fortunately, these are all areas Checkout.com can help you in. Our Fraud Detection solution combines dynamic, AI-driven tools to boost authorization rates and reduce false declines, while constantly learning, improving, and drawing on the latest data to safeguard your business.
What’s more, we can process your transactions in over 150 currencies: helping you drive down cart abandonment rate by letting your customers pay the way they want to.
This barely scratches the surface, though. To dive deeper, get in touch with our team of payment experts today to learn more, and for a friendly, no-obligation conversation about CVV, fraud prevention – and the wealth of benefits Checkout.com can offer your business.