Are the three-digits on the back of a payment card really relevant?

Is it time to ditch the CVV code?

There are a number of myths around the three-digit card verification value (CVV) code found on the back of a MasterCard or Visa card (four-digits on the front if paying by American Express). However, is it time to ditch the code and make contact centre card payments easier? At Encoded we believe it is.

Dispelling the myths around the three digit CVV code

Is the CVV code necessary? At Encoded we say no. It can’t be retained once a transaction has been processed, as this contravenes the Payment Card Industry Data Security Standard (PCI DSS) which prohibits the storage of a customer’s confidential card data and does it really protect the merchant?

Here are two main myths about CVV codes:


Myth One: Merchants benefit from reduced interchange fees using CVV codes

Many merchants believe they benefit from a reduced interchange fee (amount charged by card schemes such as VISA, to the acquirer for using their services) from the transaction being deemed “secure” with CVV codes.

However, in 2015 VISA capped the rate at 0.2% for debit card transactions and 0.3% for credit card transactions across the EU, irrespective of whether the transaction included the CVV or not. Telephone order transactions are deemed as non-secure.

So there is no financial benefit from requesting the CVV, except in disputes or chargebacks, when if the CVV code was included when a merchant submits a transaction for authorisation, the processor and/or card brands will reduce their fees slightly.


Myth Two: Repeat transactions need to submit the CVV for the original and subsequent transactions

This really is a myth because there are two ways to conduct repeat transactions:

  1. Use a payment service provider that supplies a reference number from the original transaction and then all subsequent transactions use the same number or token.
  2. Store the cardholder’s name, account number and expiration date securely either by encrypting or keeping physically secure for a manual system.

Staying PCI DSS Compliant

It might come as a surprise to many that the US, known for its high security, does not use CVV codes and we should follow suit. With VISA Inc having bought VISA Europe last year, we can expect the European payments market to take its lead from the US. In fact, all that is really required is the 16-digit card number and this can be stored, provided it is encrypted and “deemed” unreadable under PCI DSS requirements.

Investing in secure payment and tokenisation technology from an experienced payment service provider will help to keep you PCI DSS compliant and protect your customers against fraud and cybercrime.

There is no time to lose

Now is the time to get the right levels of security in place and ditch the three-digit CVV code. Talk to us at Encoded and be safe in the knowledge that we know what we are talking about when it comes to contact centre and online payment solutions, and PCI DSS.

As you can see it really is at least “a day in the life of a payment” if not longer. What may appear to be a simple case of an amount being taken from your card and a debit appearing on your statement the following month really involves far more than is at first evident.