Content deleted Content added
m fixed typo |
ClueBot NG (talk | contribs) m Reverting possible vandalism by Cute Jayden to version by VulcanSphere. Report False Positive? Thanks, ClueBot NG. (4413424) (Bot) |
||
| (887 intermediate revisions by more than 100 users not shown) | |||
Line 1:
{{short description|Security feature on payment cards}}
{{redirect|CVC2|the airport in Ontario, Canada|Voyageur Channel Water Aerodrome}}
{{Use dmy dates|date=December 2020}}
[[file:CVC2SampleVisaNew.png|thumb|The card security code is located on the back of [[Mastercard]], [[Visa Inc.|Visa]], [[Discover Card|Discover]], [[Diners Club]], and [[JCB (credit card company)|JCB]] credit or debit cards and is typically a separate group of three digits to the right of the signature strip]]
[[file:CIDSampleAmex.png|thumb|On [[American Express]] cards, the card security code is a printed, not embossed, group of four digits on the front towards the right]]
A '''card security code''' ('''CSC'''; also known as '''CVC''', '''CVV''', or [[#Naming|several other names]]) is a series of numbers that, in addition to the [[bank card number]], is printed (but not [[Paper embossing|embossed]]) on a [[credit card|credit]] or [[debit card]]. The CSC is used as a security feature for [[card not present transaction]]s, where a [[personal identification number]] (PIN) cannot be manually entered by the cardholder (as they would during [[payment terminal|point-of-sale]] or card present transactions). It was instituted to reduce the incidence of [[credit card fraud]]. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical [[credit card imprinter]] which will only pick up embossed numbers.
These codes are in slightly different places for different card issuers. The CSC for [[Visa Inc.|Visa]], [[Mastercard]], and [[Discover Card|Discover]] credit cards is a three-digit number on the back of the card, to the right of the signature box. The CSC for [[American Express]] is a four-digit code on the front of the card above the account number. See the figures to the right for examples.
CSC was originally developed in the UK as an eleven-character alphanumeric code by [[Equifax]] employee Michael Stone in 1995. After testing with the [[Littlewoods]] Home Shopping group and [[NatWest]] bank, the concept was adopted by the UK [[Association for Payment Clearing Services]] (APACS) and streamlined to the three-digit code known today. [[Mastercard]] started issuing CVC2 numbers in 1997 and [[Visa Inc.|Visa]] in the United States issued them by 2001. [[American Express]] started to use the CSC in 1999, in response to growing [[e-commerce|Internet transactions]] and card member complaints of spending interruptions when the security of a card has been brought into question.
[[Contactless payment|Contactless]] card and chip cards may electronically generate their own code, such as {{proper name|iCVV}} or a ''dynamic'' CVV.366
* [[American Express]] cards have a 4 digit code printed on the front side of the card above the number, referred to as the "CID", or Card Identification Number. It is printed flat, not embossed like the card number.▼
== Naming ==
The codes have different names:
* "CSC" or "card security code": [[debit card]]s,{{which|date=November 2015}} American Express (three digits on back of card, also referred to as 3CSC)<ref>{{cite web|title=SafeKey Frequently Asked Questions {{!}} American Express Canada|url=https://www.americanexpress.com/ca/en/security/safekey/faqs/|access-date=2021-05-04|website=www.americanexpress.com}}</ref>
* "CVC" or "card validation code": [[Mastercard]]
* "CVV" or "card verification value": [[Visa Inc.|Visa]]
* "CAV" or "card authentication value": [[JCB (credit card company)|JCB]]
* "CID": "card ID", "card identification number", or "card identification code": [[Discover Card|Discover]], [[American Express]] (four digits on front of card). American Express usually uses the four-digit code on the front of the card, referred to as the card identification code (CID), but also has a three-digit code on the back of the card, referred to as the card security code (CSC). American Express also sometimes refers to a "unique card code".<ref>{{cite web|title=American Express® Card security features|url=https://www.americanexpress.com/content/dam/amex/hk/en/staticassets/merchant/pdf/support-and-services/useful-information-and-downloads/GuidetoCheckingCardFaces.pdf|url-status=live|archive-url=https://web.archive.org/web/20201127205221/https://www.americanexpress.com/content/dam/amex/hk/en/staticassets/merchant/pdf/support-and-services/useful-information-and-downloads/GuidetoCheckingCardFaces.pdf|archive-date=2020-11-27|access-date=2021-05-04|website=www.americanexpress.com}}</ref>
* "CVD" or "card verification data": [[Discover Card|Discover]]
* "CVE" or "Elo verification code": [[Elo (card association)|Elo]] in [[Brazil]]
* "CVN" or "card validation number", also "card verification number": [[China UnionPay]], [[Google Ads]]<ref>{{cite web | url = https://support.google.com/google-ads/answer/78492 | title = Card verification number (CVN) | access-date = 2023-07-02 }}</ref>
* "SPC" or "signature panel code"<ref>{{cite web | url = https://www.securesuite.net/cibc/tdsecure/spc_description.jsp?cycfg_affinity=mc | title = CIBC MasterCard - MasterCard SecureCode | access-date = 2012-07-12 | url-status=dead | archive-url = https://web.archive.org/web/20140424011239/https://www.securesuite.net/cibc/tdsecure/spc_description.jsp?cycfg_affinity=mc | archive-date = 24 April 2014 }}</ref>
* "CCV" or "card code verification": commonly used in [[Canada]]
== Types ==
There are several types of security codes and PVV (all generated from [[Data Encryption Standard|DES]] key in the bank in [[Hardware security module|HSM]] modules using [[Payment card number|PAN]], expiration date and service code):
* The first code, 3 numbers, called CVC1 or CVV1, is encoded on track one and two of the [[Magnetic stripe card|magnetic stripe]] of the card and used for card present transactions, with signature (second track also contains pin verification value, PVV, but now it is usually all zeroed out and service code). The purpose of the code is to verify that a payment card is actually in the hand of the merchant (thus it should be different from CVV2). This code is automatically retrieved when the magnetic stripe of a card is read (swiped) on a [[point-of-sale]] (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid, notwithstanding the fact that cardholder signature will still usually be required {{xref|(see: {{slink|Credit card fraud|Skimming}})}}.
* The second code, and the most cited, is CVV2 or CVC2. This code is often used by merchants for [[card not present transaction]]s including online purchases. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person. Uses service code 000.
* Contactless and/or chip [[EMV]] cards supply their own electronically generated codes, called {{proper name|iCVV}}. Uses service code 999. It is described in public standards from EMVCo.
* Consumer Device Cardholder Verification Method (CDCVM for short) is a type of identity verification in which the user's mobile device (such as a smartphone) is used to verify the user's identity; for example, it can use the device's [[biometrics]] authentication features (e.g. [[Touch ID]] or [[Face ID]]), or the device's set [[password|passcode]]. It is supported by a number of payment systems, such as [[Apple Pay]],<ref>{{cite magazine|url=https://www.wired.co.uk/article/apple-pay-uk-payments-cap|title=Apple Pay £20 limit in the UK will 'change over time'|magazine=Wired UK|date=2015-06-24|accessdate=2022-06-24}}</ref> [[Google Pay (payment method)|Google Pay]]<ref>{{cite web|url=https://www.avira.com/en/blog/breakthrough-mobile-payments-google-pay-launched-in-germany|title=Breakthrough for mobile payments? Google Pay launched in Germany|website=[[Avira]]|date=2018-07-17|accessdate=2022-06-24}}</ref> or [[Samsung Pay]].<ref>{{cite web|url=https://www.sammobile.com/news/samsung-pay-australian-users-allow-high-value-purchases-without-pin/|title=Samsung Pay now allows Australian users to make high-value purchases without PIN|website=SamMobile|date=2020-09-22|accessdate=2022-06-24}}</ref>
== Location ==
[[File:Back of Bank Jago Visa Debit card.jpg|thumb|Some cards do not place card security code on the cards themselves, cardholders can look for it inside the bank's [[Online banking|mobile application]]]]
The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, however, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.
▲*
* [[Diners Club]], Discover, [[Japan Credit Bureau|JCB]], Mastercard, and Visa credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.
* New North American Mastercard and Visa cards feature the code in a separate panel to the right of the signature strip.<ref>{{cite web|url=http://www.visa.ca/en/merchant/pdfs/security_features.pdf|title=Card Security Features |publisher= Visa|archive-url=https://web.archive.org/web/20120216145102/http://www.visa.ca/en/merchant/pdfs/security_features.pdf |archive-date=2012-02-16}}</ref> This has been done to prevent overwriting of the numbers by signing the card.
== Generation ==
The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys known only to the card issuer, and decimalising the result (in a similar manner to a [[hash function]]).<ref>{{cite web|date=2012-09-18|title=VISA PIN Algorithms|url=https://www.ibm.com/docs/en/zos/2.1.0?topic=algorithms-visa-pin|access-date=2021-06-18|website=www.ibm.com|language=en-us}}</ref><ref>{{cite web|url=http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/CSFB4Z20/2.4.2?SHELF=&DT=20020114105428 |archive-url=https://archive.today/20120713194459/http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/CSFB4Z20/2.4.2?SHELF=&DT=20020114105428 |url-status=dead |archive-date=13 July 2012 |publisher=IBM|title=z/OS Integrated Cryptographic Service Facility Application Programmer's Guide|date=March 2002|page=209}}</ref><ref>{{cite web|url=http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/CSFB4Z20/2.4.5.16?SHELF=&DT=20020114105428 |archive-url=https://archive.today/20120717044345/http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/CSFB4Z20/2.4.5.16?SHELF=&DT=20020114105428 |url-status=dead |archive-date=17 July 2012 |publisher=IBM|title=z/OS Integrated Cryptographic Service Facility Application Programmer's Guide|date=March 2002|page=258}} </ref>
== Benefits and limitations ==
{{procon|section|date=May 2021}}
As a security measure, merchants who require the CVV2 for "[[Card not present transaction|card not present]]" transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.<ref name="visa">{{cite web|title=Rules for Visa Merchants|url=http://usa.visa.com/download/merchants/pdra_form_dec2006.doc|format=doc|page=1|access-date=26 February 2013|archive-url=https://web.archive.org/web/20140224171209/http://usa.visa.com/download/merchants/pdra_form_dec2006.doc|archive-date=24 February 2014|url-status=dead}}</ref> This way, if a database of transactions is [[compromise#Security|compromised]], the CVV2 is not present and the stolen card numbers are less useful. [[Virtual terminal]]s and [[payment gateways]] do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.
The [[Payment Card Industry Data Security Standard]] (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits cardholder data.<ref>{{cite web|url=https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml |title=Official Source of PCI DSS Data Security Standards Documents and Payment Card Compliance Guidelines |publisher=Pcisecuritystandards.org |access-date=2011-12-25}}</ref>
Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as [[Sears, Roebuck and Company|Sears]] and [[Staples Inc.|Staples]], require the code. For [[American Express]] cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
Limitations include:
* The use of the CSC cannot protect against [[phishing]] scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information ''to'' the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs and the purpose of the scam in the first place).<ref name="snopes">{{cite web|url=http://www.snopes.com/crime/warnings/creditcard.asp |title=Urban Legends Reference Pages: Visa Fraud Investigation Scam |date=23 December 2003 |publisher=Snopes.com |access-date=2011-12-25}}</ref>
* Since the CSC may not be stored by the merchant for any length of time<ref name="visa"/> (after the original transaction in which the CSC was quoted and then authorized), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction. Payment gateways, however, have responded by adding "periodic bill" features as part of the authorization process.
* Some card issuers do not use the CSC. However, transactions without CSC are possibly subjected to higher card processing cost to the merchants,{{citation needed|date=March 2014}} and fraudulent transactions without CSC are more likely to be resolved in favour of the cardholder.{{citation needed|date=June 2014}}
* It is not mandatory for a merchant to require the security code for making a transaction, so the card may still be prone to fraud even if only its number is known to phishers. For example, [[Amazon (company)|Amazon]] requires only a card number and expiration date to complete a transaction.
* It is possible for a fraudster to guess the CSC by using a distributed attack.<ref>{{cite web | url = https://nakedsecurity.sophos.com/2016/12/05/how-to-guess-credit-card-security-codes/ | title = How to guess credit card security codes | last = Ducklin | first = Paul | date = 5 December 2016 | website = naked security by SOPHOS | access-date = 8 December 2016 | archive-date = 6 December 2016 | archive-url = https://web.archive.org/web/20161206150334/https://nakedsecurity.sophos.com/2016/12/05/how-to-guess-credit-card-security-codes/ | url-status = dead }}</ref>
== See also ==
* [[3-D Secure]]
* [[Credit card fraud]]
* [[ISO 8583]]
== References ==
{{Reflist}}
{{Credit cards}}
[[Category:British inventions]]
[[Category:1995 introductions]]
[[Category:1995 establishments in the United Kingdom]]
[[Category:Credit cards]]
[[Category:Data security]]
| |||