According to the European Central Bank (ECB) report on card fraud (February 2012), 60% of the value of total card fraud in Europe in 2012 resulted from card-not-present (CNP) payments. Following 2012, CNP fraud percentage of the total card fraud in Europe, according to ECB 2015 Report on Card Fraud, was about the same with a slight increase to 66%.
Card Not Present – CNP transactions are validated by the Card Verification Value – CVV/CVV2 or Card Validation Code CVC/CVC2, a three digit number (for Visa, MasterCard and Discover) or a four digit number (for AMEX) printed with secure characters in the back side of the card, next to the signature panel, together with the last four – 4 – digits of the card number.
CVV2/CVC2 is used as an additional security element to secure eCommerce or mail or phone order transactions to ensure that the cardholder is actually in possession of the card. An obvious security limitation of CVV2/CVC2 is that they are constant for the full life cycle of a plastic card.
A new approach on fighting card-not-present fraud is replacing the static CVV2/CVC2 with a dynamic CVV2/CVC2 that is changing frequently.
Current plastic card manufacturing technology enables the embodiment in the plastic card body of a chip and a mini-screen and in some cases a micro-keypad. The chip generates and the mini-screen displays a code which is automatically refreshed according to an algorithm loaded to the chip. This way the static CVV2/CVC2 is replaced with a dynamic CVV2/CVC2 which is dynamically generated and periodically refreshed.
Dynamic CVV2/CVC2 technology is the same as the One Time Password – OTP technology which widely used in Internet Banking transaction validation.
New code generation refreshing time is defined by the card issuer and can be from one (1) hour down to 30 seconds, automatically generated on pushing a button on the card. Card issuers or their processors use a software application, the dynamic CVV2/CVC2 verification software, which is synchronized with the algorithm and refreshing rules defined in the chips embedded in the cards. Dynamic CVV2/CVC2 generated by the card is verified by the issuer’s dynamic CVV2/CVC2 verification software.
Dynamic Card Verification technology was first introduced by Oberthur Technologies incorporating into its product portfolio technology from acquired, display-card specialist, NagraID Security. Currently several plastic card manufacturers are producing cards incorporating Dynamic Card Verification – One Time Password technology.
VISA and MasterCard as of 2012, have executed several large scale projects in both Americas & ASPAC and recently in EU regions.
[WP] EMV Migration Forum: Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud
[WP] Smart Card Alliance: CNP Fraud - A Primer on Trends and Authentication Processes
[Report] ECB: Report on card fraud, July 2012
[Report] ECB: Second Report on card fraud, July 2013
[Report] ECB: Third Report on card fraud, February 2014
[Report] ECB: FourthReport on card fraud, July 2015
For more information on CubeIQ solutions and services fighting financial fraud please visit www.cubeiq.gr