Card security code: Difference between revisions

m Types: Copy edit ▸ Typo ▸ Supplementary and unneeded closing parenthesis.
Tags: Mobile edit Mobile app edit Android app edit App section source
m Benefits and limitations: Copy edit ▸ Grammar ▸ Expressed as a single word throughout document, except here.
Tags: Mobile edit Mobile app edit Android app edit App select source
Line 51:
As a security measure, merchants who require the CVV2 for "[[Card not present transaction|card not present]]" transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.<ref name="visa">{{cite web|title=Rules for Visa Merchants|url=http://usa.visa.com/download/merchants/pdra_form_dec2006.doc|format=doc|page=1|access-date=26 February 2013|archive-url=https://web.archive.org/web/20140224171209/http://usa.visa.com/download/merchants/pdra_form_dec2006.doc|archive-date=24 February 2014|url-status=dead}}</ref> This way, if a database of transactions is [[compromise#Security|compromised]], the CVV2 is not present and the stolen card numbers are less useful. [[Virtual terminal]]s and [[payment gateways]] do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.
 
The [[Payment Card Industry Data Security Standard]] (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holdercardholder data.<ref>{{cite web|url=https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml |title=Official Source of PCI DSS Data Security Standards Documents and Payment Card Compliance Guidelines |publisher=Pcisecuritystandards.org |access-date=2011-12-25}}</ref>
Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as [[Sears, Roebuck and Company|Sears]] and [[Staples Inc.|Staples]], require the code. For [[American Express]] cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
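Review bot: The change to "cardholder" in the PCI DSS sentence leaves nearby inconsistencies untouched: that sentence spells "authorisation" with an "s" twice while the preceding paragraph uses "authorized", and the surrounding text alternates between "CVV2" and "CSC". Since the edit summary gives document-wide consistency as the reason, consider aligning these in the same pass. Also consider a blank line before "Since the CSC is not contained" so that it does not run on from the PCI DSS paragraph.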