Talk:Card security code

I do not quite understand the security model underlying the CVV2. Isn't it the case that credit card numbers are typically obtained by making the user enter them on forged websites or by sniffing network traffic? Now what additional security do I gain if all such transactions will soon require to give the CVV2 as well? The same online methods used for stealing the credit card number can also be used to steal the CVV2.

I am just dealing with a transaction that requires me to send my credit card number and CVV2 via fax. The fax machine on the other side may stand in a crowded office and even the cleaning staff may be able to reprint the received faxes in the evening. How can the CVV2 verify that someone holds the card physically if its eventually printed out on some random paper sheets in offices all over the world? --Markus Krötzsch 07:54, 11 August 2005 (UTC)Reply

The value of this system of security may be disputed. Anybody who can look at the card or recive payment orders with this validation code can know its value. For this reason it can not be anymore consider that the only person who know the code is the legittate owner of the card after the card is used the first time (or even before that, if anybody can look at the card). Morover the value is also known by the credit card society. AnyFile 14:21, 19 August 2005 (UTC)Reply

There are some cases where a possible attacker has access to the credit card number, but not the CVV2. For instance, an employee at a store that takes credit cards may be able to make copies of large numbers of receipts, and the credit card number. In this case a person could make a large number of relatively small purchases on-line in a short period of time. Without the physical credit card or the CVV2, it is difficult to do this.

Of course, an employee would be able to record the CVV2 for any card that they physically handled, but in this case sales records would be able to identify the employee.

This is a guess, but it seems reasonable.