In an unusual tactic to thwart credit card fraud, Wal-Mart Stores Inc. nearly a year ago quietly implemented a policy in which its point-of-sale terminals prompt some cardholders to enter their card’s verification number, a code normally used for card-not-present transactions such as mail-order/telephone order (MOTO) and Internet purchases.
The policy is now in force in nearly 4,900 U.S. Wal-Mart and Sam’s Club Stores, according to a spokesperson for Bentonville, Ark.-based Wal-Mart, the nation’s largest retailer. It only applies to credit cards issued by four firms: JPMorgan Chase & Co., Citigroup Inc., American Express Co. and a fourth that the spokesperson could not identify Tuesday afternoon. Sales above certain undisclosed thresholds trigger the POS-terminal prompts.
Chase, Citi and AmEx rank among the largest U.S. issuers and undoubtedly would account for a large number of Wal-Mart credit card transactions. It is unclear if Wal-Mart approached the issuers about asking for the prompts or if the issuers approached Wal-Mart.
Card verification numbers have different formal names depending on the card network, although they all serve the same purpose of authenticating the card in a transaction where it is not actually present. Visa Inc. calls its number the Card Verification Value 2 (CVV2) while MasterCard Inc.’s term is Card Validation Code 2 (CVC 2). The Visa and MasterCard numbers are three-digit codes printed on the back of the card; AmEx uses a four-digit code on the front.
While stolen primary account numbers (PANs) and card expiration dates obtained through data breaches are abundant in underground Internet markets, verification numbers are less so. Visa and MasterCard prohibit banks from encoding CVV 2 and CVC 2 numbers into magnetic stripes. That means that a fraudster trying to use a counterfeit bank credit card at Wal-Mart could be thwarted if he couldn’t produce a CVV 2 or CVC 2.
The Wal-Mart spokesperson says the policy has produced results, although she could not quantify how much. “We are seeing a reduction in fraudulent transactions, according to the information that we’ve received from the card issuers,” she says.
Asked if the policy has resulted in longer transaction times, the spokesperson says a customer complaint in a story broadcast Monday by Houston television station KPRC, which apparently broke the story, was the first negative comment she had heard about the policy. Wal-Mart says the policy will be discontinued once Europay-MasterCard-Visa (EMV) chip cards replace magnetic-stripe payment card in the U.S.
Al Pascual, senior analyst for fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research, says he hasn’t heard about other retailers asking for the printed verification values at the point of sale. “I think this change on the part of Wal-Mart kind of makes sense in the existing environment,” he says, noting the recent data breaches at Target Corp. and other merchants.
Wal-Mart, however, is taking on some extra risk by employing a verification number, either while it is in transit, in use or at rest. “It potentially could be gleaned,” he says. “No system is 100% secure.”
In debit card transactions, Wal-Mart’s POS terminals typically prompt the customer to enter the card’s four-digit PIN.