I tried to recharge my FastTag account recently through the Paytm app. I decided to make the payment through a credit card. My credit card was already saved/tokenized on the app, and hence I did not have to enter the credit card details. That’s expected and quite convenient too. However, I was not asked to enter the CVV either. The transaction went through after I entered the OTP. No CVV needed. Just the OTP received on the phone was sufficient.
While this certainly adds to convenience, it compromises card security to an extent.
By the way, this issue is not specific to the Paytm app or FastTag recharge. It affects most credit cards that have been saved/tokenized on various apps.
CVV and OTP are two separate security checks for a credit card transaction. The OTP comes to your mobile, so anyone who has access to your mobile automatically has access to the OTP. The CVV is printed on the credit card. The CVV by itself is not a strong security feature, because a single glance at your card reveals it once and for all, but it does add to the card’s security. Multiple security features combine and augment the overall security of the card.
For instance, if both CVV and OTP are needed, the fraudster must have access to your phone (physically or through malware) and physical access to your credit card (directly or through someone he/she knows). You may lose your phone on the metro, but your credit card is still in your wallet.
Alternatively, you may forget your wallet in the nearby kirana shop, but you still have the phone where the OTP will come for any online transaction. For swipe transactions, the card PIN that only you know must be entered. I understand your lost card can still be used for tap-and-pay or international transactions, but you can quickly block your card, or keep the transaction limits for such transactions low.
Why Is CVV Not Needed?
According to this article in LiveMint, which highlighted the same issue, for tokenized cards the card networks (Visa, MasterCard, RuPay) do not send the CVV to the issuing bank. If the card network does not send the CVV, the card-issuing bank cannot verify it. In fact, the transaction can go through even if you enter an incorrect CVV, because no one is verifying the CVV.
RBI does not permit apps/merchants to save your credit card details in raw form (card number, expiry date, etc.). An app/merchant can only store your card details in tokenized form. A token is a unique identifier for a combination of:
- A Credit card
- Issuer/Card network
- Application/merchant (Amazon, Flipkart etc.)
Yes, you must enter your card details (card number, CVV, OTP) on the app the first time and give your consent to the merchant to tokenize the card. The merchant then passes the request on to the card network/issuing bank and saves/tokenizes the card through OTP-based approval. No extra work for you. You may not even notice that the same OTP has been used both to approve the transaction and to tokenize the card. The next time you make a payment on the app, you will see the card in the list of payment options.
How is card tokenization useful? Tokenization is a safety measure. In case of a breach in the merchant’s systems, the hackers would only get access to the tokens and would not be able to extract your credit card details from the token alone. For more on card tokenization, refer to this post.
Note: If you have not saved/tokenized the credit card on the app, you must enter the full card details (holder’s name, credit card number, CVV, and expiry date) and the OTP to complete the transaction.
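The following is an added, simplified model (not Paytm’s, Visa’s or any bank’s code) of the two flows described above: tokenization bound to one merchant, and authorization where the network drops the CVV for token payments but forwards it for a raw-card checkout. The merchant names, PAN and CVV are constructed sample values.

```python
import secrets

# Added toy model of card tokenization and CVV-less authorization.
# Not the code of any real network, bank or app; all values are constructed.

class Issuer:
    """The card-issuing bank: holds the real card data and verifies the CVV."""
    def __init__(self, cards):
        self.cards = cards  # pan -> cvv (constructed sample data)

    def authorize(self, pan, amount, cvv, otp_verified):
        if pan not in self.cards or not otp_verified:
            return "declined"
        # cvv is None when the network did not forward it (tokenized flow):
        # the issuer then has nothing to verify, which is the article's point.
        if cvv is not None and cvv != self.cards[pan]:
            return "declined"
        return "approved"

class CardNetwork:
    """The card network: issues merchant-bound tokens and routes authorizations."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.vault = {}  # token -> (pan, merchant); merchants never see this

    def tokenize(self, pan, cvv, merchant, otp_verified):
        # First-time save: full card details plus OTP consent.
        if self.issuer.authorize(pan, 0, cvv, otp_verified) != "approved":
            raise PermissionError("tokenization not approved by issuer")
        token = secrets.token_hex(8)  # random: reveals nothing about the PAN
        self.vault[token] = (pan, merchant)
        return token

    def pay_with_token(self, token, merchant, amount, otp_verified, cvv_entered=None):
        entry = self.vault.get(token)
        if entry is None or entry[1] != merchant:
            return "declined"  # a token works only at the merchant it was issued to
        pan, _ = entry
        # Whatever CVV the user typed is dropped here; the issuer never sees it.
        return self.issuer.authorize(pan, amount, None, otp_verified)

    def pay_with_card(self, pan, cvv, merchant, amount, otp_verified):
        # Non-tokenized checkout: the CVV is forwarded to the issuer and checked.
        return self.issuer.authorize(pan, amount, cvv, otp_verified)

def demo():
    issuer = Issuer({"4111111111111111": "123"})  # constructed PAN/CVV
    net = CardNetwork(issuer)
    tok = net.tokenize("4111111111111111", "123", "paytm", otp_verified=True)
    return {
        "wrong_cvv_tokenized": net.pay_with_token(tok, "paytm", 500, True, cvv_entered="999"),
        "wrong_cvv_raw_card": net.pay_with_card("4111111111111111", "999", "paytm", 500, True),
        "token_at_other_merchant": net.pay_with_token(tok, "amazon", 500, True),
        "no_otp": net.pay_with_token(tok, "paytm", 500, False),
    }
```

Running `demo()` shows the asymmetry the article describes: a wrong CVV is accepted on the tokenized path but rejected on the raw-card path, while the token is useless at another merchant or without the OTP.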
Why Are Card Networks Not Sending CVV to the Issuing Banks for Verification?
I don’t know. Here is the press release from Visa where it speaks about doing away with the CVV for tokenized cards. All the press release speaks about is reduced friction and greater convenience for users. Perhaps the networks believe that the CVV does not add much value once the card has been tokenized. The CVV was never a very robust security feature anyway. However, as I mentioned before, security features augment one another.
Visa may have thought of other practical issues as well. A credit card tokenized on the Amazon app can only be used on the Amazon app. How will a fraudster use your Amazon account to order items without leaving a trail? While I can poke holes in this argument, it is what it is. No CVV for tokenized cards.
What Can You Do to Reduce Risk?
- Set an unlock PIN or biometric authentication on your mobile phone. With this, you can ensure (or at least reduce the odds) that a fraudster cannot unlock your phone without your permission. To use the tokenized card for a CVV-less payment, the fraudster needs to open the mobile app, and to open the mobile app, they need to unlock the phone first.
- Set transaction limits on your credit card: You can set per-transaction limits on your credit card for different types of transactions (online, physical, ATM, international). You can also set daily transaction limits. This is a way to limit your loss if your phone falls into the wrong hands.
Always remember that nothing is fail-safe. However, even small steps towards safety combine and compound.
Take care of your phone and credit card. Make sure you don’t lose either.
Be proactive. Install mobile banking applications and set transaction limits for different types of transactions. For instance, if you are not planning to travel abroad soon, disable international payments on your credit card. When you find that the card is missing, block the card instantly.
Practice cyber hygiene. Do not use credit cards on websites that you cannot trust. If you notice a suspicious transaction, inform your bank immediately and block the card. This will also help reduce your liability in case of fraud.