Now we know: CVV/CVCs ARE COMPROMISED AT THE CARD LEVEL!
Updated: Nov 10, 2022
Although 2021 is just over three months old, we are getting data about payment card fraud in 2020 and it suggests some interesting trends. For example, the number of credit cards for sale on the dark web increased to 45 million in the second half of last year. Given the increase in eCommerce during the pandemic, one would intuitively expect greater capture of card CVV/CVC codes by fraudsters.
Surprisingly, only 21%¹ of this stolen card data contained the CVV/CVC card security codes required for eCommerce. This is an all-time low and a significant reduction from the historical rate of 60%¹.
The decline in CVV/CVC code theft allows us to infer that a significant amount of card data compromise is happening at the card level. This means that an individual or machine is capturing the important data elements of a payment card (including the CVV/CVC) at the moment the card is used for an in-person transaction. The card compromise at this Point of Collection could be as simple as a waiter opportunistically snapping a picture of the front and back of the card with their phone, or it could be a more sophisticated scheme.
What made 2020 unique was the lockdown of a significant portion of retail brick-and-mortar businesses (stores, restaurants, etc.). The correlation between the mass closures, the resulting surge in eCommerce, and the dramatic reduction in the number of stolen CVV/CVC codes is too significant to dismiss.
The logical deduction is that CVV/CVC codes sold on the dark web are mostly captured at the card level and not hacked from databases of merchants, banks, processors, or through other methods.
Following this same logic, we can expect that the share of stolen card data containing CVV/CVC codes will inevitably rise back to its pre-pandemic level after reopening. Therefore, it is now important to implement security measures at the card level that would disrupt CVV/CVC code theft and/or make stolen CVV/CVC codes unusable.
The most effective solution, both to secure the CVV/CVC and to detect and deter Points of Collection, is the Dynamic CVV/CVC card.
Today, cards refresh automatically!
Historically, payment card CVV/CVC codes have been static. Once imprinted on cards, they remained fixed for the entire lifetime of the cards. As such, even though it can take a month or longer for stolen card data to reach the dark web, none of this data is rendered obsolete in the interim. Consequently, cardholders and card issuers incur fraudulent losses weeks and months after the initial compromise.
The good news is that payment card technology has evolved to allow banks to issue cards with frequently changing codes known as Dynamic CVV/CVC. Dynamic CVV/CVC codes are frictionless for the cardholder and operate just like their static cousins, but are displayed on a digital screen on the card.
EVC, the EMV integrated² Dynamic Card Security Code solution introduced by Ellipse³, features a CVV/CVC code that is refreshed each time the card is used in payment terminals at gas stations, stores or ATMs.
If an EVC payment card is photographed or copied, the risk of resulting fraudulent transactions on that card is virtually eliminated. The continued use of the EVC card by the consumer at registers or ATMs will change the CVV/CVC, render the stolen data obsolete and cause fraudulent eCommerce transactions using the stolen CVV/CVC to be declined.
EVC can also help identify the locations where card data are collected
Since the date, time, and location of every EVC code change are known, attempted fraudulent transactions using compromised EVC codes can be easily narrowed down to where and when the card information was copied. These Points of Collection can be accurately and reliably identified, especially if there is a pattern of fraud occurring at a specific location.
This granular level of insight into card level fraud is a powerful deterrent to CNP fraud at its source. Once the organized syndicates that traffic stolen card data understand that fraud investigators can identify specific sites of compromise, they will abandon this tactic. The elimination of Points of Collection will automatically benefit all cards, including those with static CVV/CVC codes.
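The narrowing-down described above, sketched as an added example (not Ellipse's code and not part of the original article). The refresh log, declined attempts, site names and record layout are all constructed, and the sketch assumes that both the terminal that set a code and the terminal that later replaced it count as candidate sites.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: (card_id, refresh time, terminal site, code now displayed).
REFRESHES = [
    ("card-A", "2021-03-01T12:05", "Fuel-17", "481"),
    ("card-A", "2021-03-02T19:40", "Bistro-9", "207"),
    ("card-A", "2021-03-04T08:15", "ATM-3", "935"),
    ("card-B", "2021-03-02T13:10", "Grocer-2", "660"),
    ("card-B", "2021-03-02T20:30", "Bistro-9", "118"),
    ("card-B", "2021-03-05T10:00", "Fuel-17", "774"),
    ("card-C", "2021-03-03T18:55", "Bistro-9", "052"),
    ("card-C", "2021-03-06T09:20", "Grocer-2", "399"),
]
# Constructed declined eCommerce attempts: (card_id, code submitted).
DECLINED = [("card-A", "207"), ("card-B", "118"), ("card-C", "052"), ("card-C", "000")]

def exposure_windows(refreshes, declined):
    """For each declined attempt using a stale code, find when and where that code was on the card."""
    history = defaultdict(list)
    for card, ts, site, code in refreshes:
        history[card].append((datetime.fromisoformat(ts), site, code))
    windows = []
    for card, used_code in declined:
        events = sorted(history[card])
        for i, (start, site, code) in enumerate(events):
            if code != used_code or i + 1 >= len(events):
                continue  # code was never displayed, or is still current (not stale)
            end, next_site, _ = events[i + 1]
            # Assumption: the copy happened while this code was displayed, so the
            # site that set it and the site that replaced it are both candidates.
            windows.append({"card": card, "from": start, "until": end,
                            "sites": {site, next_site}})
    return windows

def rank_sites(windows):
    """Rank sites by the number of distinct compromised cards whose window touches them."""
    cards_by_site = defaultdict(set)
    for w in windows:
        for site in w["sites"]:
            cards_by_site[site].add(w["card"])
    return Counter({s: len(c) for s, c in cards_by_site.items()}).most_common()

if __name__ == "__main__":
    for site, cards in rank_sites(exposure_windows(REFRESHES, DECLINED)):
        print(f"{site}: {cards} card(s)")
```

Because a three-digit code can recur over a card's lifetime, a stale code may match more than one window; the sketch returns every match and leaves disambiguation to the cross-card ranking.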
The abrupt nature and massive scope of the pandemic lockdowns caught everyone by surprise, including the organized gangs that traffic in fraudulent payment card data. As such, the fraud data collected during the lockdown is as pure as it gets and leads inexorably to one conclusion—payment cards are being compromised at the point of payment. As brick-and-mortar businesses reopen, fraudulent card data collection with available CVV/CVC will resume. Thus, the most sensible way to combat this fraud is with a card-level security feature such as EVC dynamic card security code. It is affordable, easy to implement, generates quick results, and, most importantly, is under the issuer’s full control.