No CVV for payments on tokenised cards. Is your money safe?

The bank’s response was, however, not satisfactory. He was told that the CVV, or card verification value, wasn’t validated because his card was tokenised. As per the card network’s guidelines, the CVV, a three-digit number printed on the back of debit and credit cards, is no longer required to validate tokenised card payments, the bank said.

Card tokenisation happens when cardholders save their cards online on e-commerce sites or mobile apps. Customers save their cards on apps or sites where they transact frequently to avoid typing out the full details of the card each time they make a payment. Consumers mostly save their card details on e-commerce sites like Amazon and Flipkart, food delivery apps like Zomato and Swiggy and quick commerce apps like Blinkit and Zepto.

This tokenisation replaces the card’s details, such as the card number and expiry date, with encrypted tokens, making it difficult for cybercriminals to steal the card’s information. However, the CVV can’t be encrypted. Hence, payments on saved cards are completed by keying in the card’s CVV and a one-time password (OTP).

As per ICICI’s response to Jain, payment networks have told banks that CVV is no longer a mandatory field for saved cards.

A matter of concern

Jain is now concerned about the safety of such cards, especially in situations where phones are lost or stolen. “If someone loses their phone, payments can be made on apps or websites where cards are saved by anyone who has the phone. The OTP required to authenticate the payment will also be sent to the same phone,” he said.

To confirm the bank’s statement, we attempted payments on HDFC Bank, Kotak Mahindra Bank and ICICI Bank debit cards saved on Amazon by keying in the wrong CVV. All payments were successfully completed. This suggests that the major banks have disabled CVV validation for such payments.

These payments are now authenticated solely by the OTP sent to the cardholder’s registered mobile number.

Mails sent to ICICI Bank, HDFC Bank, and Kotak Bank questioning the security implications of removing CVV were not answered.

As per ICICI’s response to Jain, the bank validates the CVV only in cases where the payment network passes the CVV value on to the bank. To understand what this means, let us first look at the flow of a payment made with a card saved online.

Card payment flow

When a payment is initiated, the merchant’s acquiring bank sends a request to the card network (Visa, Mastercard, Rupay) carrying the card’s tokenised number and expiry date along with the CVV, which is not tokenised. The card network forwards the request, with the card details, to the card-issuing bank, seeking payment approval. At this stage, the issuing bank validates the card details sent to it and authenticates the payment with an OTP.

Number and expiry date are tokenised, whereas CVV is not

As per ICICI Bank’s response to its customer’s query, card networks and the merchant’s bank no longer pass the CVV on to the cardholder’s bank for validation. This is why banks do not decline payments on saved cards even when the CVV entered is wrong.
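The flow described above, as a constructed model of the issuer-side decision, added here for illustration. It is not the code of any bank, card network or merchant named in this article. The token format, the reason strings, the `network_forward` step that drops the CVV for credential-on-file (CoF) token transactions, and the rule that the issuer validates the CVV only when the network passes it on are all assumptions made to mirror the article's description; the `factors_checked` helper shows which independent factors are left for the issuer to verify in each case.

```python
"""Model of the issuer-side authorisation decision for a card saved online.

Constructed illustration, not any bank's or network's real code. The flow
follows the article: the acquirer sends token + expiry + CVV to the network,
the network forwards the request to the issuer, and the issuer validates the
details and authenticates with an OTP. For credential-on-file (CoF) token
transactions the network no longer forwards the CVV (assumption modelled on
the article), so the issuer has nothing to validate it against.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class AuthRequest:
    token: str                 # tokenised card number (assumed format)
    expiry: str                # MM/YY
    cvv: Optional[str]         # None once the network strips it
    credential_on_file: bool   # True for a card saved on a merchant
    amount: float


@dataclass(frozen=True)
class IssuerRecord:
    token: str
    expiry: str
    cvv: str


def network_forward(req: AuthRequest, cvv_free_tokenised: bool = True) -> AuthRequest:
    """What the card network passes on to the issuer.

    With the CVV-free feature enabled for tokenised CoF transactions, the
    CVV field is dropped before the request reaches the issuer.
    """
    if cvv_free_tokenised and req.credential_on_file:
        return replace(req, cvv=None)
    return req


def issuer_authorise(req: AuthRequest, record: IssuerRecord, otp_ok: bool) -> tuple[str, str]:
    """Issuer decision: returns (outcome, reason)."""
    if req.token != record.token or req.expiry != record.expiry:
        return ("DECLINED", "token_or_expiry_mismatch")
    # The issuer validates the CVV only when the network actually passes it on.
    if req.cvv is not None and req.cvv != record.cvv:
        return ("DECLINED", "cvv_mismatch")
    if not otp_ok:
        return ("DECLINED", "otp_failed")
    reason = "otp_only" if req.cvv is None else "cvv_and_otp"
    return ("APPROVED", reason)


def factors_checked(forwarded: AuthRequest) -> set[str]:
    """Which independent factors the issuer can verify on this request.

    'cvv' is printed only on the physical card; 'otp' proves possession of
    the registered phone. With a saved card on a lost phone, only 'otp'
    remains, and the OTP arrives on that same phone.
    """
    factors = {"otp"}
    if forwarded.cvv is not None:
        factors.add("cvv")
    return factors


def run_scenario(credential_on_file: bool, cvv_entered: str, otp_ok: bool = True):
    """Run one end-to-end authorisation against a constructed card record."""
    record = IssuerRecord(token="TKN-0000-1111-2222", expiry="12/29", cvv="123")  # constructed
    req = AuthRequest(token=record.token, expiry=record.expiry, cvv=cvv_entered,
                      credential_on_file=credential_on_file, amount=2500.0)
    forwarded = network_forward(req)
    return issuer_authorise(forwarded, record, otp_ok), factors_checked(forwarded)


if __name__ == "__main__":
    # Saved (CoF) card with a wrong CVV: approved on OTP alone, the article's finding.
    print(run_scenario(credential_on_file=True, cvv_entered="999"))
    # Card keyed in fresh with a wrong CVV: declined, CVV still validated.
    print(run_scenario(credential_on_file=False, cvv_entered="999"))
    # Saved card but the OTP check fails: declined.
    print(run_scenario(credential_on_file=True, cvv_entered="999", otp_ok=False))
```

The point the model makes visible is that the issuer is not ignoring a wrong CVV; it never receives one for CoF token transactions, so the OTP is the sole factor left, which is exactly the exposure described in the article when the phone that holds the saved cards also receives the OTP.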

“The tokenisation of the card ensures that the card data is securely stored. CVV is a static value tied to the physical card and is not relevant for credential-on-file token transactions,” ICICI Bank said in its response.

“Transactions in India are also two-factor authentication for additional security. Based on the tokenization feature, CVV is not a mandatory field to be verified…We clarify that the transactions processed without the validation of CVV and basis the other parameters mentioned earlier are as per guidelines,” it added.

In response to queries sent by Mint, Visa said it had introduced CVV-free domestic online transactions on tokenized cards last year for the convenience of customers. “We worked closely with the regulator and ecosystem to strengthen payments security and accelerate the adoption of tokenisation,” the card network said.

Following Visa, Mastercard and Rupay have also launched CVV-free payment features for tokenised cards. The card networks say the aim is to make domestic card-not-present (CNP) tokenised transactions faster and more seamless.

To be sure, CVV continues to be mandatory for card payments where the card is not stored online. The CVV must also be entered at the time of saving a card in order to tokenise it.

What you should do

Cybersecurity expert Ritesh Bhatia said the only way to safeguard cards against potential fraud in such cases is by adding biometric authentication on the phone. Adding password-based security on the apps where the cards are saved will also help.

Experts also advise saving online only those cards that are linked to secondary bank accounts with a low balance. Another alternative is setting daily transaction limits of 10,000 or less, especially on credit cards.

One may argue that even UPI payments are susceptible to fraud when phones get stolen or lost. Still, all major UPI apps require biometrics or a PIN to complete the payment at checkout.

Visa, in its statement, said that in the event of device theft, consumers are advised to immediately report the incident to their respective banks, including through their online channels, to block their cards. “This enables banks to take prompt action to prevent potential fraud by blocking the affected card/s and implementing other inbuilt security measures.”