December 18, 2020

Cardholder Verification 101

The CVM, or Cardholder Verification Method, is the mechanism used to determine whether the person presenting a card for payment is the legitimate cardholder.

It all begins with the card Issuer. Based on how and where the chip card is meant to be used, and in accordance with payment network rules, the Issuer decides which methods to support and in what order of priority, and personalizes that choice onto the chip.

Several factors drive which CVM is used in a given transaction: the methods supported by both the card and the terminal, transaction parameters such as amount and type, and how the terminal or middleware is configured for the payment environment. Let’s review the types of Cardholder Verification Methods and when they might be required or used:

  • No CVM: Some transactions do not require any cardholder verification at all. This is most commonly used to increase transaction speed, for example in quick-service environments or for low-value contactless transactions, where the small amount bounds the exposure.

  • Online PIN: After the cardholder enters the PIN on the PIN entry device, the PIN block is encrypted inside that device and sent to the host (issuer or processor) as part of the online authorization request. The host verifies the PIN and returns an approval or a decline; the terminal itself never learns the PIN or compares it.

  • Offline PIN: The PIN can instead be verified locally by the chip card itself. The terminal passes the entered PIN to the card, either in plaintext or enciphered under the card’s public key, and the card compares it against the PIN it holds, counting down its remaining tries. This process is known as Offline PIN verification with Online Transaction Authorization. When the PIN check passes, the transaction is sent to the host without a PIN block, but the CVM Results in the request indicate that the PIN check was completed locally and succeeded. The host then approves or declines, taking into account the offline PIN check reported by the terminal.

  • Signature: A signature can be collected manually on the receipt or captured digitally on a device touchscreen. Historically a necessary CVM, signature also played a prominent role during the transition to EMV chip cards. As cardholders have grown comfortable with PIN use, the importance of this CVM has continued to decline, and the card brands have begun removing requirements for cardholder signatures. In most cases merchants may choose not to capture a signature as a cardholder verification method, except where local laws or regulations require it. Talk to your card provider(s) or processor(s) to ensure you remain compliant if you no longer wish to support this method.

  • Consumer Device CVM (CDCVM): This CVM is used when the cardholder is verified on a consumer device, such as a smartwatch or smartphone, rather than by the payment terminal. (Think Apple Pay or Android Pay.) The actual method depends on the device; it might, for example, require the cardholder to enter a code on an Apple Watch or scan a fingerprint on a phone. On some devices the cardholder must perform CDCVM before initiating the transaction. If the cardholder has not already done so when presenting the “card”, the terminal prompts the cardholder to follow the instructions on the device to complete the verification, after which the cardholder must re-present the “card”. CDCVM may also be referred to as On-Device CVM or Mobile CVM.
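The Online PIN and Offline PIN entries above describe two different paths for the same secret. The following is an added example, not code from the original article: it builds the ISO 9564-1 Format 0 PIN block that a PIN entry device encrypts and sends online, the Format 2 block that EMV sends to the card in a VERIFY command for offline PIN, decodes the card’s status word, and packs the CVM Results (tag 9F34) the terminal reports to the host afterwards. The PAN and PIN are constructed test values, and the encryption of the Format 0 block under the terminal’s PIN key, which happens inside the secure PIN entry device, is deliberately left out.

```python
"""PIN blocks behind the Online PIN and Offline PIN CVMs.

Added example, not code from the original article. Formats follow
ISO 9564-1 (Format 0 for online PIN, Format 2 for the EMV VERIFY
command) and EMV Book 3 (VERIFY, CVM Results tag 9F34). The PAN and PIN
used below are constructed test values, and the encryption of the online
block under the terminal's PIN key, done inside the secure PIN entry
device, is left out.
"""

def _pin_field(control: str, pin: str) -> str:
    """Control nibble, PIN length nibble, PIN digits, 'F' padding to 16 hex digits."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 digits")
    return f"{control}{len(pin):X}{pin}".ljust(16, "F")

def pin_block_format0(pin: str, pan: str) -> bytes:
    """ISO 9564-1 Format 0 (online PIN): PIN field XOR PAN field.

    Mixing in the PAN binds the block to this card, so an encrypted block
    captured on one transaction cannot simply be replayed for another PAN.
    """
    if not pan.isdigit():
        raise ValueError("PAN must be digits")
    # 12 rightmost PAN digits excluding the check digit, left-padded with zeros
    pan_field = "0000" + pan[:-1][-12:].rjust(12, "0")
    pin_field = _pin_field("0", pin)
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))

def pin_block_format2(pin: str) -> bytes:
    """ISO 9564-1 Format 2 (offline PIN): no PAN mixing, because the card
    already knows which PAN it belongs to; this is what EMV sends in VERIFY."""
    return bytes.fromhex(_pin_field("2", pin))

def verify_apdu(pin: str) -> bytes:
    """EMV VERIFY for plaintext offline PIN: CLA 00, INS 20, P1 00, P2 80, Lc, data."""
    block = pin_block_format2(pin)
    return bytes([0x00, 0x20, 0x00, 0x80, len(block)]) + block

def decode_verify_sw(sw: int) -> str:
    """Interpret the status word the card returns to VERIFY."""
    if sw == 0x9000:
        return "PIN verified"
    if sw & 0xFFF0 == 0x63C0:               # 63Cx: x = PIN tries remaining
        return f"wrong PIN, {sw & 0x0F} tries remaining"
    if sw == 0x6983:
        return "PIN blocked"
    return f"unexpected status {sw:04X}"

def cvm_results(cvm_code: int, condition: int, sw: int) -> bytes:
    """CVM Results (9F34) carried in the online request after an offline PIN:
    the CVM code byte of the rule performed, its condition code, and
    02 = successful or 01 = failed, so the host knows the card checked the PIN."""
    return bytes([cvm_code, condition, 0x02 if sw == 0x9000 else 0x01])

if __name__ == "__main__":
    PIN, PAN = "1234", "4111111111111111"       # constructed test values
    print("Format 0:", pin_block_format0(PIN, PAN).hex().upper())
    print("VERIFY  :", verify_apdu(PIN).hex().upper())
    for sw in (0x9000, 0x63C2, 0x6983):
        print(f"{sw:04X} ->", decode_verify_sw(sw))
```

Two points worth noticing when running it: the same PIN produces a different Format 0 block for every PAN, which is the whole point of the PAN mixing, and the 63Cx status word is how the card exposes its retry counter, so a terminal that loops on VERIFY will block the PIN after the card’s limit is reached.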

CVM and Cards

Individual cardholder verification rules are combined into a CVM List that is personalized onto the chip card. The CVM List indicates the method(s) that apply to each Application Identifier (AID). An AID identifies a payment application on the card, typically a brand or product of a given payment network, as assigned under that network’s standards. Each AID on the card can carry its own CVM List, and chip cards can support more than one AID. A familiar example is US debit, where a card carries both a Common AID, which lets merchants and acquirers route the transaction to any debit network available on the card, and a Global AID, which can be used within the US or internationally.

During a transaction the chip card returns its CVM List to the terminal: the verification methods in the Issuer’s priority order, the condition under which each applies, whether to fall through to the next method if one cannot be performed, and the amount thresholds those conditions reference. The terminal walks this list to decide which method to perform, and the transaction proceeds from there.

CVM and Terminals

Chip-enabled terminals can support more than one Application Identifier (AID). They can also support multiple CVMs per AID. (So, for example, AID 1 may support Online Enciphered PIN for ATM use and No CVM for low-value retail contactless purchases.)

CVM and Middleware

The behavior of some cardholder verification methods can be driven by configuration. For instance, ceiling limits for No CVM on contactless can be set by transaction value, so that anything above a prescribed dollar amount triggers a CVM prompt while anything below it does not. This is a valuable feature where speed of service matters, and the limit also caps what a lost or stolen card can be used for without any verification.
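The CVM List structure described under CVM and Cards, the terminal-side selection described under CVM and Terminals, and the amount thresholds just mentioned all come together in one procedure. The following is an added Python example, not code from the original article: it decodes a CVM List (tag 8E) into its Amount X, Amount Y and rule entries, then walks the rules the way an EMV contact terminal does, checking each rule’s condition, whether the terminal’s capabilities (tag 9F33, byte 2) allow the method, and the fail-cascade bit that decides whether an unsupported method falls through to the next rule. The byte layout and code values follow EMV Book 3; the sample lists, terminal capability values and amounts are constructed, and how an amount exactly equal to a threshold is classified is an assumption noted in the code.

```python
"""Decode an EMV CVM List (tag 8E) and run the terminal's CVM selection.

Added example, not code from the original article. The byte layout, CVM
codes, condition codes and Terminal Capabilities (9F33) bits follow EMV
Book 3; the sample CVM Lists and terminal settings below are constructed.
The outcome of actually performing a CVM (e.g. a mistyped PIN) is out of
scope: select_cvm returns the method the terminal would attempt first.
"""
from dataclasses import dataclass

FAIL_CASCADE = 0x40  # bit 7 of the CVM code: 1 = try next rule if this one fails
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC (offline)",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC + signature",
    0x04: "Enciphered PIN verified by ICC (offline)",
    0x05: "Enciphered PIN by ICC + signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
# Terminal Capabilities (9F33) byte 2: the CVMs this terminal can perform.
CAP_PLAINTEXT_PIN_ICC, CAP_ENC_PIN_ONLINE, CAP_SIGNATURE = 0x80, 0x40, 0x20
CAP_ENC_PIN_ICC, CAP_NO_CVM = 0x10, 0x08
CAPS_NEEDED = {  # capability bits a terminal needs to perform each method
    0x01: CAP_PLAINTEXT_PIN_ICC, 0x02: CAP_ENC_PIN_ONLINE,
    0x03: CAP_PLAINTEXT_PIN_ICC | CAP_SIGNATURE, 0x04: CAP_ENC_PIN_ICC,
    0x05: CAP_ENC_PIN_ICC | CAP_SIGNATURE, 0x1E: CAP_SIGNATURE, 0x1F: CAP_NO_CVM,
}

@dataclass
class CvmRule:
    method: int      # low six bits of the CVM code byte
    cascade: bool    # apply the next rule if this CVM is unsuccessful
    condition: int   # CVM condition code

@dataclass
class CvmList:
    amount_x: int    # 4-byte binary amounts in the application currency
    amount_y: int
    rules: list

def parse_cvm_list(raw: bytes) -> CvmList:
    """Tag 8E: Amount X (4), Amount Y (4), then 2-byte rules in priority order."""
    if len(raw) < 8 or (len(raw) - 8) % 2:
        raise ValueError("malformed CVM List")
    rules = [CvmRule(raw[i] & 0x3F, bool(raw[i] & FAIL_CASCADE), raw[i + 1])
             for i in range(8, len(raw), 2)]
    return CvmList(int.from_bytes(raw[:4], "big"), int.from_bytes(raw[4:8], "big"), rules)

def terminal_supports(method: int, termcap: int) -> bool:
    needed = CAPS_NEEDED.get(method)
    return needed is not None and termcap & needed == needed

def condition_met(rule, cl, termcap, amount, same_currency, txn_type) -> bool:
    """Evaluate the rule's condition code; unrecognised codes are skipped."""
    c = rule.condition
    if c == 0x00: return True
    if c == 0x01: return txn_type == "unattended_cash"
    if c == 0x02: return txn_type not in ("unattended_cash", "manual_cash", "cashback")
    if c == 0x03: return terminal_supports(rule.method, termcap)
    if c == 0x04: return txn_type == "manual_cash"
    if c == 0x05: return txn_type == "cashback"
    if c in (0x06, 0x07, 0x08, 0x09):
        if not same_currency:   # X/Y only apply in the application currency
            return False
        limit = cl.amount_x if c in (0x06, 0x07) else cl.amount_y
        # Assumption: an amount equal to the threshold counts as "over".
        return amount < limit if c in (0x06, 0x08) else amount >= limit
    return False

def select_cvm(cl, termcap, amount, same_currency=True, txn_type="purchase") -> str:
    """Walk the Issuer's rules in order and return the CVM the terminal attempts,
    or "fail" when processing ends with cardholder verification unsuccessful."""
    for rule in cl.rules:
        if not condition_met(rule, cl, termcap, amount, same_currency, txn_type):
            continue
        if terminal_supports(rule.method, termcap):
            return CVM_METHODS[rule.method]
        if not rule.cascade:    # unsupported (or "Fail CVM") with no fall-through
            return "fail"
    return "fail"               # list exhausted without performing a CVM

# Constructed sample: X = 50.00 (5000 minor units). No CVM under X, then online
# PIN if supported, then signature if supported, then No CVM always.
SAMPLE_LIST = bytes.fromhex("0000138800000000" "1F06" "4203" "5E03" "1F00")
# Constructed sample with no fall-through: online PIN or nothing.
STRICT_LIST = bytes.fromhex("0000000000000000" "0200" "1F00")

if __name__ == "__main__":
    cl = parse_cvm_list(SAMPLE_LIST)
    for amt, cap in ((2500, 0x68), (7500, 0x68), (7500, 0x28), (7500, 0x08)):
        print(f"amount={amt} termcap={cap:02X}: {select_cvm(cl, cap, amt)}")
    print("strict list, PIN-less terminal:", select_cvm(parse_cvm_list(STRICT_LIST), 0x08, 100))
```

The two sample lists show the practical difference the fail-cascade bit makes: with the first list a terminal that cannot do online PIN still ends up with signature or No CVM, whereas with the second list the same terminal fails cardholder verification outright, which is exactly the lever an Issuer uses when it wants a PIN and nothing else.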

Conclusion

Overall, the payment network standards for these verification methods are both clear and robust, with Issuers setting the stage and Acquirers/hosts supporting that process. Beneath that, terminal providers ensure that their terminals can support the CVM requirements within the framework for segments including ATMs, Attended and Unattended POS environments. And within it all, middleware providers ensure that the appropriate verification methods are included in the solution(s) by segment or industry and that due diligence has been applied in accordance with all the underlying requirements.

Merchants can safely rely on these systems to support CVM requirements. However, they should understand the methods and rules in place for their environments and ensure that client-facing staff are educated on the topic as well. After all, knowledge is the best way in which we can all serve our customers.
