Should You Use the Card Security Codes: CVV2, CVC 2 and CID?
Credit card security codes are used by all four major U.S. payment card brands to help their merchants prevent e-commerce fraud. The underlying idea is that, by being able to provide the security number that is printed on the card she is using to make a payment online, the customer proves that she is in physical possession of the card at the time the transaction is taking place. As these numbers are not encoded into the card’s magnetic stripe and merchants are not allowed to store them in their transaction logs, criminals are having a much harder time getting their hands on them, which is what makes using them so valuable. And that’s why you should ask your customers to provide their cards’ security codes at your own website’s checkout.
Now, there is no universal standard governing the use of card security codes and each payment network maintains its own set of rules. However, these are all quite straightforward and anyway, they have more things in common than differences as will become evident if you keep reading. Many merchants still refuse to include a security code field in their online checkout forms, because they believe that doing so may confuse some of their customers or otherwise put them off and lead to lost sales. I believe that this fear is unfounded and that a merchant stands to lose more from not asking for the code than she stands to gain from it. Hopefully, by the end of this post, you will have come to agree with me.
What Are the Card Security Codes?
Once again, the security codes are used to help verify that a customer is in physical possession of her credit or debit card during a non-face-to-face transaction. As these numbers are not to be found in the card’s magnetic stripe, they cannot be “read” by a point-of-sale (POS) terminal and are therefore not used in face-to-face transactions.
The security codes are given different names and abbreviations by the various payment networks and are placed at different locations within their cards, as noted in the table below:
Card Brand | Security Code | Description and Location |
Visa | CVV2 — Card Verification Value 2 | The last three digits of the number printed in the signature panel on the back of the card. |
MasterCard | CVC 2 — Card Verification Code 2 | Same as above. |
Discover | CID — Card Identification Number | Same as above. |
American Express | CID — Card Identification Number | The four-digit number located above the card number on the front of the card. |
Now let’s look into each individual brand. First, here is Visa’s CVV2:
Here is MasterCard’s CVC 2:
Here is American Express’ CID:
And finally, here is Discover’s CID:
How to Use the Card Security Codes?
As already noted, each brand maintains its own security standards, but for the sake of simplicity, I will now give you an outline of a card transaction process, which will broadly apply to each one of them. If you look hard enough, you may find some inaccuracies when my process is applied to any given network, but these will be insignificant and, at any rate, they will not change anything when it comes to the way card security codes are used for fraud prevention purposes. Look at this as just a simplified model, not necessarily a point-by-point description, of how the transaction process works.
It is best, I think, to outline the basic fraud prevention guidelines and best practices for card-not-present transactions as a whole, as it is difficult to separate one element from the others. So here they are:
1. Authorize all card-not-present transactions. Authorization is required on all non-face-to-face transactions, without exception, as they are considered “zero-floor-limit” sales. An authorization approval should be obtained before any merchandise is shipped or service performed.
2. Ask for the expiration date. Although it is not as absolutely mandatory as the authorization requirement, you should ask your customers for their card’s expiration, or “Good Thru”, date and include it in your authorization requests. Including the expiration date helps verify that both the card and transaction are legitimate. An e-commerce or MO / TO order containing an invalid or missing expiration date may indicate a counterfeit card or an unauthorized use.
3. Ask for the security code. This is the item in which we are particularly interested right now, so I will spend some more time on it. Here is how security codes should be used in the transaction process:
- Ask your customer for her security code. Do not use any of the abbreviations in the table above, as she may or may not know what they mean. Instead, your website should offer help locating the code on the card for the different brands or, if taking a phone order, just tell your customer where she should be looking for it.
- Include the code in the authorization request. This should be an automated process, but check with your processor to make sure it is part of it, along with all other transaction data (the account number, card expiration date, cardholder name and address, etc.).
- Include a code indicator. One of the following indicators should be included in your authorization request, whether or not you are submitting a security code as part of it:
Security Code Presence in Authorization Request | Indicator |
You have not included the code | 0 |
You have included the code | 1 |
Customer has stated code is illegible | 2 |
Customer has stated code is not on the card | 9 |
- Examine the response and take action. After you’ve received an authorization approval, examine the security code response and take action based on all transaction characteristics. Here is a list of possible responses and recommendations of how to proceed.
Response Code | Recommended Action |
M — Match | Proceed with the transaction (as long as no other transaction characteristic raises suspicions). |
N — No Match* | This response code should be seen as a sign of possible fraud. Hold the order for further verification and examine all other potentially suspicious transaction characteristics. |
P — Not Processed | This response indicates a technical problem or the request did not provide all the information needed to validate the code. Resubmit your authorization request. |
S — Security code should be on the card | Follow up with your customer and make sure that she checked the correct location for the code (see above). |
U — The issuer does not participate in CVV2 or CVC 2 | Specific for Visa and MasterCard, as both American Express and Discover issue their own cards and therefore cannot possibly not participate in their own programs. Evaluate all available information and decide whether to complete the transaction or investigate further. |
*If your authorization request is approved, but the code response is a “No Match”, you are protected against fraud-related chargebacks.
- Check with your acquirer. Your acquirer may be using a different set of response codes, so make sure you have the relevant information.
4. Use the Address Verification Service (AVS). AVS allows e-commerce and MO / TO merchants to check a cardholder’s billing address with the card issuer. An AVS request includes the cardholder’s billing address (street address and / or ZIP or postal code) and can be transmitted in one of two ways: as part of an authorization request, or by itself. AVS checks the address information and provides a result code to the merchant, which indicates whether the address given by the cardholder matches the address on file with the card issuer.
AVS can only be used to confirm addresses in the U.S. and Canada. In other countries, card issuers are not required to participate. Whether an AVS request is processed as part of an authorization request or without it, the process is as follows:
- When a customer is placing an order:
- Confirm the usual order information.
- Ask your customer for her billing address for the card being used: the street address and / or ZIP or postal code. Make it clear that the billing address is where the customer’s monthly statement is sent.
- Enter the billing address and the transaction information into your authorization request and process both requests at the same time.
- The card issuer will make an authorization decision separately from the AVS request and will compare the cardholder billing address as provided with the one on file for that account. The issuer will then return both the authorization response and an AVS response code result that indicates whether the address given by the cardholder matches the address on file or not. Just as is the case with the responses to your security code request, you should carefully examine the AVS response and take appropriate actions, as suggested in the table below:
AVS Response Code (U.S.) | AVS Response Code (International) | Explanation |
X — Match (MasterCard only) | D, M | The address and nine-digit ZIP code match — if no other fraud services raise any suspicions, you should process the transaction. |
Y — Match | | The address and five-digit ZIP code match — follow the above instructions. |
A — Partial Match | B | The address matches, but the ZIP code does not — a sign of potential fraud. You may want to investigate further before making a decision. |
Z — Partial Match | P | The ZIP code matches, but the address does not — a sign of potential fraud; follow the above instructions. |
N — No Match | N | Neither the address nor the ZIP code match — a strong sign of fraud. You should take additional steps to investigate the transaction. |
U — Unavailable | G, I | The card issuer’s system is unavailable and the address cannot be verified. You need to make a decision on whether to process the transaction without AVS or not. |
R — Retry | R | The card issuer’s system is unavailable — you should try again later. |
S — No AVS Support | U | If the card issuer does not support AVS you will have to make a decision on whether to process the transaction or not based on other criteria. |
C — Non-Compatible | | The street address and postal code were not verified due to incompatible formats. (The acquirer sent both the street address and postal code.) |
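An added example (not from the original post and not any processor's API) that ties steps 3 and 4 together: it picks the presence indicator, keeps the security code out of anything meant for logs, and combines the security code and AVS responses into one action. The field names, the action labels, the "most cautious action wins" ordering and the handling of AVS code C are assumptions of this example.

```python
import re

# Code length per brand, from the page's first table (the Amex CID has four digits).
CODE_LEN = {"visa": 3, "mastercard": 3, "discover": 3, "amex": 4}

def build_auth_fields(brand, code=None, customer_says=None):
    """Return (fields, log_safe). Field names are hypothetical placeholders;
    customer_says is None, "illegible" or "absent"."""
    if code:
        if not re.fullmatch(r"\d{%d}" % CODE_LEN[brand], code):
            raise ValueError("wrong security code format for " + brand)
        fields = {"code_indicator": "1", "security_code": code}
    elif customer_says == "illegible":
        fields = {"code_indicator": "2"}
    elif customer_says == "absent":
        fields = {"code_indicator": "9"}
    else:
        fields = {"code_indicator": "0"}
    # The code may not be stored, so the copy intended for logs omits it.
    log_safe = {k: v for k, v in fields.items() if k != "security_code"}
    return fields, log_safe

# Security code response -> action label (labels are this example's own).
CODE_ACTION = {"M": "proceed", "N": "hold", "P": "resubmit",
               "S": "ask_customer", "U": "review"}

# AVS response -> action, U.S. and international codes together. The page gives
# no action for C; treating it as unverified ("review") is an assumption.
AVS_ACTION = {c: action
              for codes, action in (("XYDM", "proceed"), ("AZBP", "review"),
                                    ("N", "hold"), ("UGISC", "review"),
                                    ("R", "resubmit"))
              for c in codes}

# Most cautious action wins when the two checks disagree.
PRIORITY = ["hold", "resubmit", "ask_customer", "review", "proceed"]

def decide(approved, code_resp, avs_resp):
    """Combine the authorization result with both response codes."""
    if not approved:
        return "decline"
    # Codes missing from the tables (acquirers may use their own) go to review.
    actions = [CODE_ACTION.get(code_resp, "review"),
               AVS_ACTION.get(avs_resp, "review")]
    return min(actions, key=PRIORITY.index)

if __name__ == "__main__":
    fields, log_safe = build_auth_fields("amex", "1234")   # constructed sample
    print(log_safe, decide(True, "M", "Y"), decide(True, "N", "Y"))
```

As the post notes, your acquirer may use a different set of response codes, so the two mapping tables are the part to replace first.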
Should You Go through All the Hoops?
Now, you may argue, as many do, that this is too complicated a way to process a credit card transaction. Requesting so much information and using so many fraud prevention services, you may say, can do more harm than good. And I’ve talked to merchants who’ve told me that they’ve experimented with turning those services on and off to see how that affects the rate of completed payments. What they’ve found, perhaps unsurprisingly, is that the more information you request from a customer, the less likely it is that she would go through the process and make a payment.
So there seems to be a trade-off between sales conversion and fraud protection. Some of the merchants I’ve talked to have concluded that, by taking one or more of the security checks out of their transaction process, they’ve increased the sales conversion rate enough to more than make up for potential losses from fraudulent transactions. Consequently, they’ve decided to keep those additional checks out of their systems.
Well, I guess this would be a decision you alone should make. It is true that, in the end, it is all a numbers game and, as long as you are willing to tolerate otherwise preventable chargeback- and fraud-related losses, well, that is your prerogative. Of course, it would become a real issue if you can’t keep chargebacks under control and your acquirer takes notice, but, apart from that, you are free to do whatever you want.
The Takeaway
I should add that there are studies which have shown that e-commerce and MO / TO merchants who do include security code validation in their authorization requests generally reduce their fraud-related chargeback rates. And by now, I think, cardholders have become comfortable enough with using security codes, so as not to be put off by such requests. In fact, I’d go a step further and suggest that, unless your sales strategy revolves around generating impulse sales, where you might be afraid that any extra layer of information you request is increasing the likelihood that your customer would reconsider her buying decision, asking for the card’s security code can do no harm.
Now, I’m not saying that there is anything wrong with relying on impulse sales, quite the contrary. What I’m suggesting, instead, is that there is no one-size-fits-all solution and you should make your decision based on your particular circumstances. What is good for, say, Amazon, may not necessarily be good for you and vice versa.
Image credit: Flickr / Images_of_Money.
If Best Buy and numerous other databases have been hacked, what is the probability the CVC etc. codes are stolen with the complete data for each customer who has used his/her card to make a purchase? Everything is now ready to nail each on the used by unscrupulous persons. We do have a few in America.