Digital Dynamic CVV Codes for Credit & Debit Cards Gaining Traction

Ever wondered what that three-digit or four-digit code on the backside of your credit or debit card is? It is called the CVV (card verification value) code. It is also commonly known as CSC (card security code) or CVC (card verification code). The CVV code is a security feature developed first in the UK, which is not surprising as Europe has always been ahead of the US in payments technology. MasterCard was one of the first card issuers to use it in 1997. CVV code is used as a replacement for PIN (personal identification number) during CNP (card not present) or online transactions to prove the possession of the card with the buyer. However, does CVV or CSC code provide enough security? It is not even mandatory for merchants to enter a CVV code to process the transaction. It has also been proven that CVV codes cannot protect against phishing scams. Once the criminal is successful in his phishing attack for a CVV code, he can make as many transactions as possible using the card details.

Dynamic card verification value (dCVV) or dynamic card verification code (dCVC) technology is the most secure version of a CVV code until now. To overcome the possible risks and fraudulent activities associated with a printed CVV code, NagraID Security (NIDS), the world leader in display card manufacturing announced dynamic card verification value (dCVV) technology in March 2011.

In partnership with NIDS, MasterCard had also announced to help banks issue cards with embedded computer screens to U.S. consumers in 2011. According to NagraID Security’s press release in 2011, this card was already used by banks in Asia and Europe and was about to be launched in the US. In August 2014, Oberthur Technologies, a French digital security company, acquired NagraID Security. In October 2014, it officially launched the first payment card that integrated dCVV technology from NagraID Security (NIDS) and called its product offering Motion Code™. The card has the CVV or CVC code on an e-ink screen on the card that refreshes the code after a specified interval of time. The e-ink technology enables a permanent display without the need to use electricity from the ultra-thin battery embedded within the plastic. Battery is used only for the auto-refresh that happens every hour. The e-ink screen readouts also provide a host of useful information like current balance, available credit, recent transactions, even special messages from banks or coupon codes from merchants to the consumers. However the availability of such additional information is possible in Europe since the cards are wired to bank networks. In US, that is yet to happen.

The good part about Oberthur’s Motion Code™ is that it doesn’t require the merchants to change anything in their system. The end users don’t have to pay differently either. The motion code is seen as a regular CVV code by payment processing networks. For issuers (or their processors), a specific server synchronized with the algorithm and refreshing rules defined in the cards will be needed, and doing so is a part of Oberthur’s offering together with its consulting services, thus enabling a quick implementation.

In September 2015, Banque Populaire and Caisse d’Epargne, one of the largest banks in France, in association with Natixis Payment Solutions and Oberthur Technologies (OT), announced the first pilot of the first payment card integrating Motion Code. Recently Oberthur also announced that BNP Paribas is running a trial of Motion Code™ with 1000 French customers. Oberthur didn’t talk about the user experience from the first pilot. It will be interesting to observe the results of this nascent financial technology in Europe and then in US. It also remains to be seem whether the extra electronics cost in the cards can be supported by the savings from reduced fraud, or whether the issuer banks will need to charge higher interchange for these cards. It is unlikely that consumers can be convinced to pick up the tab for this additional functionality.