Ever wonder why online merchants ask for your CVV? Now that you are a merchant yourself, it’s important to understand what the CVV is exactly and how it works.
CVV stands for Card Verification Value. It is typically a three to four-digit number located on the back of a credit card. Most major credit card companies began requiring CVVs for card-not-present transactions in 2018 because it is meant to be a two-factor authentication layer of protection against fraud.
How a CVV works
In addition to asking for a credit card number and expiration date, most merchants should ask for a CVV as a third layer of protection. CVVs are usually only found on the physical card, so if a customer can give it correctly, they most likely have physical possession of the card. If the input CVV does not match up with the card number, then the transaction will cancel.
While a CVV does not completely prevent against identity theft if one were to lose their card or a thief found another way to obtain the number, it does provide that extra layer of security. It is specifically useful in card-not-present transactions, since it is otherwise hard to verify a customer’s identity and possession of the card without swiping, chipping, or scanning it.
How the CVV helps merchants
The CVV is not only meant to be a useful tool to keep customers safe, however. It protects merchants as well. Fraudulent purchases have continued to increase, especially online, which is why credit card companies began requiring CVV usage in the first place. Currently, the cost of fraud is up 7.3 percent in 2020 from 2019 in the United States. On average, every one dollar of fraud costs retailers $3.36. This can get pretty expensive for businesses.
Asking for the CVV helps protect against such fraudulent activity. It nearly proves that the card is in the physical possession of its owner. This can lower your chances of dealing with frauds and losing money on the deal.
CVVs also help prevent chargebacks, which is the transfer of funds in the opposite direction when requested by the buyer or the card issuer. This usually happens because a purchase was unauthorized, or the issuer notices something unusual about the transaction. A CVV code can’t prevent all chargebacks since they happen for many different reasons, but it eliminates a popular one, which is fraud suspicion. It also helps protect you from “friendly fraud,” which is when the customer claims they didn’t purchase from you, but in fact did—which you can prove thanks to the CVV code.
When you should ask for the CVV
The CVV is a great security tool when it comes to safeguarding against fraud. However, it is not necessary for all transactions. Any time you have the ability to swipe, scan, or tap a credit card, you don’t need the CVV because the card is right there. The magnetic strip or the EMV chip is able to confirm the card. You’ll need the CVV in transactions called “card-not-present” transactions. There are two main types of transactions that fall under this category: manually entered transactions and eCommerce transactions.
Manually Entered Transactions
If you have to enter a person’s card information manually, one of the sections you will have to fill out is the CVV number. This will often happen if you are accepting payment over the phone. Most payment processing systems, including ours, is PCI compliant, meaning it follows the Payment Card Industry regulations. These systems will already have a spot for you to fill in the CVV code.
If you have a presence online, it is vital for you to have a PCI compliant processor that requires a CVV code. Online sales are the most common forms of card-not-present transactions, and without being able to verify the cardholder’s identity, the CVV comes in handy to protect against fraudulent activity. Small businesses in particular are the biggest targets of frauds and identity thieves because they look for vulnerabilities within their online presence.
What to do with the CVV once you have it
Now that you know you should be requiring a CVV code for any card-not-present purchases, it is important to note what to do with it once you acquire it from a customer—or more accurately, what not to do with it. Once a customer has provided their card information, including the CVV, you plug it into your payment processor. After that, your processor should NOT be storing the CVV code, even if it stores, or remembers, other information. This also means that you cannot write down or record someone’s CVV code, even if the customer is a returning one.
According to the Payment Card Industry-Data Security Standard regulations, businesses are prohibited from storing the CVV number at all. This even counts for card-on-file transactions. If you or your business record or store a CVV number in any way, you could be liable in a data breach.
Bottom line for business owners
While the CVV code is marketed as protection for credit and debit cardholders, it is important to acknowledge its role in protecting business owners as well. The CVV number is an added layer that can protect against fraudulent purchases that end up costing merchants a lot of money. The CVV is not entirely foolproof and frauds still have ways of obtaining information and exploiting customers and merchants, but it is one more hoop they would have to jump through. That’s why it is crucial for your business to have a PCI compliant payment processor to not only protect yourself, but also your customers. Check out our available POS software—which includes PCI compliant payment processing—to find a safe system perfect for your business.