EMV Chip Adoption Will Push Scammers Into Other Types of Credit Fraud
He also noted that some merchants actually enter the number in a transaction where the card is present, and store it in their records, which opens it up for fraudulent use if the merchant's computer records are compromised. In addition, Russo noted that in many cases the CCV isn't passed along to the e-commerce provider even if the customer provides it, since it may go straight to the financial institution. Because of this he said that e-commerce providers need to conduct additional verifications to confirm that a card being used for payment is actually legitimate. Accomplishing the necessary verification requires that the merchant, or the e-commerce provider, check a variety of details about the card being presented and about the user. For example, he said that it's important to make sure that the purchaser is actually located where they say they are, so if a purchaser ostensibly located in the United States has an IP address for China, there's probably a problem. But it's also important that the merchant pay attention to details. For example, if a credit card number and its related details such as the expiration date, or CCV number don't match, it's a good idea to ask for further confirmation that the purchaser is legitimate, or even to decline the charge.This means that online merchants will need to take all available steps, including the proper use of CCV numbers as well as other means of identity confirmation, to avoid being held responsible for fraud. This in turn means that the online merchant's employees need to be aware of the increased risk of fraud. To accomplish all of that requires education and training. "You have to train your people," Russo said. "You have to empower them to make decisions." Those decisions may include declining to accept a suspicious charge, even if it annoys a customer. It is, after all, for the customer's protection in addition to yours.
Russo said that some merchants are reluctant to use verification such as CCV checking because they feel that it gets in the way of the sale. However, there will be a liability shift in the credit card industry in October 2015 in which merchants who don't use available security measures, including chip and PIN, and CCV confirmation for online sales, will be held responsible for fraudulent charges, rather than the banks as it is now.