As card-not-present fraud plagues the payments industry, dynamic CVVs could become a more important fraud-fighting tool.
Instead of a static three- or four-digit card verification value on the back or front of a payment card, dynamic CVV technology creates a new code periodically, making the card harder to steal. This helps offer greater protection against unauthorized purchases.
"It makes it almost as secure as EMV [chip cards], if not the same," said Itai Sela, president and chief executive of B2 Payment Solutions and an officer on the U.S. Payments Forum's Steering Committee.
Here's what banks need to know about dynamic CVVs.
How does the technology work?
Vendors have taken different approaches to dynamic CVVs. Technology from Ellipse World integrates a chip into a debit or credit card, allowing a new security code to be generated each time a card is tapped, dipped or triggered with a mobile app. Combined with additional authentication, this renders any compromised card data unusable for future purchases with each change of the code. This option requires issuers to upgrade their physical cards, which can be used anywhere traditional credit and debit cards are used.
Another option is from Keyno, which requires cardholders to download and use a mobile app to obtain a dynamic code for online and in-app purchases. The dynamic code is valid for a short time and changes continually, protecting consumers' card details from online thieves. Once dynamic codes are enabled, the static CVV printed on a consumer's card can no longer be used. Keyno's technology works with already issued credit, debit and prepaid cards.
Why might banks consider dynamic CVV technology?
Banks are always in the market for effective fraud-fighting tactics, and dynamic CVVs are one option.
"Any dynamic data is inherently more secure than static data," according to a 2022 blog from Chargebacks911. Imagine a fraudster gains access to a cardholder's information. If that card information includes a static CVV, the fraudster only needs to know that one code. However, if the CVV changes every 30 to 60 minutes or changes after each use, it will be much more difficult for the fraudster to commit fraud, according to the blog.
Banks might want to consider adopting the technology for high-risk accounts. This could include customers with very high CNP transactions, said Brian Riley, co-head of payments at Javelin Strategy & Research. Corporate virtual cards could be another viable use case, he said.
While they don't have liability for CNP fraud, some banks might be interested in the dynamic CVV option as a way to avoid the cost and hassle of card re-issuance, Sela said. In the case of card compromise, consumers may not be able to use their card until a new one is shipped. This could result in them using a different card for purchases, raising the possibility that the bank would lose top-of-wallet status, he said.
Who is using the technology?
While it's been slow to take off with banks in the U.S., the technology is gaining some traction around the world. In Europe, some banks are considering dynamic CVV because it could potentially fit nicely in their EMV 3DS requirements, potentially creating less friction for customers, Sela said.
Last year, Wisecard Technology announced a partnership with Ellipse in Asia, and General Plastic Corp. made the technology available in Argentina, Chile, Paraguay and Uruguay. Thames Technology has also partnered with Ellipse to offer the additional layer of advanced protection for its banking cards.
National Bank of Fujairah said in January 2023 that it was using Keyno's technology to improve cybersecurity and protect customers from fraud and other online threats. Michigan State University Federal Credit Union has also partnered with Keyno to offer the technology to its members. The partnership between Keyno and the credit union led to a 24% increase in the number of cards enrolled, according to a May press release.
Apple also offers a feature called "Advanced Fraud Protection," which users can turn on. This feature means the three-digit Apple Card security code will change periodically after it's been viewed in the Wallet app or after it's been auto-filled from Safari.
What are the barriers to entry?
Cost could be an issue for dynamic CVV adoption, especially if banks have to roll out new cards. With billions of cards on the market, it can run into a very high expense, Riley said.
The idea of an app, though, could be more appealing, since it doesn't require replacing existing card stock. Whatever the solution, it "needs to be the least impactful for the consumer and the issuer," Sela said.
"The question going forward will be: How much benefit do banks see in this?" Sela said. "Is this cheap enough, good enough and does it solve the problem they are looking to solve?"
