Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.


Rob Crutchington, Director at Encoded takes a closer look at the three digits on the back of a card and dispels two common myths around the card verification value (CVV) code

Paying for goods and services with a debit or credit card is now so commonplace that those wielding a fist full of bank notes are often regarded with suspicion. Card payments make life easy but the process behind making them happen is a lot more complex than you might think, with verification taking place every step of the way.  We’re all familiar with giving our card details by telephone or entering them online but what happens next?  There are 14 steps in card authorisation and settlement*, involving merchants, payment service providers, payment gateways, the merchant’s bank, card schemes and finally the customer’s own bank and this whole process can take a minimum one day and often far longer.

Authorisation is essential but how much information is really necessary?

For those paying online or over the telephone there is often one more step required in the authorisation process.  They are asked for the card verification value (CVV) code or three-digit number on the back of their MasterCard or Visa card (four-digits if paying by Amex).  The rationale behind the CVV code is that it is further validation that the customer physically has the card in their presence. But is this true and is it absolutely necessary?

Time to dispel the myths around CVV codes
There are several rumours in the industry which relate to why merchants seem to think the CVV code is necessary.  One thing is for sure it cannot be retained once a transaction has been processed.  Keeping it would contravene the very foundation of the Payment Card Industry Data Security Standard (PCI DSS) which prohibits the storage, hand-written or in computer files, of a customer’s confidential card data. The two most common myths around CVV codes are:

Myth One:  Merchants benefit from reduced interchange fees by using CVV codes in transactions

Many merchants believe that by insisting on CVV codes, they can benefit from a reduced interchange fee based on the transaction being deemed “secure”. The interchange fee is the amount charged by Card Schemes such as VISA to the acquirer for using their services.  However, as of the 1st of March 2015 VISA capped the rate at 0.2% for debit card transactions and 0.3% for credit card transactions across the EU irrespective of whether the transaction included the CVV or not. All mail order telephone order (MOTO) transactions are deemed as non-secure.

Therefore, it is not true that there is any financial benefit from requesting the CVV and given the huge importance PCI DSS places on the CVV, Encoded’s advice is to simply not request it in the first place.  What is true is that by including the CVV code should a dispute or chargeback occur, when a merchant submits a transaction for authorisation, the processor and/or card brands will reduce their fees on the dispute or chargeback. However this small business cost is dwarfed by the PCI DSS costs of protecting it, if accepted.

Myth Two: Merchants conducting repeat transactions need to submit the CVV for the original and all subsequent transactions

Again, this is a myth. There are two ways to conduct such recurring transactions. The easiest way is to use a payment service provider that supplies a reference number from the original transaction and then processes all subsequent transactions using the same number or token. The other option is for an organisation to store the cardholder’s name, account number and expiration date, providing, of course, these details are stored securely either by encrypting them if on a computer, or if using a manual system they are physically secure.

Is it time to ditch CVV codes?
Interestingly, in a country that is often at the forefront of data protection and security, the United State of America does not use CVV codes and we should follow suit.  Until recently VISA Europe and VISA Inc. were two separate organisations.  However in November 2015 VISA Inc. bought VISA Europe for $23.4bn.  As such we can all expect changes in the European payments market to follow the US way of handling card details. In actual fact all that is really required is the 16-digit card number and this can be stored provided it is encrypted and “deemed” unreadable as per sections 3.3 and 3.4 of v3.1 the PCI DSS requirements.

This latest development is good news because, from a PCI DSS compliance perspective, storing cards and making use of automated recurring payments will be much easier.  Eliminating the need to provide CVV codes and partnering with a technology provider which has invested in the top level of PCI DSS compliance and tokenisation technology will go a long way towards simplifying the payment process for customers and protecting them against major security threats such as fraud and cybercrime.  There really is no time to lose to get the right levels of security in place while ditching the three-digit CVV code.