1. What sparked your initial interest in CVV technology, and what limitations did you observe in early implementations?
I had seen the French card issuer, Soc. Gen, use a dynamic CVV, which is powered by a physical card embedded with a battery, to display a small LCD screen that randomly generates a new 3-digit number every 60 seconds. The technology was designed for commercial card users and was found to have almost zero fraud when used for CNP payments.
However, the battery had a limited lifespan, less than 2-3 years on average, and required the issuer to issue a brand-new physical card to the cardholder to replace the old static CVV-based card (3 digits embossed on the rear). The number could only rotate every 60 minutes to allow the card to provide the dynamic service for 2-3 years due to battery life limitations. The early implementation was therefore limiting, not digitally friendly, and was subject to WEEE disposal of the card when the battery failed. However, the major drawback was the cost – the card was on average £10, compared to a typical card costing less than 50p. Then I saw the Visa solution in action in Australia with several banks. As Visa acted as a processor, it was able to use some existing legacy technology to achieve a dynamic CVV service, but it had limitations. It was challenging to have two process vendors deal with local cards (Australian only) and outside of country (Visa) and to keep them in sync, and they could not prevent certain numbers from being generated, like 123, 999 and 000, which cause issues to the processing community.
2. How does SafeCypher's CVV solution differ from existing approaches in terms of user experience and cost-effectiveness?
The solution still uses randomly displayed new code, but in the issuer’s App, and it lasts for up to 5 minutes only (configurable from 1 to 5 minutes). The existing card has been activated in the issuer’s App, so there is no need to reissue a new card. As a result, there are no new card costs, and the user simply goes to the App (first screen) to view the CVV number for payment use.
3. Can you walk us through how the dynamic CVV process works within the An Post banking app and the key outcomes from that trial?
Firstly, it is not a trial with An Post; they are in full-blown production and commercial use of the service, and have been for over 12 months, with a 3-year contract. The current outcome of the product is that no single CNP fraud has occurred with any activated cardholder using the technology since its inception (12 months and counting), and no wallet onboarding fraud has happened as well.
4. With Card Not Present fraud losses hitting an estimated $35.8 billion in 2024, why do you think major payment networks have been slow to adopt more robust solutions?
They have relied on sophisticated, innovative, but expensive ML and AI technology to effectively provide a real-time risk score of the likelihood that the payment being presented for authorisation by a merchant is from the correct and legitimate cardholder. There are many different providers of this technology and service, and all are better than nothing and good. Still, their weakness is that it effectively guesses, albeit in a sophisticated way, the likelihood that the real cardholder is making the payment. The weakness is that even at a 98% success rate, it still means that 2% get through. The scale of transactions means that even at low percentages, it results in significant losses.
Another issue is that the regulation, particularly in Europe, was designed to present “challenges” to identify the legitimacy of the cardholder, but that led to cardholder abandonment. Issuers and merchants hated friction, which led to abandonment, and so exemptions were introduced to make challenges less likely and, consequently, increase the likelihood of fraud. That is, no SCA will be asked below 30 euros in Europe, which means that criminals often commit small-scale fraud. Small frauds are easy, as it is unlikely that you will see a chargeback being requested by the issuer, as the costs of the chargeback often exceed the fraud loss.
5. What technical or regulatory challenges did you face getting SafeCypher approved and integrated by a national postal bank like An Post?
Our service and product had to meet the PCI DSS criteria and were validated accordingly, and the SDK was tested and approved for insertion into their App by their app vendor. That was all.
6. How are large US fintech companies testing SafeCypher differently than you did in Ireland, and what feedback have you received so far?
I am unable to answer this as we are subject to NDA and contracts in some cases. But we are deploying in the US with APIs rather than an SDK in the App. Using an API means that it is so much simpler to deploy to an issuer, just two standard tested APIs that an issuer codes into their existing App, and it usually takes less than 2-3 months man hrs with basic web development skills required. So, in theory, 3 web developers could do this in 4 weeks at a cost of less than £70,000.
7. For merchants and consumers alike, what operational impact should they expect when deploying dynamic CVV protection?
There is no effect on merchants’ systems or processes, as they do not know whether the CVV provided by the cardholder on the merchant’s payment page is static or dynamic, and they do not care. For the consumers, they use the dynamic CVV displayed in the App, NOT the static one on the back of the card.
8. How do you measure the effectiveness of SafeCypher in reducing CNP fraud, and what early metrics have been most encouraging?
See point 3 – additionally, an 80% retention level for activation, which is just below 30% of the cardholder base. However, the Halo effect of this security means that criminals are aware they have a high chance of being rejected when using An Post’s compromised data on the merchant’s sites.
9. How do you navigate industry scepticism and persuade stakeholders to invest in anti-fraud innovation?
That is a great question – the industry is fundamentally slow to change and often wants others to take the “risk” before they do, and usually, the larger the issuer, the slower to change they are. I was recently told that their CNP fraud was within the Budget. Within Budget meant that 10 million dollars was lost to criminals each year. That was $10 million lost to the issuer’s profitability and charged to the cardholder through payment costs that were higher than necessary. It is just not acceptable in my opinion.
10. Looking ahead, how do you see dynamic CVV fitting into a broader, layered approach to payment security? And what’s next for SafeCypher’s technology roadmap?
Our product is a fraud product that, instead of looking at real-time about the likelihood of the fraud taking place, stops it simply and in real time by saying if you, as the cardholder, do not have the correct dynamic code, we will reject the payment before it even starts the payment journey, by a simple decline.
Ahead of this product is a much bigger prize: cost-effective authentication of a cardholder’s identity, allowing for improved identity verification in various use cases within the payment industry and beyond. The innovation has some great potential to solve the issue of identification and verification without the need for cost and complexity of deployment.