Preventing Payments Fraud with Dynamic Verification

In the payments industry one of the major ongoing concerns for both issuers and merchants has been fighting fraudulent transactions.

Historically the most known types of fraud for Card-Present transactions (Contact and Contactless) are Counterfeit (cloning a card’s magnetic stripe information onto another) and Lost-stolen (using a valid card without requiring a PIN).

The merchants and issuers, along with the payment brands, have tried to mitigate the fraud risk by enabling EMV (Contact and Contactless) on their terminals and cards, but we know that fraudsters go one step beyond, and they have used Fallback and PIN Bypass to continue doing their “work”.

However, as technology continues to evolve, driving more Contactless and CNP transactions (Card Not Present) new alternatives to verify cardholder transactions have become available, some yielding more success than the others.

Dynamic CVV / CVC

If you have ever paid for something online, you know that most, not all, merchants request customers to enter the following payment card information for credit and debit card transactions:

  • Account Number
  • Expiration Date
  • Cardholder Name
  • Verification Code (CVV2, CVC2, CSC, CVN, CVVC are some of the acronyms used)

The purpose of prompting the cardholder for that verification code is to ensure the person who is trying to pay has physical evidence of possession the card.

Of course, the bad guys realized they needed this info and started copying those verification codes from cards, so card issuers created Dynamic CVV cards.

Card manufacturing companies first began thinking about this technology in the early-2000s, when they invented technology that incorporated a clock (pulse generator), a battery, a secure element (besides the one in the EMV chip) and a tiny electronic display which would show a three to four digit code, depending on card type.  This code would be regenerated every one to two minutes, making card data captures useless.

Why do we not all have these cards in our wallets today? The problem was cost. A card with such technology would elevate the cost of the cards so considerably that many banks would rather forgo the implementation of this technology and live with the counterfeit fraud risk.

Biometrics on a card

Merchants and issuers must react to fraud schemes and methodologies. For instance, PIN has become more vulnerable as recording devices on ATMs, sniffers, and key hit capturing have all become prevalent for fraudsters.  As part of ongoing attempts to innovate, some card manufacturing companies started developing new technologies for cardholder verification, the most advanced of which has been a fingerprint reader on the card.

Similar to cards with a Dynamic CVV display, the card construction would have a few additional technology elements with the primary addition of a fingerprint reader and a biometric engine, which would enable the cardholder to complete a secure, contactless transaction in less than a second.

But (there is always a but), it is not that easily implemented.

The main obstacle, again, is the cost. Implementing this technology on payment cards is not inexpensive, and even when technology prices continue to decrease, adding only a few cents to the per card cost, it becomes an enormous amount of spend when you multiply by the many millions of cards in the market.

(Biometric card construction. www.zwipe.com/product)

Besides that big obstacle, issuers would have to deal with the slow process of fingerprint capture for all cardholders who would be willing to share their biometrics with a big-centralized bank’s database- which is a herculean challenge both in scope, and in getting cardholders to overcome privacy concerns.

There have been similar efforts in the past: Banco Azteca, in Mexico in 2005, launched an EMV product which had biometric information personalized in the chip and allowed cardholders to perform transactions at branches of the bank using a reader held by cashiers. The project was very ambitious and had succeeded locally, even adding the fingerprint readers to ATMs. One important point to mention is that the cost for this card was likely low, as EMV cards had the same materials and construction, with the investment made locally by bank branches. 

The mobile phone finger snap

Have you recently left home without your mobile phone?

Thinking of implementing Dynamic CVV? Many banks around the world have enabled a virtual card that can be used for online purchases with a virtual account number, a different expiration date, and a dynamic CVV for each transaction- all that without issuing a single new card.

As far as biometrics on our mobile devices, it has been several years since the most popular mobile phone brands enabled fingerprint readers on their products, and since that initial foray, they have gone one step beyond and have also enabled iris and face detectors. When you do a contactless transaction with your phone (using Apple® Pay or Google® Pay), the terminal will prompt you to check your mobile device and authenticate yourself, and the biometrics option will always be there, without even pulling your wallet out of your purse or pocket.

What is the best option?

Whenever you have to make a decision as a user, business owner, investor, issuer, or merchant, you must think of what option is best for you. Sometimes, being the “best” does not mean being the most popular.

Many solutions are robust and secure but might be expensive if you are planning to enable them at a large scale. Sometimes cheap for a single unit cost is expensive for wide deployment.

Weigh all your options and select the combination of factors which will be safe, quick, and comfortable for your internal and external clients.

If you are interested on learning more about EMV, cardholder verification and payment products, do not hesitate to contact Victor Madera (vmadera@wcapra.com).