US-based PNC Bank is in the middle of a pilot project that aims to test out credit cards with constantly changing card verification values (or CVVs) to reduce online credit card fraud. The dynamic CVV is displayed on the back of such a card in e-ink and changes according to an algorithm supplied by Visa.
Credit card fraud has long been a problem in the US. To stop thieves from re-using credit card numbers in brick-and-mortar stores, the US has been moving to chip-based credit and debit cards, which create a unique code for each transaction (although this transition to chip cards has been less successful than was hoped). But online credit card fraud is another beast. Once a fraudster has stolen a credit card number, they often can use the static number to make online purchases without being thwarted by chip complications.
Services like Apple Pay and Google Pay try to combat online card theft by using tokenization to obscure a person’s card numbers from theft while online. But if your credit card number has already been stolen (if a cashier’s chip reader is broken and they direct you to swipe your card on a compromised point-of-sale terminal, for example) then even having a chip-based card can’t stop bad actors from buying things on your dime.
A static CVV number can provide some protection from online fraud, but sometimes CVVs can be stolen in tandem with the card number. Worse, researchers have shown that Web bots making random guesses on legitimate websites can often come up with the appropriate CVV and expiration date to pair with a card number.
A dynamic CVV should—at least in theory—be far more difficult to guess and use. The idea of a dynamic CVV isn’t new: the cards are being supplied by a company called Idemia, which announced its “Motion Code” dynamic CVV cards in 2016. Since then, Visa has detailed a specification for the dynamic CVV pairing, called dCVV2, and Visa is also a partner in getting this pilot project off the ground.
The PNC Bank pilot project started in November, with cards being distributed to unidentified small- and medium-sized businesses. It will run for 90 days. According to Idemia, “PNC Treasury Management expects to offer Dynamic CVV2 technology to current customers in early 2019, following completion of the pilot.”
Part of the pilot project will be to test how regularly the CVV needs to change to prevent fraud while also making sure that users can complete their online purchases in time before the CVV they’re working with expires, according to the Pittsburgh Post-Gazette. Card issuers like PNC can customize the interval, though the bank won’t disclose the interval it chose for the current pilot project. The e-ink display is also limited by a small lithium battery, so a 60-minute CVV refresh rate offers the card a four-year lifespan, and higher refresh rates will make that lifespan shorter.
“Another downside is that motion cards are more expensive than regular chip cards to produce,” the Post-Gazette writes. “Prices vary, but according to one estimate, they cost about $15 compared with around $2 to $4 for a regular chip card.”