Talk:Card security code

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Stymiee (talk | contribs) at 12:52, 17 December 2008 (Reverted to revision 258497414 by Agent007bond; Oops. Realized this is the talk page!. (TW)). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Q. Is the CVV2 number related to the actual credit card number? Is it a random number? Or is there some other way that the card issuer selects the CVV2 number to put on a card? — Preceding unsigned comment added by 207.233.79.134 (talk | contribs) 23:27, 4 August 2005 (UTC)

A. I don't think MC or Visa require a particular algorithm, so it can be a random number stored in a secure lookup table, or it can be a derived number based on card data using a secret issuer key. — Preceding unsigned comment added by 38.112.4.254 (talk | contribs) 21:02, 31 March 2006 (UTC)

The CVV2 is an encryption of the card number and expiry date, under a key known only to the issuing bank. The CVV on the magstripe is similar but the encryption also covers the service code, a value on the magnetic stripe. Zaian 10:46, 18 June 2006 (UTC)
This isn't an encryption, although it may be a hash. The bank can't recover the card number, no matter how many keys they have, from a mere 3 digits! Andy Dingley (talk) 16:52, 10 June 2008 (UTC)

Security model

I do not quite understand the security model underlying the CVV2. Isn't it the case that credit card numbers are typically obtained by making the user enter them on forged websites or by sniffing network traffic? Now what additional security do I gain if all such transactions will soon require to give the CVV2 as well? The same online methods used for stealing the credit card number can also be used to steal the CVV2.

I am just dealing with a transaction that requires me to send my credit card number and CVV2 via fax. The fax machine on the other side may stand in a crowded office and even the cleaning staff may be able to reprint the received faxes in the evening. How can the CVV2 verify that someone holds the card physically if it's eventually printed out on some random paper sheets in offices all over the world? --Markus Krötzsch 07:54, 11 August 2005 (UTC)

I agree. When I call up my telco to pay my bill, and they ask me "and now sir, can I have the last three digits from the back of the card", how do I know they won't use it in conjunction with the credit card number I just provided them to buy lots of stuff? I suppose it might help for things like dumpster-diving receipts etc., where the CVC is not printed... but I think it's less useful than people give it credit for (no pun intended :-) StephenFalken 00:05, 2 May 2006 (UTC)
See, that is why I just use bill pay services from my bank: no need to talk to a person by phone and provide them with that number. I personally try to avoid giving out my credit card to a company except for a secure website, and I would prefer the companies to not store my credit card as a permanent record and just use it for that one transaction. Quazywabbit 06:28, 20 May 2006 (UTC)

Is it really sure?

The value of this system of security may be disputed. Anybody who can look at the card or receive payment orders with this validation code can know its value. For this reason it can no longer be considered that the only person who knows the code is the legitimate owner of the card after the card is used the first time (or even before that, if anybody can look at the card). Moreover, the value is also known by the credit card company. AnyFile 14:21, 19 August 2005 (UTC)

On your last point, the value is not known (i.e. is not stored) by the issuing bank. The value is obtained by encrypting some card details. The validation process is that the transaction details are sent to a secure cryptographic device called a Hardware Security Module (HSM) which internally derives the CVV2 for the card and returns a "Yes/No" response indicating whether the CVV2 supplied was correct or not. It's a "black box" - the software can ask the HSM "was this CVV2 right?" but not "what is the CVV2 for this card?". This is similar to the process for validating PINs. Zaian 10:46, 18 June 2006 (UTC)
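The derive-and-compare check described in the reply above, together with the earlier point in this thread that three digits cannot be an invertible "encryption" of the card number, as a worked example. This is added illustration, not code from the article, from any issuer, or from an HSM vendor. It follows the widely documented Visa CVV method (DES/3DES over PAN, expiry and service code, then decimalisation), which is an assumption beyond what the comments state; the keys, PAN, expiry and service codes are constructed test values, and `CVVModule` is a stand-in for the HSM that exposes only a yes/no verify. Go is used because its standard library ships DES and triple DES.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed test keys for this example only, not real issuer material.
// The method uses a double-length key: CVK-A and CVK-B, each one DES key.
const testCVKA, testCVKB = "0123456789ABCDEF", "FEDCBA9876543210"

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// DeriveCVV follows the widely documented Visa CVV method (an assumption of
// this example; the thread only says "an encryption of card data under an
// issuer key"): PAN || expiry (YYMM) || service code is right-padded with '0'
// to 32 hex digits, giving blocks B1, B2; T = DES_A(B1) XOR B2; R = 3DES_{A,B,A}(T);
// then R is decimalised (its decimal hex digits in order, then A..F as 0..5)
// and the first three digits are the CVV. Service code "000" gives the printed
// CVV2; the card's real service code gives the magstripe CVV1, so the two differ.
func DeriveCVV(pan, expiryYYMM, serviceCode, cvkAHex, cvkBHex string) (string, error) {
	raw := pan + expiryYYMM + serviceCode
	if !allDigits(raw) || len(raw) > 32 {
		return "", errors.New("PAN, expiry and service code must be at most 32 decimal digits")
	}
	data, _ := hex.DecodeString(raw + strings.Repeat("0", 32-len(raw))) // digits only, cannot fail
	keyA, errA := hex.DecodeString(cvkAHex)
	keyB, errB := hex.DecodeString(cvkBHex)
	if errA != nil || errB != nil {
		return "", errors.New("CVKs must be hex")
	}
	cipherA, errA := des.NewCipher(keyA) // rejects anything but an 8-byte key
	ede, errB := des.NewTripleDESCipher(append(append(append([]byte{}, keyA...), keyB...), keyA...))
	if errA != nil || errB != nil {
		return "", errors.New("CVK-A and CVK-B must each be an 8-byte DES key")
	}

	t := make([]byte, 8)
	cipherA.Encrypt(t, data[:8])
	for i := range t {
		t[i] ^= data[8+i]
	}
	r := make([]byte, 8)
	ede.Encrypt(r, t) // encrypt with A, decrypt with B, encrypt with A

	// Decimalisation: this truncation of a 64-bit MAC to 3 digits is why the
	// CVV is not a ciphertext the issuer could "decrypt" back to the PAN.
	hexR := strings.ToUpper(hex.EncodeToString(r))
	var digits strings.Builder
	for _, c := range hexR {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		}
	}
	for _, c := range hexR {
		if c >= 'A' && c <= 'F' {
			digits.WriteRune('0' + (c - 'A'))
		}
	}
	return digits.String()[:3], nil
}

// CVVModule stands in for the HSM: the keys live only inside it, and the one
// operation exposed is "is this CVV2 right?", never "what is the CVV2?".
type CVVModule struct{ cvkA, cvkB string }

func (m CVVModule) VerifyCVV2(pan, expiryYYMM, candidate string) bool {
	expected, err := DeriveCVV(pan, expiryYYMM, "000", m.cvkA, m.cvkB)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1
}

func main() {
	pan, expiry := "4111111111111111", "0912" // constructed test card data
	cvv2, _ := DeriveCVV(pan, expiry, "000", testCVKA, testCVKB)
	cvv1, _ := DeriveCVV(pan, expiry, "101", testCVKA, testCVKB)
	fmt.Printf("printed CVV2=%s  magstripe CVV1=%s\n", cvv2, cvv1)

	hsm := CVVModule{testCVKA, testCVKB}
	fmt.Println("correct CVV2 accepted:", hsm.VerifyCVV2(pan, expiry, cvv2))
	wrong := string([]byte{'0' + (cvv2[0]-'0'+1)%10, cvv2[1], cvv2[2]}) // first digit flipped
	fmt.Println("wrong CVV2 accepted:  ", hsm.VerifyCVV2(pan, expiry, wrong))
}
```

Run it with `go run`. Because `VerifyCVV2` never returns the derived value, application code can only submit candidates, which is the black-box property described above; and because decimalisation keeps three digits out of a 64-bit 3DES output, the printed value is a truncated MAC over the card data rather than something that could be "decrypted", whatever keys one holds.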

Imprints

There are some cases where a possible attacker has access to the credit card number, but not the CVV2. For instance, an employee at a store that takes credit cards may be able to make copies of large numbers of receipts, and the credit card number. In this case a person could make a large number of relatively small purchases on-line in a short period of time. Without the physical credit card or the CVV2, it is difficult to do this.

Of course, an employee would be able to record the CVV2 for any card that they physically handled, but in this case sales records would be able to identify the employee.

This is a guess, but it seems reasonable. — Preceding unsigned comment added by 82.93.59.73 (talk | contribs) 18:18, 21 August 2005 (UTC)

Well, it is not so difficult for an employee of a shop (or for the owner of the shop too) to look at the security code without being seen as suspicious. On some cards the security code is on the front and in other cases it is next to the signature box on the back of the card (which the merchant has a contractual right and duty to check). The code is small enough to be memorized, so there is no need to write it down immediately, which would raise suspicion. Moreover, in many cases I see the teller write down a lot of information on the credit card receipts (the number of the day's sale, and so on). The security code could be written among the same data without raising suspicion, or it can even be written in an encrypted form. If the fraud is committed some time later (even months, since the card is usually valid for 2 years and all the information needed, including the security code, does not change in the meantime), it would be very difficult to track down all the places it was used in that time. And unless the teller is so silly as to buy things online and have them sent to his/her postal address, it is very difficult to make a link between the use of the credit card and a specific sale where the card was used.
I have to say that my opinion is that this so-called security code adds only a very little protection, and this additional small protection is completely void when you reveal the CVV2 data. It is difficult to have a really safe system when the card is used at a distance. All the data sent can be read by at least someone, and if exactly the same data is all that is needed to make another transaction, the protection is rather low. In my opinion the only way to solve this issue is that among the data transmitted there should be something known only to the owner, and this data should change at each use (and optionally also depend on the name or the code of the merchant). AnyFile 13:45, 9 July 2006 (UTC)

Retention is possible

I'm not sure how to phrase this in the article, but since the CVV2 can be stored prior to the completion of a transaction, in the case of a time-delayed transaction this storage period may in fact be very lengthy. I am currently working with a client that requires up to six months between collection and charging, and for technical reasons verification of the card is not possible at time of collection. I realize this sounds stupid, but it is allowed (though discouraged) in the specs. I'm not sure if this should be listed as a "drawback," since it seems to be a problem with a particular system's business requirements rather than the number itself. But that could be arguable about most of the drawbacks, so I'm not sure.

12.205.149.45 22:54, 3 August 2007 (UTC)


Location of CVV2

There is an incorrect statement in this article: "The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe."

In this article, it is stated that the magnetic strip may include CVV:

http://en.wikipedia.org/wiki/Magnetic_stripe

Financial cards Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), Pin Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVK, 3 characters)

Jimmied999 14:19, 14 August 2007 (UTC) http://www.ded.co.uk/magnetic-stripe-card-details.html

CVV1 is stored on the card. CVV2 is not. I think the statement is accurate. Talyian 16:07, 14 September 2007 (UTC)

History

When did this whole CSC thing get started? I think it would be nice to have a "History" section in this article. I know that 10 or 20 years ago, cards didn't have this. Westwind273 17:30, 17 September 2007 (UTC)

What do the acronyms stand for?

It seems like the article should say... — Preceding unsigned comment added by 206.168.188.130 (talk) 19:02, 26 October 2007 (UTC)

Limitation - Should be obvious

I understand that CVV2 is designed to verify that the person making "card not present" transactions occurring over the Internet, by mail, fax or over the phone is holding the physical card at the time of transaction. However, CVV2 code is just a 3-4 digit number. Unlike a PIN code or password, the CVV2 code can never be changed.

Anyone who can copy the 16-digit credit card number and its expiry month can very easily copy this short code. Once the person has copied the three details, he/she can easily make an Internet transaction or a similar "card not present" transaction even though he may not be holding the physical card. This fraud can be attempted very easily using, for example, a photograph of the back side of the credit card. (The photo can be mirrored to reveal the credit card number and expiry date, eliminating the need for a photo of the front side.)

Why is this limitation not acknowledged? It is the most serious of all limitations of CVV2 and it is a 'self-defeating' limitation. That is, it defeats the very purpose of CVV2, rendering it useless. I think it should be mentioned in the Limitations section.

My suggestion is, the CVV2 code should be sent as a separate document from the Bank, and the user should be requested to memorize the code and destroy the document. For current cards, a strong thin black sticker can be used to cover up the CVV2 code, after the cardholder has memorized it. This will prevent shopkeepers and store cashiers from copying down the CVV2 code.

I understand my suggestion is not fool-proof as more services are starting to require the CVV2 code. However, I believe the legitimate services that require the CVV2 code will discard the code and destroy all records once the transaction has been made. It protects against fraud during "card present" signature-based transactions, and against friends or a significant other who take a look at your wallet. --ADTC (talk) 15:02, 16 December 2008 (UTC)

Did you read the first bullet point under Card Security Code#CVV2 limitations? That addresses the limitation in detail, and has been there since at least 2006. As for your proposal, this is not the place for it. You should contact the credit card companies directly if you want anyone with a chance of changing things to see it. Anomie 17:07, 16 December 2008 (UTC)
The first bullet point does not address the exact limitation mentioned by me, although it is similar. The point mentions that the phisher has the card number and all details except the CVV2 number, then tricks the cardholder into entering the CVV2 number. Quote: There is now also a scam where a phisher has already obtained the card account number and gives this information to the victims before asking for the CVV2.
What I mentioned is that a thief physically present with a card does not always have to steal it as normally expected of him. He can simply copy down the card number, CVV2 and other details without the knowledge of the cardholder. Although this kind of memory-based stealing will not allow the thief to make card-swiped transactions, he can still make Internet-based transactions such as purchasing membership access to websites.

--ADTC (talk) 03:08, 17 December 2008 (UTC)