Card fraud has a new home. Just a few years after the prolonged and pricey switch to EMV chip cards, fraud has migrated from purchases where the card is physically swiped to transactions where the card is not present. The shift means that U.S. banks might be on the cusp of yet another move in card technology.
EMV chips were so successful in curbing cases of fraud where the card was swiped that fraud evolved. Fraud is 81 percent more likely to occur today in “card-not-present” transactions that take place over the phone or internet rather than it is at the point of sale, according to the 2018 Identity Fraud Study by Javelin Research.
Technology has evolved to combat this theft. One new solution is to equip cards with dynamic card verification values, or CVVs. Cards with dynamic CVVs will periodically change the 3-digit code on the back of a credit or debit card, rendering stolen credentials obsolete within a short window of time. Most cards with dynamic codes automatically change after a set period of time—as often as every 20 minutes. The cards are powered by batteries that have a 3- to 4-year lifespan that coincides with the reissuance of a new card.
Several countries including France, China and Mexico have already begun adopting the technology, but the rollout in the United States has been more limited. The new Apple Card, issued by Goldman Sachs Group, boasts dynamic CVV as a key security feature. PNC Financial Services Group also launched a pilot program with Motion Code cards in late 2018.
Bankers who remember the shift to EMV might cringe at the thought of adopting another new card technology. But dynamic CVVs are different because they do not require merchants to adopt any new processes and do not create extra work for customers.
But one challenge with these more-secure cards will be their cost. A plastic card without an EMV chip cost about 39 cents. That cost rose to $2 to $3 a card with EMV. A card with the capability for a dynamic CVV could cost 5 times as much, averaging $12 to $15.
But advocates of the technology claim the benefits of eliminating card-not-present fraud more than covers the costs and could even increase revenue. French retail bank Société Générale S.A. worked with IDEMIA, formerly Oberthur Technologies, to offer cards with dynamic CVVs in fall 2016. The cards required no change in customers’ habits, which helped with their adoption, says Julien Claudon, head of card and digital services at Société Générale.
“Our customers appreciate the product and we’ve succeeded in selling it to customers because it’s easy to use.”
He adds that card-not-present fraud among bank customers using the card is “down to almost zero.”
Eliminating card-not-present fraud can also eliminate the ancillary costs of fraud, says Megan Heinze, senior vice president for financial institutions activities in North America at IDEMIA. She says card fraud is estimated to cost banks up to $25 billion by 2020.
“A lot of prime customers ask for the card the next day. The issuer then has to get the card developed—sending a file out that has to be printed—and then it's FedExed. The average FedEx cost is around $10. The call to the call center [costs] around $7.50,” she says. “So that's $17. And that doesn't even include the card.”
What’s more, dynamic CVVs could also create a revenue opportunity. Société Générale charges customers a subscription fee of $1 per month for the cards. The bank saw a more than 5 percent increase in new customers and increased revenue, according to Heinze.
Still, some are skeptical of how well a paid, consumer-based model would fare in the U.S. market.
“The U.S. rejected EMV because it was so expensive to do. It was potentially spending $2 billion to save $1 billion, and that's what you have to look at with the use case of these [dynamic CVV] cards,” says Brian Riley, director of credit advisory service for Mercator Advisory Group. “If it tends to be so expensive I might want to selectively do it with some good customers, but for the mass market there's just not a payback.”
Still, dynamic CVVs are an interesting solution to the big, expensive problem of card-not-present fraud. While some institutions may wait until another card mandate hits, adopting dynamic CVV now could be a profitable differentiator for tech-forward banks.
Potential Technology Partners
Idemia’s Motion Code technology powers cards for Société Générale and is being piloted by PNC and WorldPay.
Gemalto’s Dynamic Code Card hasn’t been publicly linked to any bank or issuer names, but the company cites its own 2015 Consumer Research Project for some impressive statistics on customer demand for dynamic CVV cards.
SurePass ID offers a Dynamic Card Security Code. The company’s founder, Mark Poidomani, is listed as the inventor of several payment-related patents.
FiTeq’s dynamic CVV requires cardholders to push a button to generate a new CVV code.
Visa and Mastercard
Visa and Mastercard are leveraging dynamic CVV codes in their contactless cards
Learn more about the technology providers in this piece by accessing their profiles in Bank Director's FinXTech Connect platform.