Understanding the Role of Dynamic CVV in Digital Fraud Prevention

dynamic cvv card fraud protection
SHARE THIS ARTICLE
X LinkedIn Facebook

Contents

  1. Dynamic CVV Secures Cards From Card Not Present Fraud
  2. How Issuers Can Enable Dynamic CVV
  3. How Dynamic CVV Works
  4. Key Advantages of Dynamic CVV
  5. The Next Step for Issuers

Credit cards remain one of the most preferred and fast-growing payment methods in the US, with total credit card purchase volumes reaching $5.82 trillion in 20231. Credit cards are especially preferred for online payments, and accounted for 32% of all ecommerce payments in the US in 2023.

However, with this growth comes a pressing challenge: the exponential rise in online fraud especially Card Not Present (CNP) fraud. According to a report by the Federal Trade Commission (FTC), credit card fraud topped the list of identity theft types in 2023, with over 400,000 reported incidents of card credentials being misused2

One of the key drivers of this fraud is the reliance on static CVV codes, which can be easily compromised through data breaches, phishing, and malware attacks. Once these static codes, along with other card credentials, are stolen, fraudsters can use them to make online purchases without needing the physical card. 

Globally, CNP fraud losses are estimated to reach $28 Billion by 2026, with the number touching $12.8B for the US. 3

Understanding Static CVV and Its Limitations 

A static CVV (Card Verification Value) is a 3- or 4-digit security code found on the back of payment cards, used to verify card-not-present transactions. It remains fixed for the life of the card and is generated using the following steps: 

  • Input data preparation: The card’s Primary Account Number (PAN) and expiration date are selected as key data points. 
  • Cryptographic key selection: A secret cryptographic key (CVK), unique to the issuer, is used. 
  • Algorithm selection and encryption: The PAN, expiration date, and other data are encrypted using DES/3DES, producing a truncated 3- or 4-digit CVV. 

While static CVVs provide basic security, their fixed nature makes them vulnerable to fraud, especially Card-Not-Present fraud, if the card data is compromised. 

Dynamic CVV Secures Cards From Card Not Present Fraud

Dynamic CVV or dCVV (Card Verification Value) offers a compelling solution to this global problem. By replacing the static CVV number with a digitally renewed random number every minute or so, dCVV effectively neutralizes stolen card data, making it nearly impossible for fraudsters to execute unauthorized transactions. Unlike static CVV that is printed on physical credit and debit cards, a dynamic CVV changes periodically, making it significantly more difficult for fraudsters to exploit stolen card information.  The dynamic CVV can be accessed by the cardholder through various means, including: 

  • A small digital display on the physical card itself
  • A mobile banking app that updates with the latest CVV
  • SMS notifications sent to the cardholder’s mobile device
  • A separate hardware token or device that generates the CVV

In the following sections, we explore how Dynamic CVV works, its benefits, and its critical role in safeguarding issuers and consumers against the escalating threat of fraud.

How Issuers Can Enable Dynamic CVV

Issuers can enable dynamic CVV for their card programs by partnering with technology providers offering native support for dynamic CVVFollowing are some of the core capabilities a processing platform would require:

  • Native ability to generate a cryptographically secure dynamic CVV
  • Integration with and certification by card networks (Visa/MasterCard) and to generate Dynamic CVV
  • Ability to manage lifecycle of the dynamic CVV, including customizable expiry and refresh cycles for each cardholder
  • Ability to support user control to enable/disable dynamic CVV from their card app

One of the key capabilities issuers should consider when enabling dynamic CVV for their card programs is giving cardholders the flexibility to use it based on their preferences. Some users may prefer using static CVVs if they make frequent transactions or find logging into an app every time to get the CVV cumbersome. Giving cardholders the controls to disable/enable dynamic CVV and set refresh duration will prevent frustration while allowing them to explore and adopt the feature at their own pace.

The following illustration depicts how a cardholder can enable or disable their dCVV feature on a card issued on Zeta’s next-gen processing platform.

How Dynamic CVV Works

The generation of a dynamic CVV is a highly secure process that uses advanced cryptographic techniques and the following components:  

  • Primary Account Number (PAN): A portion of the card number, typically the last four digits. 
  • Timestamp or Counter: A value that changes periodically based on time or a preset counter, ensuring the CVV remains dynamic. 
  • Cryptographic Key: A secret key, known only to the issuer, critical to secure encryption. 
  • Algorithm: A cryptographic algorithm such as AES (Advanced Encryption Standard) or 3DES (Triple Data Encryption Standard) used to generate the dynamic CVV. 

Dynamic CVV Generation Process:  

  1. Input Preparation: The system combines part of the PAN, a timestamp or counter, and any issuer-specific data. 
  2. Encryption: This input is then encrypted using the cryptographic key and algorithm. 
  3. CVV Extraction: A subset of the encrypted output is extracted and converted into a 3 or 4-digit CVV. 
  4. Formatting: The CVV is formatted to ensure it meets standard length and formatting requirements. 

To finally see the use of the dynamic CVV in a transaction, let’s consider a user’s online purchase journey using his dynamic CVV-enabled credit card. 

Key Advantages of Dynamic CVV

Dynamic CVV offers several significant advantages over its static predecessor:  

  1. Protection against data breach and skimming:  Dynamic CVV makes it harder for fraudsters to misuse stolen card data since the CVV changes frequently. 
  2. Enhanced cardholder trust: The effective security measure can increase cardholder trust in digital transactions, driving top-of-wallet use and higher spends. 
  3. Reduced costs: Issuers can avoid the costs of replacing compromised cards by simply updating the dynamic CVV instead of issuing a new card. 
  4. Reduced fraud losses: As CNP fraud surges, issuers can drive greater acceptability for their cards by reducing fraud losses for merchants, who typically bear the costs of fraudulent CNP transactions.  

The Next Step for Issuers

Issuers need to assess their current security frameworks and take proactive steps to introduce dynamic CVV in their card programs. This isn’t just about upgrading security; it’s about positioning themselves as leaders in fraud prevention, building stronger trust, and reducing the financial impact of fraud on both businesses and consumers. 

Now is the time for financial institutions to evaluate and implement dynamic CVV as part of their offering. Contact us to know how Zeta can power secure card programs for the digital age. 

 

References:

  1.  Nilson, Largest Issuers of General Purpose Credit Cards | February 2024
  2. Federal Trade Commission, US, Consumer Sentinel Network | 2024
  3. Ethoca by Mastercard, 2024 Outlook: Strategic insights for issuers and merchants | 2024
Bharathi Shekar

Bharathi Shekar

Director, Product

About Author

Bharathi Shekar is a Director of Product at Zeta and leads a product portfolio covering payments and data. An engineer turned product manager, he has over 20 years of experience leading product and engineering teams. Bharathi is a passionate and hands-on creator and is credited with 17 patents and 4 defensive publications. Prior to Zeta, Bharathi led product management for companies like Baker Hughes, a GE company and Ola (ANI Technologies Pvt. Ltd.).