|Fraud and CVV|
Is CVV just a bunch of hype?
I am considering a shopping cart which will require customers to add their CVV along with their other credit card info. I have heard that CVV is supposed to help reduce fraud. Will it reduce or eliminate bogus orders, or is it just hype.
IMO, both. The CVV is harder to get (for now), but stolen card brokers will adapt. Requiring the CVV will provide another hoop that will provide more protection - for now.
Your merchant account provider has a lot of say in this. Our current provider requires the number and requires a match. No match = declined. It is not optional. I also have discount rates as good as one can ask for. We meet the highest standards, that is part of getting the best rate.
Other providers make the CVV optional. You can ask for it or not; require a match to complete the order or not. Expect to pay higher fees whether actual fraud occurs or not.
Yes, it will reduce bogus orders if required. Users of stolen numbers that do not have the CVV will move on.
IMO, the requirement is good as a temporary measure only. Stolen card numbers is a business. Lots of ways for your CVV to be breached. Just a matter of time until it is SOP for the bad guys; if not already.
I would go with the highest standard available, understanding that that isn't necessarily saying a lot. It it my understanding that the US is way behind the world on CC fraud, but do not claim expertise. Just set the highest standard that you can.
Despite massive fraud, most people still don't care much about it. Plenty of customers that won't give us an email to save their life - but don't blink at giving us access to the rest of their life.
Most of our products/niches fall outside the usual fraud target products and services, so less day-to-day concern than many people here have to deal with.
There's no massive fraud. We haven't taken a bad card in years. There are some fraud ***attempts*** which almost no one falls for.
|We meet the highest standards, that is part of getting the best rate. |
Does "highest" standards mean making perfectly good customers jump thru hoops in order to make purchases? We don't require CVV, we will ship to separate ship/bill addresses, we happily take virtually any USA email domain. Still near-zero fraud rate. Note that we only ship within the USA but even that's not primarily to reduce fraud.
I think it probably has a lot to do with what you sell... We don't have any fraud either, but we sell stuff that is so weird, I can't imagine many crooks having it be on their too-do list, if any. Now if we sold iPods and flat screens, that would probably be a whole different story.
Thanks for the great feedback.
We have not had much fraud, but when you do have fraudulent orders, it's expensive. We are also considering ip address checks as well. With Christmas shopping season coming in a few months, I just want to get everything in order ahead of time.
You have to remember that if the card is physically stolen, the thief will have the CVV number, so it won't help in those cases.
If just the number is stolen, the thief can easily find the real CVV number in a maximum of 999 tries just by brute forcing tries (try at site A with CVV of 000, site B with a CVV of 001, etc.). Once he finds the CVV, he's good to go.
If the credit card companies actually did some sort of tracking of "CVV scanning" like this and creating a fraud alert after x number of attempts and blocking ANY use of that card until verification from the card holder, THEN I might be impressed. But that would actually cost them money to implement a system like that, so it ain't gonna happen. It's much easier/cheaper for them to keep the burden/cost of fraud on the merchants.
Yep, CVV is way overrated as fraud protection. If a merchant has a fraud problem, it needs to enable other anti-fraud protection....any good gateway or processor has a host of good tools. Still, whenever possible, work with a gateway or processor that gives the merchant the choice of whether or not to enable any particular tool rather than making it required. As DBlackwell pointed out, though, not using CVV can cause transactions to downgrade and payment processing costs to be higher.
CVV info can be stolen just like any other type of information. A friend of mine used to sell jewelry online and used to get crushed on fraud orders. He found a fraud prevention company that had a system in place that would flag orders but were manually reviewed as well. If the company gave a thumbs up on the charge and the card wasn't good they would pay for the merchandise as well as the bank fees. If I sold anything high end like jewelry, electronics, etc I would use them. Relying on CVV would be way to risky for me.