From remote transaction outlier to most vital card data - the humble CVV
Issue 219 | 13 December 2021
Thanks as well to the existing subscribers that I met at these events for the positive and encouraging feedback about my newsletter (it’s much appreciated) - please share Payments:Unpacked amongst your networks - just one share makes a real difference!
This week we feature a guest blog by Cyril Lalo, Founder & CEO at ellipse inc. In his blog Cyril explores the rise of the Card Security Code - charting a journey from remote transaction outlier to most vital card data.
From remote transaction outlier to most vital card data
Over the past 20 years, Card Security Codes (also known as CVC2, CVV2) usage has greatly expanded from confirming genuine cardholders to securing eCommerce transactions, eWallet enrollments, and profile management, to name just a few. The Card Security Code has become the initial verification key on which the security of recurring or future transactions depends.
This evolution has rendered the Card Security Code the most important piece of card data. Until recently, the imprinted CVV or CVC value remained identical during the entire three-to-five-year lifetime of the card.
The advent of the Dynamic Card Security Code at the card level has brought a necessary, overdue technology update.
Little known facts about the Card Security Code
The Card Security Code is a 3 or 4 digit number imprinted on the front or the back of a payment card.
Unlike other information on the card, the effectiveness of the Card Security Code relies on the PCI DSS rule prohibiting its storage. Merchants who require the Card Security Code for Card Not Present transactions are prohibited from storing it once the individual transaction has been authorized. Therefore, if a database of transactions is compromised, the Card Security Code will not be among the compromised material, and the stolen payment card numbers are rendered less useful.
Even for merchants who charge customers’ payment cards on a recurring basis, the Card Security Code is used to verify the initial transaction and the merchant may rely on this verification for future transactions for which the Card Security Code will not be required.
Increased usage & applications of the Card Security Code
As depicted in the graphic above, with the increasing reliance on the Card Security Code by the eCommerce ecosystem and the payment industry, it has come to be utilized as a nearly universal identifier, and the gatekeeper to downstream services and transactions.
The Card Security Code was originally introduced to secure Mail Orders and Telephone Orders (MOTO) where merchants were unable to physically verify the payment card. The scope of the Card Security Code soon expanded beyond this original purpose.
Initially, eMerchants collected the payment card information from the consumer and transmitted it to the issuer with every transaction and did not store any card information.
Later, merchants began storing the consumers’ payment card information without the Card Security Code and requested it for each transaction to confirm the cardholder was in possession of the card.
As the internet became the primary modality for Card Not Present transactions, customers began to store payment card information on their web browsers and were required to enter the Card Security Code for every transaction to confirm card ownership.
With the introduction of eWallets, the Card Security Code is requested from the card holder at the time of enrollment by the eWallet sponsor (Google, Apple Pay, etc.) and is then requested again when the card holder changes or replaces his/her phone or sometimes after an important phone OS update.
Today the Card Security Code is also used as an identity credential. If the card holder wants to modify an important element of information in his merchant profile (such as email, phone number, or physical address) the provider hosting this data may request the holder’s Card Security Code for the payment card on file as a means of authenticating his identity. For the same reason, a merchant often requires the Card Security Code during an order upon any request to change the delivery address.
The Card Security Code’s critical role in securing Card Not Present transactions, its expansion into user identity verification, and the resulting sharp increase in the volume of CVV verification requests led to the recent introduction of the Dynamic Card Security Code.
Refreshing the Card Security Code for the digital era
Despite their longevity as a security feature of payment cards, Card Security Codes do have limitations and have become vulnerable to technological change. For example, the ubiquity of camera-enabled smartphones has made it easier for opportunistic fraudsters to photograph the front and back of a cardholder’s payment card and use it for fraudulent Card Not Present transactions. In most cases the cardholder has no reason to be aware of this theft of card information because the card is still in his or her possession. Moreover, because the Card Security Code is static, the stolen card information can be used and reused for fraudulent purposes until the fraud is discovered by the card holder or the card issuer.
Now that the Card Security Code has evolved in the digital arena beyond securing CNP transactions to become a trusted identity credential, changing it from a static to a dynamic format at the card level greatly reduces the opportunity for unauthorized reuse. Once the Card Security Code value is updated, issuers can identify older or expired values and decline transactions accordingly.
Though it is now asked to do far more than the use case for which it was originally intended, more than two decades later the Card Security Code remains the most important data on the payment card and, by migrating to a digital format, it is evolving to become even more effective at deterring the use of compromised card data.
Visa to pilot request to pay bill management platform in UK
The UK's Request to Pay scheme got a massive boost this week with Visa confirming their intention to launch services in Q1 2022. One exciting aspect of this launch is the involvement of Revive Management that have pre-existing relationships with some of the UK's major utility companies.
We truly believe request to pay can help revolutionise the way people pay their bills.
Geoff Boudin, Executive Director, Revive Management
Peter Cornforth over at Answer Pay has been thinking about how Visa’s request to Pay initiative fits with Open Finance. Peter’s view is that one of the aims of Open Finance is proportionate access to data, by third parties, upon customer instruction and Request to Pay is the perfect example of this: A bill payer enrols with a third party payment provider who they want to use for future bill payments; they notify their suppliers; then when the bill is due the suppliers send the third party a very limited data set (plus optionally a pdf invoice) that enables the third party to create the payment instruction for the bill payer to manage and authorise.
Never at any time does the bill payer's third party have access to the customer's account; they can only pay bills. If we recall how Open Banking started, it was because some innovative FinTechs had persuaded consumers to share usernames and passwords with them so they could screen scrape the customer's account in order to provide their service. This, as we all know, is inherently insecure, so APIs were mandated.
Lo and behold, the same is happening in the utility sector. Wonderbill use screen scraping technology to provide customers a single interface across all of their bill payments. A great concept, but it relies on the sharing of usernames and passwords - yes, really! Hence Request to Pay and the Open Finance revolution: it is coming, and this entry into the market by Visa will be a catalyst to adoption.
New Payments Architecture (NPA) regulatory framework published
The PSR have published their regulatory framework for the New Payments Architecture (NPA) central infrastructure services (CIS) following a consultation on the delivery and regulation of the NPA.
The NPA framework has been developed taking account of responses to that consultation and aims to address risks to competition and innovation in the NPA ecosystem arising from the behaviour of a provider appointed to deliver the NPA CIS.
What is the NPA and why is it important?
The NPA is one of the biggest changes happening in UK payments. It is the payment industry’s proposed way of organising the clearing and settlement of most UK interbank payments in the future. Whether paying employee wages, or transferring money to a friend using internet banking, interbank payments are a key part of everyday life for businesses and consumers alike.
Delivered well, the NPA can help realise the outcomes we want to bring about in payments and facilitate our proposed long-term strategy. By strengthening competition and innovation in payment services and between payment systems, the NPA can help provide better value and effective choice of payment options for people and businesses. The NPA can also improve the resilience of payments and, by enabling more data to be included in payment messages, help reduce fraud.
Pay.UK, the operator of Bacs and Faster Payments, is responsible for delivery of the NPA.
Our role is to monitor Pay.UK’s work to deliver the NPA and, where appropriate, use our powers to assure an outcome that supports our statutory objectives to promote competition, innovation and the interest of service users.
Payment Systems Regulator
The PSR have published a paper entitled: New Payments Architecture (NPA) regulatory framework.
The focus of the framework is:
to set out requirements on both Pay.UK and a central infrastructure services (CIS) provider that will address risks to competition and innovation in the NPA ecosystem
to provide illustrative directions, published to show how the framework could be implemented.
The framework is designed to reduce the likelihood of the potential competition and behaviour risks occurring and help ensure that the NPA delivers outcomes that support our statutory objectives to promote competition, innovation and the interests of service-users.
Summary of requirements on Pay.UK:
be the primary interface and decision-maker for CIS provision
set CIS user prices, and do so using a methodology that has regard to certain pricing principles and is subject to our non-objection
set the rules and standards for NPA CIS, and ensure that these facilitate competition and innovation
ensure that CIS facilitate innovation and competition
ensure that a CIS provider does not use or disclose to any other party, including its affiliates, information and data for anything other than CIS provision
in a timely manner, make available to the market, information and data concerning the provision of CIS that would help facilitate competition or innovation.
Summary of requirements on a CIS provider if it (or an affiliate) has a significant interest in another payment system or in overlay services:
If a CIS provider (or an affiliate) has a significant interest in another payment system, or in overlay services, its CIS functions must be operationally separate from other parts of its (or an affiliate’s) business.
A CIS provider that is subject to this requirement must ensure that the operational separation implemented adheres to certain principles including that provision of CIS is not unduly influenced by a CIS provider’s or an affiliate’s interest in providing services other than CIS.
The PSR have published the regulatory framework now to provide clarity for stakeholders, particularly Pay.UK and potential CIS providers, about their intentions.
Meta (Facebook) extends Novi payments trial to WhatsApp
Meta has extended the pilot for its Novi digital app to WhatsApp, using a stablecoin to enable participants to send and receive money from within chats.
The Novi pilot lets a small number of participants in Guatemala and the US send money to their contacts internationally instantly, securely and fee-free.
The test uses the Pax Dollar (not the Facebook-backed Diem) for transactions, with Coinbase acting as the custody partner.
We often hear that people use WhatsApp to coordinate sending money to loved ones, and Novi enables people to do that securely, instantly and with no fees. Payments will appear directly in people’s chat.
Stephane Kasriel, Novi
To send money, users tap the paper clip icon on Android or the + sign on iOS, select "payment" and follow instructions to log into a Novi account.
Which? calls for banks to pause branch closures
UK banks shut 736 branches this year, according to consumer group Which?, which is calling on lenders to pause further closures.
For several years, banks have been steadily cutting the size of their branch networks as customers migrate to digital channels. Over half of Brits now use mobile banking.
The trend has accelerated during the pandemic, with 736 branches shut in 2021 - a 17% rise compared to the rate in the previous six years.
With 220 closures already lined up for next year, Which? says that it is concerned that lenders may be rushing to shut branches before measures are put in place to ensure customers have access to cash.
Which? is not alone in its concern about branch closures and access to cash; the government, FCA and Bank of England have all spoken out about the issue in the last two years.
Last year, the government committed to legislating to protect access to cash for as long as people need it, after warnings that the system could collapse within two years. The treasury launched a consultation this summer but, although this has concluded, the findings have yet to be published.
If access to cash cannot be ensured, banks should pause closures until it can or legislation is rolled out.
Pret Foundation teams up with Contactless Giving Week
The Pret Foundation has partnered with Contactless Giving Week this December to raise awareness and support cashless fundraising for their work towards breaking the cycle of homelessness.
Earlier this year, over 40 Pret shops were fitted with GoodBox contactless giving devices to raise funds to help to break the cycle of homelessness.
The aim of The Pret Foundation is the alleviation of poverty, hunger and homelessness, and it supports many charities in this sector. This Contactless Giving Week the charity is keen to maximise its fundraising by offering contactless donation points at its 40 locations.
Contactless Giving Week brings individuals, companies and not for profits across the UK together to support charitable campaigns and raise awareness of the importance of contactless giving. This year The Pret Foundation has partnered with the Contactless Giving Week to continue to raise the profile of their contactless fundraising efforts in shops around the UK running from December 6th – 12th.
To find out more search #contactlessgivingweek on social or visit the website – www.contactlessgivingweek.com
It is amazing to see the generosity of the UK public even during this difficult period and we are delighted to be able to support The Pret Foundation this Contactless Giving Week. Offering a simple contactless donation point has been proven to raise more funds as so many potential donors don’t have cash available.
GoodBox Co-Founder & Managing Director Francesca Hodgson
and Nina Allard, Head of The Pret Foundation:
At The Pret Foundation we are dedicated to helping homeless people in the UK, and around world, in the communities local to our Pret shops. We know that this year has been especially difficult for those faced with homelessness. That’s why we chose to partner with Goodbox and Contactless Giving week to encourage Pret customers to support our work through contactless giving.
Source: Contactless Giving Week
(Another) BNPL browser extension - this time it's Klarna.
With BNPL still mostly limited to online purchases, Butter is innovating through the introduction of a physical card.
French and Swiss central banks hail completed wholesale CBDC trial.
The development of Irish money transfer app “Yippay” by Ireland’s high street banks to compete with digital banks has hit a snag after it was announced that the Competition and Consumer Protection Commission (CCPC) would launch an investigation.
Issue 218: Agency Banking: Holding customers back
Issue 216: Which country leads real-time payments?
Issue 215: Accessing our cash
The Payments Association
Congratulations to the new members of The Payments Association’s Advisory Board:
Silvia Mensdorff-Pouilly, SVP & Head of Europe Banking & Payments Solutions, FIS
Mark Nalder, Head of Payment Strategy & Service, Nationwide Building Society
Kamran Hedjri, Group CEO, PXP Financial
Manish Garg, Founder & CEO, Banksly
Mandy Lamb, Managing Director UK & Ireland, Visa
Mitch Trehan, UK Head of Compliance and MLRO, Banking Circle
More: The Payments Association.