Do CVV Codes Protect Merchants?

Apply Online Now

Most internet merchants are now requiring consumers to enter the three or four digit number on the back of the credit card as part of the checkout process. The three digit code is known by several names: Card Verification Value (CVV), Card Validation Code (CVC) and Card ID (CID).

The theory is that the cardholder must physically have the card in hand in order to know what the code is. Therefore, the risk of fraud is reduced.

Remember, though, that fraudsters can acquire the numbers as well. For instance, a hacker can break into a database where credit card information is stored. The credit card information, including the code, is stolen.

AVS and code verification are a simple method of fraud protection. Yet, both can easily be compromised by a savvy fraudster. By all means, merchants ought to use both.

But, realize that used alone, AVS and codes will not protect you. Combine them with a sophisticated fraud prevention program from a payment gateway for added protection.

For more information, contact

According to Fitch Ratings July 2009 charge-off rate for prime credit card portfolios declined 10.55% or 24 basis points over June 2009.  This marked the end of five consecutive months of record highs for charge-offs.

Charge-offs often increase in the fourth quarter.  However, Fitch predicts this will be less likely this year because so many delinquencies have already occurred.

Charge-offs rose 45% from February 2009 through July 2009 and are 63% above figures for the same periods in 2008.  Accounts receivables more than 60 days past due are still at record highs but show some signs of stability.

According the Fitch managing director, Michael Dean, “We still need to see some measurable improvement in the delinquency and personal bankruptcy figures and the employment situation overall before charge-offs revert to more historical norms.  For now, we expect charge-offs to moderate at these elevated levels in the coming months.”

For information contact

Does every company have to comply with PCI DSS security regulations which protect cardholder information?

You bet they do.

Any merchant or payment provider which stores, processes, and/or transmits cardholder data must be PCI DSS compliant.  Regardless of how big or small the company is or the number or volume of payment processed.  No payment or cardholder information can be retained by merchants unless incredibly strict compliance is achieved and maintained.

But wait, there’s more.

PCI security requirements apply to more than cardholder information in a digital form.  Companies also must get rid of printed material that contains payment or cardholder information.  Disposal must be done in a responsible way which includes complete shredding of documents.

Entities that handle payment card transactions are categorized into 4 distinct levels.  The levels determine the validation processes that must be performed and maintained to ensure compliance.

  • Level 1: Merchants with more than 6 million card transactions.  Merchants which have had cardholder data compromised, regardless of size of merchant, are also included in Level 1.
  • Level 2: Merchants with card transactions between 1 and 6 million
  • Level 3: Merchants with card transaction between 20,000 and 1 million
  • Level 4: All other merchants

There are six categories of PCI compliance security standards.

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

 For more information, contact

It’s sad, but true.  When it comes to chargebacks, the credit card companies are most often on the cardholders side, not the merchants.

There is a certain segment of cardholders know how to work the chargeback system in their favor.  Merchants can do everything correctly, follow all card association regulations and recommendations to the letter, and still get zinged big time for chargebacks.   Business segments classified as high risk merchants are more prone to chargebacks than others.

The card companies monitor all merchant chargeback activity on a monthly basis and alerts merchant banks in writing when any of their merchants has excessive chargebacks.  Chargebacks of 1% or higher are considered excessive.

The card companies consider the first notification of excessive chargebacks for a specific merchant a warning.  The banks impose large fines to merchants who do not take action within an appropriate period of time o return chargeback rates to acceptable levels.

Working with a high risk payment gateway can help control chargebacks.

The length of time merchants are given to comply almost never exceeds 3 months. By the 3rd month card assess escalating fines to the banks beginning at $50 per chargeback.  Additionally, The banks are accessed an initial $5,000 review fee plus spiraling additional fines.  All fines are passed on to the merchant.

The bank can be audited by the card companies and may lose their acquiring  status.  With so much at risk, it’s no wonder that the banks will almost always terminate the merchant before they complete the 3rd month of monitoring.

Once merchants are terminated, it’s very difficult for them to get another merchant account.  Any bank opening a new account for the merchant assumes the previous liability associated with that merchant.

The moral for this story is that merchants must do whatever it takes to keep chargebacks low.  A good payment gateway can help.

For more information, contact today