Explore essential security practices for card payments, emphasizing CVV and CVC numbers' role in preventing unauthorized transactions
Despite the rise of more modern payment methods, like digital wallets, traditional debit and credit cards continue to reign supreme in most regions.
Forbes reports that 70% of U.S. adults prefer card payments over other options. Globally, 53% of consumers still prefer using cards for in-person purchases.
Cards aren’t going anywhere anytime soon, making it critical for merchants to keep these payment methods secure. CVV and CVC numbers are an essential part of card security, aiding in the validation of cardholder information during card-not-present transactions.
CVC (Card Validation Code) and CVV (Card Verification Value) are comprised of three to four digits used to authenticate online or over-the-phone transactions. All of the major card networks include a CVC/CVV on their cards. Visa, Mastercard, and Discover feature a three-digit number on the back of their cards, located to the right of the signature strip. American Express places a four-digit number on the front of the card, usually above the card number.
These codes act as an additional element to prevent a stolen card number (aka PAN) from being used in card not present transactions to prove that the physical card is in the possession of the consumer making the purchase. Think of it as an extra layer of protection for card not present purchases.
Customers do not have to provide their security code when completing a card present payment, as the data proving a real card is captured by the mag stripe if swiped or from the chip in a tap or insert (aka dip) transaction. In card present transactions additional factors for ownership are with a customer signature (primarily in the US) or with a PIN in global markets. Unlike other cardholder information—such as the card number, billing address, or expiration date—security codes cannot be stored in any payment system.
For one time payments or the first card on file transaction, merchants can store most customer payment information but must still request the customer’s CVV/CVC number at checkout when they use a card. After the first customer-initiated transaction (CIT), card-on-file (CoF) transactions are allowed without CVV verification on subsequent transactions. Merchants may ask for CVV as an additional security measure on CoF transactions but it does increase friction and is commonly used when the merchant suspects an account compromise and needs to confirm the actor is the real card holder.
Generally speaking, the only true difference between the two terms is which card network issued the physical card. Each network can use a slightly different form of these security codes. A CVV is most commonly associated with Visa, while a CVC is often associated with Mastercard.
For networks like Discover and American Express, the security code can sometimes be referred to as the Card Identification Number, or CID for short.
All of these codes function the same, no matter what the networks call them.
Because of the factors discussed above where CVV and CVC codes are used to prove possession of the card, regulators consider these codes to be sensitive authentication data, which the PCI DSS prohibits merchants from storing after transaction authorization.
Additionally, PCI standards require merchants to completely remove all security codes from their payment systems after the completion of a payment. According to official PCI documentation:
“Merchants and their service providers should contact their acquirer (merchant bank) or the payment brands directly, as applicable, for guidance on how to process recurring or card-on-file transactions without requiring transmission or storage of the prohibited data.”
Adhering to the PCI DSS is vital, as non-compliance can lead to strict limitations placed on a merchant’s payment system, as well as hefty regulatory fines.
As new digital threats continue to crop up every year, card fraud remains a significant concern for merchants managing payment systems. Data breaches and phishing attacks can put even the most secure systems at risk, making it a necessity to continue using CVC and CVV numbers to prevent unauthorized transactions in online environments.
For Spreedly clients, our Stored Credentials solution gives you the freedom to send stored credential data to a select number of gateways. We can handle the storage and sending of card network information on your behalf, enabling the seamless use of payment methods between different gateways. After the first customer-initiated transaction, the card scheme can return a network transaction ID that can be used for future merchant-initiated transactions.
Tokenization also exists as a viable alternative to more easily store customer information.
Tokenization enables merchants to store customer payment information securely by replacing the card’s primary account number (PAN) with a randomly generated code known as a token. The tokens require a Cryptogram for card authentication and are required only for the first CoF or subscription payment, after which it is not needed for subsequent transactions.
Network tokenization is a specific form of this technology in which the tokens are maintained and updated by the card networks themselves, ensuring all information remains up-to-date and usable with no extra intervention from the merchant or their customers.
The rise in popularity of digital wallets also gives customers a secure means to store their card payment information without having to enter it into a merchant’s payment system. Enabling digital wallet payments (i.e. Apple Pay, Google Pay, etc.) can be a good option for businesses who want to avoid the hassle of dealing with CVV and CVC codes.
At Spreedly, our open payments platform offers solutions like network tokenization and advanced vaulting to keep your stored payment information safe and compliant.
With our platform, you can connect to as many payment service providers as you need to meet customers expectations around the globe, all while keeping your online checkout environment highly secure.
Request a demo of Spreedly today.