As cards include more embedded technology, issuers and manufacturers face the tough question of how much card power to sacrifice for stronger fraud protection.
For example, as card giant Oberthur Technologies was recently fine-tuning a card with a liquid crystal display (LCD)-screen that displays a different card verification value (CVV) at regular intervals, it strongly recommended that banks set the refresh time to one hour.
The timeframe wasnt based primarily on fraud reduction calculations, but the limitations of the ultra-thin card-embedded battery to power both the display and the number-crunching behind it. Oberthur wished to preserve the typical 3-year lifespan of a normal payments card. With the CVV changing once an hour, the cards power should last three years, said Oberthur CEO Didier Lamouche. If banks chose 15-minute refreshes (which is a card option), Lamouche said, the card, which costs between $5 and $9, would likely run out of juice in two years.
The balance Oberthur struck between refresh time and battery life is about right, said Avivah Litan, a security analyst for Gartner. "It's a tradeoff. Every 15 minutes is better than an hour, but an hour is a lot better than nothing," she said. "Security is always a tradeoff between cost and convenience. They could have chosen to spend more on a better battery, but no would have paid for it."
Oberthur has two opportunities in card security. It's a huge seller of EMV chips, which should remove card-cloning risk and sharply reduce fraud in-store, in traditionally card-present environments. But it would do little to help with e-commerce fraud. Indeed, many security consultants are predicting that as EVM acceptance becomes widespread in the U.S., fraud could significantly shift to online payments.
Thats where Oberthurs dynamic-CVV card could find traction. It could effectively thwart using stolen payment card data to make online purchases, as that data wont have any value once the CVV changes. Secondly, the card brands could be convinced that e-commerce purchases using this kind of approach could be granted the lower card-present rate. Why? Literally, to access the current CVV, the card has to actually be present.
The risk to issuers is the difference between a 15-minute or a one-hour refresh and the window of possible fraud. If a thief steals a card that is so equipped, the thief can take advantage of two small windowsthe time that the victim discovers the card is missing, concludes that it was stolen, calls her bank to cancel; and the time until the CVV refreshes.
Cyberthief gangs can be highly organized and if a group immediately went to work placing online charges to the cardfocusing on printable gift cards and other purchases that can be liquidated quickly-- a non-trivial amount of fraud could still happen.
Where the changing-CVV could make a big difference is in protecting card data. If a thief, such as a waiter, writes down a cards detail and then tries to commit online, the 60 minute window will be a huge limiting factor.
Richard Crone, a payments consultant, said that while he "applauds the attempt," improving a card by adding a dynamic CVV display simply isn't going to improve security enough when compared with the authentication potential within a mobile device.
"You can't get rid of the risk until you get rid of the cards. Even with a dynamic CVV, you still have that card and you still that risk," he said. "The card, even if it has a dynamic CVV, has no multi-factor authentication. A phone and an app does," citing the phone's ability to consider geolocation, facial recognition, fingerprint biometrics, interactions with beacons and other digital features. "Cards are going to be around for a long time, but they are dependent on a specific chipset, the secure element. As we move to cloud-based payments, that dependency on a specific piece of hardware, a specific chip, that will quickly erode," Crone said.
Dynamic CVV cards won't help prolong the cards' existence, but will instead accelerate the cards' demise, Crone said. "It's fair to say that this dynamic CVV will really motivate people to enable mobile wallets. CVV will contribute to (e-commerce) abandonment rates" because the extreme limitations of the tiny screen on the card will incentive shoppers to want the mobile device's much larger screen.