Ecommerce transactions are not as secure as in-person transactions. But in a world where not offering ecommerce options to customers is simply not acceptable, merchants have to be as careful as possible when accepting online payments. One common method of ecommerce fraud prevention that merchants can use is to require the card security code at checkout.
The requirement for a security code at an ecommerce checkout is a normal practice for ecommerce merchants. There is a good reason for this. The security code helps merchants prevent unnecessary fraud losses and disputes.
What is Card Security Codes?
A card security code, a card verification code (CVC) or card verification value (CVV), is the three digits printed on the side of the signature strip of a credit or debit card. For American Express cards it is usually the four number code on the front of the card. Online merchants use this code as a way to verify that the customer actually has the physical card.
Depending on the card network, security codes have different names:
Visa – CVV2
Mastercard – CVC2
American Express – CID
Why Use Card Security Codes at Checkout?
Preventing credit card fraud from ecommerce transactions should be a priority for merchants. If a credit card transaction is made by someone that has stolen that credit card number, the true cardholder or issuing bank can initiate a dispute. This results in a true fraud dispute, also known as identity theft. As a result of true fraud, the card account will be closed and a new account number and card will be issued to the true cardholder.
On the merchant side, you receive a dispute that can not be won. Which means merchants lose the revenue from the transaction, have to pay an additional fee, and lose merchandise or services. The reason that true fraud disputes cannot be won, is it is seen as the merchant’s liability only accept card payments from the true cardholder. Therefore, it is the merchants responsible to filter out and prevent purchases from fraudsters.
As you can see accepting a fraudulent transaction can be painful and costly for merchants. But there are ways to prevent true fraud disputes from happening. One way is to require card security codes at checkout.
Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer that gives this number is much more likely to be in possession of the physical credit card. Visa claims that the use of AVS with CVV2 validation for card-not-present transactions can reduce disputes by as much as 26%.
Authorize.net explains, merchants that accept ecommerce, mail-order, and telephone orders must be prepared to request the verification code when the cardholder is not present to help validate a transaction. Even if a merchant cannot confirm the card security number, they can still ask for it, or provide a space for the number at checkout. If the fraudster does not have the number, they could look somewhere else to commit their fraud.
When Should I Require Card Security Codes?
For card present or in-store transaction, it is not necessary to require card security codes. The ability to perform an EMV chip transaction is validation for the physical card. Any time there is a card-not-present transaction is when you should ask for the card security code. This can include online, mail-order, and phone transactions. Most cardholders are familiar with this practice and will not questions why you are asking for this information. In fact, they may become suspicious of a site that does not ask for the code.
Balancing Friction and Security
Merchants have to walk a fine line between making a secure checkout process and make an easy check out process. It is important to find a balance between protecting yourself from fraudulent charges and accidentally turning away legitimate customers with too strict of fraud filters or too lengthy of a check out process. Luckily, asking for the card security code is normal for most cardholders and is a simple way to prevent fraudulent transactions.
Friendly Fraud and Chargeback Fraud
Earlier in the post, I talked about true fraud. It is important to take the necessary steps (like asking for the card security code) to prevent true fraud because those disputes are not winnable. But a dispute with a fraud reason code may not always be what they appear. Some merchants instinctively assume that a fraud dispute results in guaranteed revenue loss because it is a true fraud dispute. But that is not always the case, and merchants should always respond to fraud disputes.
Friendly fraud is when a cardholder simply forgets that they made the purchase or gave authorization to a family member to make the purchase. This can result in them issuing a dispute claiming the charge is fraudulent, even though they did authorize the purchase.
Chargeback fraud is when a customer maliciously disputes a charge to regain the money from the transaction while keeping the merchandise.
Friendly fraud, chargeback fraud, and true fraud may all be filed as a “fraud” dispute. Although true fraud disputes are not winnable, friendly fraud and chargeback fraud dispute are. So it is important to respond to all disputes.
Prevent True Fraud with Card Security Codes
By adding a requirement for a card security code at checkout merchants can prevent true fraud from happening. Adding a card security code adds little friction to the checkout process because most cardholders have come to expect it at checkout.