UK banks considering dynamic CVV code technology to combat CNP fraud
Tiny screen on the back of cards to display a new CVV code every hour
Could reduce CNP losses and increase interchange revenue in Australia
Source: This is Money
Point of View
In response to rising card-not-present fraud (CNP) major banks in the UK are considering using new ‘dynamic cryptogram’ technology, which is supported by the UK National Audit Office, as noted in its Online Fraud report published in June 2017. CNP fraud losses were £432 million in 2016, up 9 per cent since 2015, and made up 70 per cent of all card fraud in the UK, according to a report by Financial Fraud Action UK.
The new technology – Motion Code, created by Oberthur Technologies – uses a tiny battery-powered screen on the back of a payment card to display a dynamic CVV code. A new code is automatically generated every hour for the three-year life of the battery. The solution is designed to render stolen card details useless within an hour of theft.
To implement the solution, an issuer must use a specific server, which is synchronised with the algorithm that is used to generate the dynamic codes. As well as supplying the cards, Oberthur installs the server on the issuer’s premises with its offering.
Cardholders and online merchants, on the other hand, do not need to make any changes to make or accept a Motion Code card transaction. Moreover, other than an additional layer of security, the dynamic CVV code cards works just like a regular card: it can be used to make purchases both online and at the point of sale.
Nonetheless, a couple of inconveniences do arise with the new technology. Customers who memorise their CVV will now need to refer to their card each time they make a purchase. Similarly, customers who have their card details stored with an online merchant will no longer be able to make ‘one-click purchases’. While these inconveniences are fairly minor, customers who have direct debit arrangements with billers will not be able to continue paying in this manner.
The technology is already in use or being trialled in a number of other jurisdictions (although reports on the effectiveness of the technology to reduce CNP fraud are not forthcoming):
In November 2016, Société Générale offered Motion Code cards to its customers in France, on an opt-in basis for an annual fee of €12 per year. The bank has since issued 150,000 cards.
Oberthur announced in December 2016 that it had partnered with payments processor, PROSA, to trial Motion Code in Mexico.
In Japan, Oberthur and Toppan, supplier of payment cards to most major Japanese issuers, partnered in mid-2016 to provide cards enabled with Motion Code to the market.
The technology is also being trialled in the Middle East and Africa, in a partnership announced in May 2016 between Oberthur and local payment solutions provider, Network International.
In the second half of 2015, Polish Getin Bank introduced Motion Code, in response to the Polish Financial Supervision Authority's recommendation to increase the level of security of online payments.
In 2016, CNP fraud made up 78 per cent of all fraud on Australian cards, totalling $418 million in losses, up 15 per cent since 2015. Of this, $176 million was perpetrated in Australia.
In May 2017, the Office of the Australian Information Commissioner (OAIC) published results of its community attitudes to privacy survey. The OAIC found that only 19 per cent of respondents trust the ‘e-commerce industry’ to look after their personal information. Accordingly, could the new technology have the potential to improve customer trust in the online purchasing process?
The dynamic CVV technology seems promising, in theory at least. Nonetheless, viability of the product in Australia would depend on a number of factors, including its potential to reduce fraud, the cost of rolling out the technology and how cardholders might be affected.
Furthermore, if it became available in Australia, would the technology need to comply with standards, and if so what might standards look like?