Payment technology has come a long way since the advent of the credit and debit card, even further since paper checks were frequently used by the average consumer. Since the popularization of online shopping in the mid-90s, consumers have increasingly used credit and debit cards on a variety of platforms. And in the last decade, the growth of mobile payment processing and digital wallets further extended the methods customers can choose to pay.
To keep up, businesses need not only to expand their payment options but also to make sure each payment is verified to reduce the rate of fraud and chargebacks. Thus, payment card verification must happen quickly and seamlessly during the transaction process.
In this article, we’ll discuss what card verification is and how it works.
What is card verification?
Card verification is a collective term for the methods and data points used to confirm two things: (1) cardholder identity (via a CVM such as a PIN or biometric data) and (2) card validity (via security codes like CVV and address checks like AVS). Both are essential for confirming the card is authorized and mitigating fraud.
The Payment Card Industry Security Standards Council (PCI SSC) is a global network that brings together payment industry stakeholders to create and further the adoption of security standards and payment resources. Founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa, this council’s guidelines are meant to enhance global payment account data security. One of the ways the PCI SSC governs payment security is to require a card verification method (CVM) when merchants process a transaction.
The primary commercial advantage of successful CVM (especially EMV chip + PIN) is liability shift. This means that if a fraudulent transaction occurs, the financial responsibility shifts from the merchant/processor to the issuing bank, provided the merchant followed the correct CVM protocol.
There are four main types of card verification in two categories:
Card-present methods
Online PIN: This method is primarily used with debit cards in a card-present environment. The PIN is encrypted and sent to the network for authorization, confirming the cardholder’s identity and returning a transaction approved response.
Offline PIN: This is a method done locally between the payment card and terminal. When the PIN check is confirmed via the terminal, the transaction is sent to the host, indicating the PIN check was done locally and successfully, and the transaction continues to process.
Signature: Primarily used with credit cards or in lieu of a PIN, a signature can be collected on a receipt or captured digitally at the payment terminal.
Modern/digital methods
Consumer Device Cardholder Verification Method (CDCVM): This verification method is used when the customer’s device is used as a payment method via a mobile wallet. Consumer Device CVM uses either a passcode or biometric authentication (fingerprint or facial recognition depending on the device) to approve the transaction, and it communicates with the payment terminal to authorize the transaction.
As the payment landscape grows and new forms of payment are popularized, the methods available to verify cardholder identity grow as well. For example, the use of mobile wallets created a need for a different type of card verification from debit and credit cards. That said, there are different requirements that depend on the card issuer and can also vary by transaction amount or type (such as card-present or not).
How is card verification implemented?
Debit and credit card verification is a critical part of payment processing. As such, businesses must choose a trusted payment processor for software and hardware, like Stax. To ensure proper card verification is seamless, a payment API (application programming interface) is used to manage payments.
Card verification is built in as part of the transaction at the point of sale (POS) and needs to take place quickly to avoid impeding the customer experience. The Card Verification Method (CVM) is a critical part of payment processing. Merchants must adhere to the card network rules (e.g., Visa/Mastercard) on CVMs to ensure liability for fraud shifts from the merchant to the issuing bank. This is separate from, but complementary to, PCI DSS, which governs data security.
That said, merchants can sometimes opt to forgo certain verification requirements (like PIN entry or signature) for small amounts, known as No CVM. Warning: By skipping CVM, the merchant assumes full liability for any fraudulent chargebacks, as the liability protection is forfeited.
Outside of the PIN and signature, there are some other key components of card verification. The CVV and AVS codes are used most commonly for transactions where the card is not present and, therefore, some additional information is needed to verify the cardholder and prevent fraud.
What is the CVV, and how is it used?
The industry uses different terms for the Card Verification Value (CVV), but the important distinction is between CVV1 (data encoded in the magnetic stripe, used for card-present transactions) and CVV2 (the printed, three- or four-digit security code). Crucially, to comply with PCI DSS, the printed CVV2 code is never stored by the merchant after authorization. The CVV is an important piece of cardholder data and is used along with the credit card number and expiration date.
One common example of using the CVV during a transaction is to use the three-digit code on the back (or four-digit number on the front for American Express) for transactions when the card is not present, such as an order taken over the phone or an online transaction.
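As an added example (not Stax's code and not part of the original article), one way to enforce the rule that the printed CVV2 is not kept after authorization is to strip it from a payload before the payload is logged or persisted. The key names, the function name, and the sample order below are assumptions constructed for illustration.

```python
# Key names that commonly carry the printed security code.
# Assumed list for this example; extend it to match your own API's field names.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code", "card_code"}


def strip_cvv(payload):
    """Return (clean_copy, paths) with every CVV-like field removed.

    `paths` lists where a code was found, so a hit at storage time can be
    alerted on instead of silently passing through. The input is not modified.
    """
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            clean = {}
            for key, value in node.items():
                here = f"{path}.{key}" if path else str(key)
                # Normalise case and hyphens so "CVV" and "security-code" match.
                if str(key).lower().replace("-", "_") in CVV_KEYS:
                    found.append(here)  # drop the value entirely, do not mask it
                    continue
                clean[key] = walk(value, here)
            return clean
        if isinstance(node, list):
            return [walk(item, f"{path}[{i}]") for i, item in enumerate(node)]
        return node

    return walk(payload, ""), found


# Constructed sample: a card-not-present order as it might reach a checkout API.
SAMPLE_ORDER = {
    "order_id": "example-1001",
    "amount": 4250,
    "payment": {
        "card": {"last4": "1111", "exp": "12/30", "CVV": "123"},
        "billing_zip": "00000",
    },
    "retries": [{"attempt": 1, "card": {"security-code": "123"}}],
}

if __name__ == "__main__":
    clean, paths = strip_cvv(SAMPLE_ORDER)
    print("safe to persist:", clean)
    print("CVV found at:", paths)
```

Running the same function over records already in a log or database table turns it into an audit check: any non-empty `paths` result means a security code was stored somewhere it should not be.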
How is the address verification service (AVS) used to detect credit card fraud?
AVS cross-checks the billing address provided against the address on file with the issuing bank, returning a match code (e.g., full match, partial match, no match). This is crucial because a successful AVS check shifts some fraud liability away from the merchant and processor.
Though this method is commonly used for identity verification, it is not without its faults. Because some orders are legitimately sent to different addresses, AVS can inappropriately flag valid transactions when card details appear to be mismatched. However, AVS remains an important part of the transaction authentication process and aids merchants in determining whether a card payment should be accepted during a non-face-to-face transaction.
The importance of card verification
As outlined above, card verification is a fundamental part of payment processing and has certain standards integrated into the payment API.
For merchants, card verification is instrumental in preventing chargebacks and fraud. Mitigating the effects of credit card fraud costs companies time, money, and resources. By properly maintaining PCI SSC compliance and using trusted payment processing providers, businesses are able to reduce the risk of fraud by stopping unauthorized transactions.
For customers, card verification can curb fraudulent activities before they happen.
Unauthorized transactions are a headache to deal with, even more so when they actually process. Catching these transactions before they process and flagging the card in question helps customers to quickly resolve the situation.
Card verification, along with other standards and procedures for payment processing, is meant to accomplish the PCI Security Standards Council’s mission and protect consumers.
Quick FAQs about card verification
Q: What is card verification in the context of payment processing?
Card verification is the process of confirming the identity of the cardholder during a transaction. This is done using various methods such as PIN entry, signature, or biometric authentication to ensure that the person making the payment is authorized to use the card.
Q: Why is card verification important for businesses?
Card verification is crucial for businesses, as it helps in preventing fraud and chargebacks. By verifying the cardholder’s identity, merchants can reduce the risk of unauthorized transactions, protecting both the business and its customers. It also ensures compliance with Payment Card Industry Security Standards Council (PCI SSC) guidelines.
Q: What are the main types of card verification methods?
The main types of card verification methods include:
– Online PIN: The cardholder enters their PIN, which is encrypted and sent to the bank for verification.
– Offline PIN: The PIN is verified locally between the card and the terminal.
– Signature: The cardholder signs a receipt or a digital screen.
– Consumer Device Cardholder Verification Method (CDCVM): Uses passcodes or biometric data via mobile wallets.
Q: How do online and offline PIN verification differ?
Online PIN verification involves sending the cardholder’s PIN to the bank for verification, while offline PIN verification is done locally at the payment terminal without contacting the bank. Both methods aim to confirm the cardholder’s identity but differ in their execution and reliance on external networks.
Q: What is the role of CVV in card-not-present transactions?
The Card Verification Value (CVV) is a security feature used in card-not-present transactions, such as online or phone orders. It is a three-digit (or four-digit for American Express) code that helps verify the cardholder’s identity and prevent fraud by ensuring the person making the transaction has physical possession of the card.
Q: How does the address verification service (AVS) help in detecting fraud?
AVS cross-checks the billing address provided during a transaction with the address on file with the card issuer. This additional verification step helps detect potential fraud by flagging mismatched addresses, although it may sometimes incorrectly flag legitimate transactions.
Q: What is the Consumer Device Cardholder Verification Method (CDCVM)?
CDCVM is a verification method used for mobile wallet transactions. It involves using a passcode or biometric authentication (such as a fingerprint or facial recognition) on the customer’s device to authorize the transaction, adding an extra layer of security.
Q: How is card verification implemented in payment processing systems?
Card verification is integrated into payment processing systems using a payment API, which ensures that verification takes place quickly and efficiently at the point of sale. This seamless integration helps maintain PCI compliance and provides a smooth customer experience.
Q: Can merchants skip certain verification steps for small transactions?
Yes, merchants can choose to skip certain verification steps for transactions below a set dollar amount. This flexibility allows for a faster checkout process while still maintaining a level of security appropriate for the transaction size.
Q: What are the benefits of maintaining PCI SSC compliance for card verification?
Maintaining PCI SSC compliance ensures that businesses adhere to industry standards for payment security. This compliance helps protect against fraud, reduces the risk of chargebacks, and builds customer trust by demonstrating a commitment to secure payment processing.