Fraud protection limitations of CVC for online merchant
The card security code (CSC) cannot protect against phishing scams. This scam is where the cardholder is tricked into entering the CSC among other card details via a fraudulent website interface. This type of fraud has grown and has the reduced the effectiveness of the CSC as an anti-fraud device. The growth of this type of scam has seen growth since building legitimate-looking websites has become easier and quicker to deploy.
Another scam is where an individual has hacked a merchant database and has obtained the card account information and then uses this information to provide proof of authenticity when asking the victims for this missing information for online transaction frauds.
Since the Payment Card Industry Data Security Standard (PCI DSS) does not allow to store the CSC to be stored by the merchant for any length of time, a merchant who needs to bill a card regularly would not be able to provide the code on each transaction following the initial transaction. In order to accommodate these payment gateways, an added "periodic billing" feature is a part of the initial payment authorization process information data.
Since It is not mandatory for a merchant to require the security code for making a transaction some card issuers will generally charge merchants higher card processing rates where the CSC not validated and when any fraudulent transactions without CSC validation investigations are more likely to be resolved in favor of the cardholder at the cost of the merchant.