No CVV for tokenized card payments. Is your money safe?

However, the bank’s response was not satisfactory. They told him that the CVV, or card verification value, had not been validated because his card was tokenized. According to the card network’s guidelines, the CVV (the three-digit number printed on the back of the card) no longer needs to be validated for payments made with tokenized cards, the bank said.

Card tokenization occurs when cardholders store their cards online on e-commerce sites or mobile apps. Customers save their cards on apps or sites where they transact frequently so that they do not have to enter their full card details every time they pay. Consumers mostly store their card details on e-commerce sites like Amazon and Flipkart, food delivery apps like Zomato and Swiggy, and quick commerce apps like Blinkit and Zepto.




This tokenization replaces card data, such as the card number and expiration date, with encrypted tokens, making it harder for cybercriminals to steal card information. However, the CVV cannot be encrypted. Therefore, payments with saved cards are completed by entering the card’s CVV and a one-time password (OTP).

According to ICICI’s response to Jain, payment networks have told banks that the CVV is no longer a mandatory field for stored cards.

A cause for concern

Jain is now concerned about the security of such cards, especially in situations where phones are lost or stolen. “If someone loses their phone, payments can be made on apps or websites where the cards are stored by anyone who has the phone. The OTP required to authenticate the payment will also be sent to the same phone,” he said.

To confirm the bank’s statement, we tried making payments using HDFC Bank, Kotak Mahindra Bank and ICICI Bank debit cards saved on Amazon, entering an incorrect CVV each time. All the payments went through. This indicates that most major banks have stopped using the CVV to validate stored-card payments.

These payments are now authenticated solely by the OTP sent to the cardholder’s registered mobile number.

Emails sent to ICICI Bank, HDFC Bank and Kotak Bank questioning the security implications of removing the CVV went unanswered.

According to ICICI’s response to Jain, the bank validates the CVV only in cases where the payment network transmits the CVV value to the bank. To understand what this means, let’s first look at the flow of a payment made with a card saved online.

Card payment flow

When a payment is initiated, the merchant’s acquiring bank sends a request to the card network (Visa, Mastercard, RuPay) carrying the tokenized card number and expiration date, together with the CVV, which is not tokenized. The card network forwards the request, with the card details, to the card-issuing bank and seeks approval of the payment. At this stage, the issuing bank validates the card details sent to it and authenticates the payment with an OTP.

The number and expiration date are tokenized, while the CVV is not.

According to ICICI Bank’s response to a customer query, card networks and the merchant’s bank no longer pass the CVV on to the cardholder’s bank for validation. This is why banks do not decline payments made with stored cards even when the CVV entered is incorrect.
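To make the flow concrete, here is a small simulation of the path described above: merchant to acquirer to card network to issuer, where the network drops the CVV for token credentials before the issuer sees the request, so a wrong CVV on a stored card is never caught and the OTP becomes the only check. It also includes the per-day spend cap that the advice section later recommends. This is an added, constructed example written for this page; it is not ICICI Bank’s, Visa’s or any network’s code. All field names, the decision order in `issuer_authorize`, and the sample card values are assumptions.

```python
"""Simulation of the stored-card (tokenized) authorization path described in the
article. Constructed example, not any bank's or card network's code.

Assumptions (hypothetical, not from the article): the field names, the
decision order in issuer_authorize, and the sample card values below.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass
class IssuerCard:
    """Card record as the issuing bank holds it (constructed sample)."""
    pan: str
    expiry: str
    cvv: str
    token: str            # credential held by the merchant after tokenization
    daily_limit: int      # per-day spend cap the cardholder can set
    spent_today: int = 0


@dataclass
class AuthRequest:
    """Authorization message travelling merchant -> acquirer -> network -> issuer."""
    credential: str       # token (stored card) or plain card number (typed at checkout)
    expiry: str
    cvv: Optional[str]    # what the cardholder typed at checkout; None if absent
    amount: int
    is_token: bool
    otp_verified: bool    # outcome of the issuer's OTP step (second factor)


def network_forward(req: AuthRequest) -> AuthRequest:
    """Card network hop. For token credentials the CVV is dropped before the
    request reaches the issuer, which is the behaviour the article reports
    (CVV-less domestic transactions on tokenized cards)."""
    if req.is_token:
        return replace(req, cvv=None)
    return req


def issuer_authorize(card: IssuerCard, req: AuthRequest) -> Tuple[bool, str]:
    """Issuer decision. The CVV is compared only when the network delivered one,
    so a tokenized request is authenticated by the OTP alone."""
    if req.credential not in (card.pan, card.token):
        return False, "unknown_credential"
    if req.expiry != card.expiry:
        return False, "expiry_mismatch"
    if req.cvv is not None and req.cvv != card.cvv:
        return False, "cvv_mismatch"
    if not req.otp_verified:
        return False, "otp_failed"
    if card.spent_today + req.amount > card.daily_limit:
        return False, "daily_limit_exceeded"
    return True, "approved"


def checkout(card: IssuerCard, stored: bool, entered_cvv: str,
             amount: int, otp_verified: bool) -> Tuple[bool, str]:
    """Run one payment end to end: build the request the merchant/acquirer
    would send, pass it through the network, and return the issuer's verdict."""
    credential = card.token if stored else card.pan
    req = AuthRequest(credential, card.expiry, entered_cvv, amount, stored, otp_verified)
    return issuer_authorize(card, network_forward(req))


# Constructed sample card; 4111... is a well-known test number, not a real card.
SAMPLE_CARD = IssuerCard(pan="4111111111111111", expiry="12/27", cvv="123",
                         token="tok_constructed_001", daily_limit=10000)

if __name__ == "__main__":
    # Reproduces the article's observation: wrong CVV on a stored card goes through.
    print("stored card, wrong CVV, OTP ok:", checkout(SAMPLE_CARD, True, "999", 500, True))
    # Same wrong CVV on a card typed at checkout (not tokenized) is declined.
    print("typed card, wrong CVV, OTP ok: ", checkout(SAMPLE_CARD, False, "999", 500, True))
    # With the CVV gone, the OTP is the only remaining check.
    print("stored card, OTP failed:       ", checkout(SAMPLE_CARD, True, "999", 500, False))
    # A low daily limit still bounds the damage even when the OTP is available.
    print("stored card, above daily cap:  ", checkout(SAMPLE_CARD, True, "123", 15000, True))
```

The simulation's point is the `req.cvv is not None` guard in `issuer_authorize`: an issuer can only validate what the network forwards, so once the network strips the CVV for token credentials, the OTP delivered to the registered phone is the sole authentication factor, which is exactly the lost-phone scenario the article raises. The daily cap shows why a spending limit is a meaningful mitigation for the cardholder even though it does not restore the missing check.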

“Card tokenisation ensures that card data is stored securely. The CVV is a static value linked to the physical card and is not relevant for transactions using registered credential tokens,” ICICI Bank said in its response.

“Transactions in India are also done with two-factor authentication for added security. Based on the tokenization feature, the CVV is not a mandatory field to be verified… We clarify that transactions processed without validation of the CVV and other parameters mentioned above are done as per the guidelines,” the bank added.

In response to queries sent by Mint, Visa said it introduced CVV-less domestic online transactions on tokenized cards last year for the convenience of customers. “We worked closely with the regulator and the ecosystem to strengthen payment security and accelerate the adoption of tokenization,” the card network said.

Following Visa, Mastercard and RuPay have also launched CVV-less payment features for tokenized cards. The card networks say the aim is to make domestic card-not-present (CNP) transactions with tokenized cards faster and smoother.

Of course, the CVV is still mandatory for payments made with cards that are not stored online. In addition, the CVV must be provided at the time a card is stored, so that it can be tokenized correctly.

What you should do

Cybersecurity expert Ritesh Bhatia said the only way to protect cards from potential fraud in such cases is to add biometric authentication to the phone. Adding password-based protection to the apps where cards are stored will also help.

Experts also advise keeping only those cards online that are linked to secondary bank accounts with a low balance. Another option is to set a daily transaction limit of 10,000 or less, especially on credit cards.


One could argue that even UPI payments are susceptible to fraud when phones are stolen or lost. Still, all major UPI apps require a biometric check or a PIN to complete a payment at checkout.

Visa, in its statement, said that in the event of a stolen device, consumers should immediately report the incident to their respective banks, including through their online channels, so that their cards can be blocked. “This allows banks to take prompt action to prevent potential fraud by blocking the affected cards and implementing other integrated security measures.”
