July 16th, 2007 by Jamie Estep
Only half of top ecommerce sites require Card Verification
A few weeks ago Elastic Path published their Ecommerce Checkout Report which was a great breakdown of the online trends of the top 100 internet retailing websites.
One area that I found particularly interesting is that only about half of the top 100 online retailers require additional card verification (CVV2, CID, CVC, etc) information to be entered when a customer makes a purchase.
Card Code Verification is a basic fraud deterrent because the purchaser must have the card in hand, or have copied the entire number, expiration date and code from the back of the card to use it. It eliminates fraud from credit card skimming as the card verification code is not on the magnetic stripe and therefore cannot be used where CVV2 is required. It’s by no means a complete solution, nor is it acceptable as the only method of preventing fraud. It is a great tool, that costs nothing, and can save a business from a lot of unnecessary fraudulent orders.
So, why would the biggest online retailers not require this most basic information for orders that they accept.
The simple answer is money.
Conversion rates were measured to be 40% higher on the websites that were not requesting card verification information. 40% is a massive amount when you are averaging it across millions or billions in sales. I would imagine that a large well organized company would leverage whether the cost of fraud from not requiring CVV2 outweighs the cost in lost sales from requiring it. It is apparent than many businesses find it less costly to deal with any fraud that might occur from not using CVV2, than to take a hit in their conversion rate and require it. This is a completely irresponsible practice, but isn’t the least bit surprising.
So should you use CVV2?
First off, if your merchant contract states that you must use card verification on card-not-present transactions, then Yes. It is fairly common for processors to require this information, and if you’ve opened a merchant account in the past two years, there’s a good chance that it’s required with your account. You could risk getting your merchant account shut down for not using CVV2 if you’re processor requires it.
My personal recommendation for businesses who aren’t required to use it is also Yes. Especially for the case of small businesses where the cost of a few fraud related chargebacks can ruin a business. Additionally, it is much easier to fight most chargebacks when you have a valid CVV2 match. If you have a positive CVV2 response, it is proof in most cases that the person who made the purchase had the card in hand. CVV2 also is a proactive approach at helping consumers. If a person gets their card skimmed or the number gets stolen, their card cant be used anywhere that CVV2 is required. If a database with credit card numbers gets compromised, the cards cannot be used where CVV2 is required since CVV2 is never allowed to be stored by a business. Lastly, CVV2 actually works for international cards while AVS (Address Verification) does not. It is really the only built-in fraud prevention method that is internationally usable at this time.
Currently CVV2 is not required, but only because some older cards don’t have CVV2 numbers on them. As soon as every card does, it’s very likely that it will be required for all card-not-present transactions.
Even now, if everybody used CVV2 for their transactions, there wouldn’t be a huge conversion rate gap like this, card holders would be safer, and banks would eliminate some of the cost of fraud, which drives up credit card related prices for consumers and businesses alike.
Credit card verification numbers