Card security code: Difference between revisions

FoH (talk | contribs)
m What's the use of linking to a Wikipedia article that redirects to this one? :)
Rewrite; more analysis of security benefits and limitations
Line 1:
The '''Card Security Code''' ('''CSC'''), sometimes called Card Verification Value or '''Code''' ('''CVV''' or '''CVC'''), is a security feature for [[credit card]] transactions. Most credit cards have two card security codes. The first, often called CVC1 or CVV1 is encoded in the magnetic stripe of the card and is used for in-person transactions. The second card security code, known as CVV2 or CVC2 is used to secure transactions occurring over the Internet, by mail, or over the phone. It is a 3 or 4 digit value printed nowhere except on the card, and can theoretically be used to verify that the buyer has the card in their physical possession, giving merchants protection against [[credit card fraud]].
 
Most debit and credit cards have two card security codes. The first, often called CVC1 or CVV1, is encoded in the magnetic stripe of the card and is used for in-person transactions. The second, known as CVV2 or CVC2, is used to secure "card not present" transactions occurring over the Internet, by mail, or over the phone.
Cardholders do not need to worry about fraud thanks to zero-liability policies from major card issuers.
 
== CVV2 ==
Unfortunately, the primary way that criminals get credit card information for use in online (or phone) fraud is via [[phishing]] scams, which also will result in the capture of the CSC codes for the compromised credit card. This fact of life has reduced the real-world effectiveness of the CSC codes as an anti-fraud device.
The CVV2 is a 3 or 4 digit value printed on the card, but not available on the magnetic stripe. The number is generated when the card is issued, by encrypting the card number and expiry date under a key known only to the issuing bank. Supplying this code in a transaction is intended to verify that the customer has the card in their physical possession.
 
However, credit card processing companies are forbidden from storing this ID code. This way, if their databases get stolen, the code is not included, and the stolen credit card number is less useful.
 
The code is found in different places on the various families of cards, and is referred to by several different names:
Line 13 ⟶ 12:
* [[American Express]] cards have a 4 digit code printed on the front side of the card above the number, referred to as the "CID", or Card Identification Number. It is printed flat, not embossed like the card number.
 
===Security benefits===
Another potential value of CSC codes is for subscription-based services. Again theoretically, a merchant who needs to rebill a credit card would not store the CSC code after the initial transaction. That way, if the merchant's credit card database were to be compromised the thieves wouldn't get access to the CSC codes.
Since the CVV2 is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. This provides a level of protection to the cardholder, in that a corrupt merchant cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or internet. To do this, a merchant would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
 
Online merchants who require the CVV2 in their transactions are forbidden from storing these details once the transaction is complete. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen credit card numbers are less useful.
 
===Limitations===
The use of the CVV2 cannot protect against [[phishing]] scams, where the cardholder is tricked into entering the CVV2 among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CVV2 as an anti-fraud device.
 
Unfortunately, the only way this works is if the use of CSC codes is optional (otherwise the merchant would need it to rebill the credit card as well)... and if that is the case CSC codes aren't actually needed by the thief anyway.
Since the CVV2 may not be stored by the merchant, a merchant who needs to rebill a credit card for a regular subscription would not be able to provide the code after the initial transaction.
This means the use of CVV2 codes must remain optional; however, transactions without CVV2 are likely to be subjected to more stringent fraud screening, and fraudulent transactions without CVV2 are more likely to be resolved in favour of the cardholder.
 
[[Category:Electronic commerce]]