debit and credit cards–is no longer required to validate tokenised card payments, the bank said. Card tokenisation happens when cardholders save their cards online on e-commerce sites or mobile apps. Customers save their cards on apps or sites where they transact frequently to avoid typing out the full details of the card each time they make a payment.
Consumers mostly save their card details on e-commerce sites like Amazon and Flipkart, food delivery apps like Zomato and Swiggy and quick commerce apps like Blinkit and Zepto. This tokenisation replaces the card’s details, such as the card number and expiry date, with encrypted tokens, making it difficult for cybercriminals to steal the card's information. However, the CVV can’t be encrypted.
Hence, payments on saved cards are completed by keying in the card’s CVV and a one-time password (OTP). As per ICICI’s response to Jain, payment networks have told banks that CVV is no longer a mandatory field for saved cards. Jain is now concerned about the safety of such cards, especially in situations where phones are lost or stolen.
“If someone loses their phone, payments can be made on apps or websites where cards are saved by anyone who has the phone. The OTP required to authenticate the payment will also be sent to the same phone,” he said. To confirm the bank's statement, we attempted payments on HDFC Bank, Kotak Mahindra Bank and ICICI Bank debit cards saved on Amazon by keying in the wrong CVV.
All payments were successfully completed. This indicates that most major banks seem to have disabled CVV for authentication. These payments are now authenticated solely by the OTP sent to the cardholder’s registered mobile number.