If a fraudster doesn't know a credit card verification value code, it creates a major hurdle in attempting a card-not-present transaction with stolen cards or credentials.
Tender Armor wants to put that hurdle in place permanently for thieves looking to get their hands on the proper three- or four-digit CVV2 for a credit card by launching CvvPlus, a real-time dual-factor fraud prevention solution that gives issuers the ability to change the CVV2 daily.
Cardholders elect a method in which to receive a new code each day, either through a text message, an e-mail, text on demand, or through the bank's website.
The Fort Lauderdale, Fla.-based Tender Armor is also developing a mobile app to make the CVV2 available to cardholders through their mobile phones.
"Many solutions are detection-oriented or merchant-oriented, our product lets the issuer be in control," said Madeline K. Aufseeser, CEO and founder of Tender Armor. Aufseeser, most recently a payments analyst and researcher for Aite Consulting Group, has more than 30 years experience in the payments industry. Robert J. Steinman serves as chief operating officer and co-founder for Tender Armor, which also offers CvcPlus, CIDPlus, CscPlus and ProtectIt Plus software.
CvvPlus protects all card-not-present transactions, including those made through a call center, as well as any card-present transactions that would require a CVV2, Aufseeser said.
The timing is right for card-not-present fraud protection because of the adoption of EMV chip cards at the physical point of sale, a move that historically has pushed card fraud to e-commerce. Plus, e-commerce grew at a 40% clip during the holidays last year and is expected to grow more this year, Aufseeser said.
"Fraud is expected to go over $11 billion in chargeoff losses in the coming year, and that's just on credit cards," Aufseeser said. Banks incur other costs with account fraud on debit cards or expenses related to fixing problems after fraud occurs, such as re-issuing cards and customer service expenses.
Tender Armor enters a security industry that has been addressing the card-not-present fraud problem with various technologies.
Oberthur Technologies has been developing its Motion Code technology, a changing code through a digital display on the back of the card, in a similar attempt to keep the CVC2 or CVV2 code away from fraudsters.Gemalto Inc. launched a similar dynamic code verification technology to coincide with the EMV chip card liability shift at the physical point of sale in October. Gemalto's product offers a code display on the back of the card that changes every 20 minutes.CvvPlus has an advantage for issuers in that the technology will work with cards currently in use in the market, eliminating any need for reissuing cards, Aufseeser said.
"Other solutions may call for the issuer to send out new cards at $6 to $10 a pop," Aufseeser added. Plus, if a cardholder loses a card protected by CvvPlus, there is still no danger a fraudster can use the card, she said. With other solutions, a stolen card can still be used until it is reported stolen.
In addition, for a consumer who has various accounts and card products with an issuing bank, Tender Armor can provide the same daily CVV2 code to cover all accounts, Aufseeser said.
Banks will find CvvPlus appealing because it won't cost much to integrate into their systems and they will save money on card issuing, said Al Pascual, senior analyst for Javelin Strategy & Research.
"All of the big issuers have re-issued EMV or are getting ready to finish that up," Pascual said. "The last thing they want to have to do is reissue again with another security feature on it."
The concept of a single daily code might be more appealing to consumers than one in which the CVV2 changes many times during the course of a day, Pascual added.
Like any other security measure against cyber fraud, CvvPlus won't be bullet proof, Pascual said.
"If you are working with a browser that might be infected by malware, a criminal could maybe get at the code on the same day," Pascual added. "But it is worlds better than what we currently have with a CVV2 that doesn't change and can be used until the card is canceled."
Tender Armor is not expecting any pushback from issuers that are interested in the product, but possibly concerned about adding new technology to authorization platforms.
"It's a lightweight integration, with a handful of API calls and a handful of store procedure calls, plus an additional table to the authorization platform," Aufseeser said. "We can work directly with the banks or direct them to their processors, who we will be working with."