To address the problems associated with shared secrets among large groups of people, the card associations came up with the concept of a security code (CV2), a three- or four-digit number printed on the card. This is used as a pseudo-second factor for authentication, attempting to prove the purchaser has the card in her possession.

There are two weaknesses in this patch to the system. First, the security code becomes an additional shared secret. There are specific rules around handling security codes for merchants and service providers, but again we rely on the weakest link in the purchase path. Second, not all banks currently support this code, nor is it required in all cases. This means there is little incentive for the merchant or acquirer to reject a purchase based on a failed check of this code. Thus, the security code offers minimal improvement to the anti-fraud system.

While CV2 attempts to authenticate the consumer, we still lack authentication for the merchant. How does the purchaser know the merchant is legitimate? What prevents consumers from being socially engineered or phished out of their payment data?

The card associations and third-party payment providers have created additional security programs to authenticate and authorize payments in card-not-present situations. Let’s analyze a few of the more common processes in place today in order to assess what is working and any areas that may be flawed.