m →Types: Copy edit ▸ Diction modified to correct grammar (second-person tense, 𝑖.𝑒. "you"); syntax for link to section in other article repaired, and presentation (reference to aforementioned section visually augmented) Tags: Mobile edit Mobile app edit Android app edit App section source
ClueBot NG m Reverting possible vandalism by Cute Jayden to version by VulcanSphere. Report False Positive? Thanks, ClueBot NG. (4413424) (Bot)
(7 intermediate revisions by 5 users not shown)
Line 30:
There are several types of security codes and PVV (all generated from [[Data Encryption Standard|DES]] key in the bank in [[Hardware security module|HSM]] modules using [[Payment card number|PAN]], expiration date and service code):
* The first code, 3 numbers, called CVC1 or CVV1, is encoded on track one and two of the [[Magnetic stripe card|magnetic stripe]] of the card and used for card present transactions, with signature (second track also contains pin verification value, PVV, but now it is usually all zeroed out and service code). The purpose of the code is to verify that a payment card is actually in the hand of the merchant (thus it should be different from CVV2). This code is automatically retrieved when the magnetic stripe of a card is read (swiped) on a [[point-of-sale]] (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid, notwithstanding the fact that cardholder signature will still usually be required {{xref|(see: {{slink|Credit card fraud|Skimming}})}}
* The second code, and the most cited, is CVV2 or CVC2. This code is often used by merchants for [[card not present transaction]]s including online purchases. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person. Uses service code 000.
* Contactless and/or chip [[EMV]] cards supply their own electronically generated codes, called {{proper name|iCVV}}. Uses service code 999. It is described in public standards from EMVCo.
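Review bot: In the first bullet, the parenthetical "(second track also contains pin verification value, PVV, but now it is usually all zeroed out and service code)" does not parse: "and service code" is left dangling after the clause about the PVV being zeroed out, so it is unclear whether the service code is a second item stored on track two or part of what is zeroed. Suggest listing the track-two contents first and putting the zeroing remark after them. The same bullet ends at the {{xref|...}} template with no closing full stop, and "Uses service code 000." and "Uses service code 999." in the next two bullets are subjectless fragments with no citation; make them full sentences and source the service-code values.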
Line 36:
== Location ==
[[File:Back of Bank Jago Visa Debit card.jpg|thumb|Some cards do not place card security code on the cards themselves, cardholders can look for it inside the bank's [[Online banking|mobile application]]]]
The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, however, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.
* American Express cards have a four-digit code printed on the front side of the card above the number.
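Review bot: The last sentence of the paragraph, "The card security code is not encoded on the magnetic stripe but is printed flat", conflicts with the Types section shown under Line 30, which says CVC1/CVV1 is encoded on tracks one and two of the magnetic stripe. Suggest naming the printed code (CVV2/CVC2) here instead of the generic term. The American Express placement is also given twice with different wording ("on the front towards the right" in the paragraph, "on the front side of the card above the number" in the bullet); keep one description. The thumbnail caption joins two independent clauses with a comma and would read better split after "themselves".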
Line 51:
As a security measure, merchants who require the CVV2 for "[[Card not present transaction|card not present]]" transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.<ref name="visa">{{cite web|title=Rules for Visa Merchants|url=http://usa.visa.com/download/merchants/pdra_form_dec2006.doc|format=doc|page=1|access-date=26 February 2013|archive-url=https://web.archive.org/web/20140224171209/http://usa.visa.com/download/merchants/pdra_form_dec2006.doc|archive-date=24 February 2014|url-status=dead}}</ref> This way, if a database of transactions is [[compromise#Security|compromised]], the CVV2 is not present and the stolen card numbers are less useful. [[Virtual terminal]]s and [[payment gateways]] do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.
The [[Payment Card Industry Data Security Standard]] (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits
Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as [[Sears, Roebuck and Company|Sears]] and [[Staples Inc.|Staples]], require the code. For [[American Express]] cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
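Review bot: The PCI DSS paragraph stops mid-sentence at "This applies globally to anyone who stores, processes or transmits", so the scope of the prohibition has no object; the sentence needs to be completed before this revision stands. In the paragraph after it, "Since the CSC is not contained on the magnetic stripe" should say CVV2, as the rest of that paragraph does, because the page elsewhere describes CVC1/CVV1 as stripe-encoded. The statements that Sears and Staples require the code and that American Express has required it in EU countries "since the start of 2005" carry no reference, unlike the Visa storage rule above them, and the absolute "Virtual terminals and payment gateways do not store the CVV2 code" would be safer attributed to the rule that forbids it.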