Talk:Card security code
|This article is of interest to the following WikiProjects:|
- 1 Related to actual number?
- 2 Security model
- 3 Is it really sure?
- 4 Imprints
- 5 Retention is possible
- 6 Location of CVV2
- 7 History
- 8 What do the acronyms stand for?
- 9 Limitation - Should be obvious
- 10 What is the Spanish page for this entry?
- 11 Amex name for CVV2 is CID/4DBC
- 12 Reference (3) link is bad
- 13 CVV2 hacked!
- 14 Prohibition on recording codes on paper forms
- 15 3 digit CVV on AXP signature panel
- 16 External links modified
Related to actual number?
Q. Is the CVV2 number related to the actual credit card number? Is it a random number? Or is there some other way that the card issuer selects the CVV2 number to put on a card? —Preceding unsigned comment added by 184.108.40.206 (talk • contribs) 23:27, 4 August 2005
A. I don't think MC or Visa require a particular algorithm, so it can be a random number stored in a secure lookup table, or it can be a derived number based on card data using a secret issuer key. —Preceding unsigned comment added by 220.127.116.11 (talk • contribs) 21:02, 31 March 2006
- The CVV2 is an encryption of the card number and expiry date, under a key known only to the issuing bank. The CVV on the magstripe is similar but the encryption also covers the service code, a value on the magnetic stripe. Zaian 10:46, 18 June 2006 (UTC)
Q. I would request to provide details on how does CVV verification process work. for example when a user enters his CVV in the payment termina intertface then what verification and validation processes occur in backgroung and the user gets authorized for the transaction. such information would be most appreciated. Lavkru (talk) 09:48, 7 May 2013 (UTC)
I do not quite understand the security model underlying the CVV2. Isn't it the case that credit card numbers are typically obtained by making the user enter them on forged websites or by sniffing network traffic? Now what additional security do I gain if all such transactions will soon require to give the CVV2 as well? The same online methods used for stealing the credit card number can also be used to steal the CVV2.
I am just dealing with a transaction that requires me to send my credit card number and CVV2 via fax. The fax machine on the other side may stand in a crowded office and even the cleaning staff may be able to reprint the received faxes in the evening. How can the CVV2 verify that someone holds the card physically if its eventually printed out on some random paper sheets in offices all over the world? --Markus Krötzsch 07:54, 11 August 2005 (UTC)
- I agree. When I call up my telco to pay my bill, and they ask me "and now sir, can I have the last three digits from the back of the card", how do I know they won't use it in conjunction with the credit card number I just provided them to buy lots of stuff? I suppose it might help for things like dumpster-diving receipts etc, where the CVC is not printed... but I think it's less useful than people give it credit for (no pun intended :-) StephenFalken 00:05, 2 May 2006 (UTC)
- See, that is why I just use bill pay services from my bank, no need to talk to a person by phone and provide them with that number, I personally try to avoid giving out my credit card to a company except for a secure website, and I would prefer the companies to not store my credit card as a permanent record and just use it for that one transaction Quazywabbit 06:28, 20 May 2006 (UTC)
The CVV2 is just another layer of defence against fraud. If you have generated the card number or gained the card details by skimming you won't have access to the CVV2, reducing the potential for fraud. Dkam (talk) 07:11, 12 July 2009 (UTC)
Question: Is the use of the CVV2 actually implemented at this time? I have been entering 3 random digits for all my online transactions, and so far, they have all been accepted. (18.104.22.168 (talk) 21:36, 23 November 2010 (UTC))
Is it really sure?
The value of this system of security may be disputed. Anybody who can look at the card or recive payment orders with this validation code can know its value. For this reason it can not be anymore consider that the only person who know the code is the legittate owner of the card after the card is used the first time (or even before that, if anybody can look at the card). Morover the value is also known by the credit card society. AnyFile 14:21, 19 August 2005 (UTC)
- On your last point, the value is not known (i.e. is not stored) by the issuing bank. The value is obtained by encrypting some card details. The validation process is that the transaction details are sent to a secure cryptographic device called a Hardware Security Module (HSM) which internally derives the CVV2 for the card and returns a "Yes/No" response indicating whether the CVV2 supplied was correct or not. It's a "black box" - the software can ask the HSM "was this CVV2 right?" but not "what is the CVV2 for this card?". This is similar to the process for validating PINs. Zaian 10:46, 18 June 2006 (UTC)
There are some cases where a possible attacker has access to the credit card number, but not the CVV2. For instance, an employee at a store that takes credit cards may be able to make copies of large numbers of receipts, and the credit card number. In this case a person could make a large number of relatively small purchases on-line in a short period of time. Without the physical credit card or the CVV2, it is difficult to do this.
Of course, an employee would be able to record the CVV2 for any card that they physically handled, but in this case sales records would be able to identify the employee.
- Well, it is not so dificcult for an employer of a shop (or for the owner of the shop too) to look at the secutity code without being seen as suspicious. On some cards the security code is on the front and in other cases is next to the signaure box on the back of the card (which the merchant has contract right and duty to check at). The code is enought small to be memorized, so there no need to write it down immidiately rising suspicious. Morover in many case I see the teller write down on the credit card recipes many informations (the number of the day selling, and so on). The security code could be written among the same datas without rising souspicious, or it can even be written in a encripten form. if the fraud is made some time later (even months since the card is usually valid for 2 years and all the information needed, including the security code, do not change in the meantime) it would very difficult to track down all the place it was used in the time. And unless the teller is so silly to buy things online and have them sent to his/her postal address, it is very difficult to link among the use of the credit card and a specific sale, when the card was use.
- I have to say that my opinion is that this, so called, security code only add a very little protection, and this addictional small protection is completely void when you reveal the CCV2 data. It is difficult to have a really safe system when the card is used at distance. All the datas sent can be read by at leat someone and if the exactly same datas is all is needed to make another transaction, the protection is rather low. In my opinion the only way to solve this issue is that among the datas trasmited should be only know by the owner and that this data change at any time of use (and optionally depends also on the name or on the code of the merchant). AnyFile 13:45, 9 July 2006 (UTC)
Retention is possible
I'm not sure how to phrase this in the article, but since the CVV2 can be stored prior to the completion of a transaction, in the case of a time-delayed transaction this storage period may in fact be very lengthy. I am currently working with a client that requires up to six months between collection and charging, and for technical reasons verification of the card is not possible at time of collection. I realize this sounds stupid, but it is allowed (though discouraged) in the specs. I'm not sure if this should be listed as a "drawback," since it seems to be a problem with a particular system's business requirements rather than the number itself. But that could be arguable about most of the drawbacks, so I'm not sure.
22.214.171.124 22:54, 3 August 2007 (UTC)
Location of CVV2
There is an incorrect statement in this article: "The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe."
In this article, it is stated that the magnetic strip may include CVV:
Financial cards Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), Pin Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVK, 3 characters)
Jimmied999 14:19, 14 August 2007 (UTC) http://www.ded.co.uk/magnetic-stripe-card-details.html
- CVV1 is stored on the card. CVV2 is not. I think the statement is accurate Talyian 16:07, 14 September 2007 (UTC)
- Talyian is correct - CVV1 is on the mag stripe, CVV2 is printed on the card and is not present on the mag stripe. Dkam (talk) 12:39, 12 July 2009 (UTC)
When did this whole CSC thing get started? I think it would be nice to have a "History" section in this article. I know that 10 or 20 years ago, cards didn't have this. Westwind273 17:30, 17 September 2007 (UTC)
What do the acronyms stand for?
Limitation - Should be obvious
I understand that CVV2 is designed to verify that the person making "card not present" transactions occurring over the Internet, by mail, fax or over the phone is holding the physical card at the time of transaction. However, CVV2 code is just a 3-4 digit number. Unlike a PIN code or password, the CVV2 code can never be changed.
Anyone who can copy the 16-digit credit card number and it's expiry month, can very easily copy this short code. Once the person has copied the three details, he/she can easily make an Internet transaction or a similar "card not present" transaction even though he may not be holding the physical card. This fraud can be attempted very easily using, for example, a photograph of the back side of credit card. (The photo can be mirrored to reveal the credit card number and expiry date, eliminating the need for a photo of the front side.)
Why is this limitation not acknowledged? It is the most serious of all limitations of CVV2 and it's a 'self-defying' limitation. That means, it defeats the very purpose of CVV2, rendering it useless. I think it should be mentioned in the Limitations section.
My suggestion is, the CVV2 code should be sent as a separate document from the Bank, and the user should be requested to memorize the code and destroy the document. For current cards, a strong thin black sticker can be used to cover up the CVV2 code, after the cardholder has memorized it. This will prevent shopkeepers and store cashiers from copying down the CVV2 code.
I understand my suggestion is not fool-proof as more services are starting to require CVV2 code. However, I believe the legitimate services that require CVV2 code will discard the code and destroy all records once the transaction has been made. It protects against fraud during "card present" signature-based transactions, and against friends or significant other who are taking a look at your wallet. --ADTC (talk) 15:02, 16 December 2008 (UTC)
- Did you read the first bullet point under Card Security Code#CVV2 limitations? That addresses the limitation in detail, and has been there since at least 2006. As for your proposal, this is not the place for it. You should contact the credit card companies directly if you want anyone with a chance of changing things to see it. Anomie⚔ 17:07, 16 December 2008 (UTC)
- The first bullet point does not address the exact limitation mentioned by me, although it is similar. The point mentions that the phisher has the card number and all details except the CVV2 number, then tricks the cardholder into entering the CVV2 number. Quote: There is now also a scam where a phisher has already obtained the card account number and gives this information to the victims before asking for the CVV2.
- What I mentioned is that a thief physically present with a card does not always have to steal it as normally expected of him. He can simply copy down the card number, CVV2 and other details without the knowledge of the cardholder. Although this kind of memory-based stealing will not allow the thief to make card-swiped transactions, he can still make Internet-based transactions such as purchasing membership access to websites.
- --ADTC (talk) 03:08, 17 December 2008 (UTC)
- I have scratched my CVV off the signature strip once I was sure I'd remebered it. I know the card is now officially void but it means no one can now read the CVV without my knowledge and use it for online transactions. In what physcial cases could my card now be rejected? The cashier would have to look closely at the back of the card to see the 'void' word which now shows through from underneath the signature strip. hrf (talk) 20:59, 15 May 2009 (UTC)
What is the Spanish page for this entry?
Amex name for CVV2 is CID/4DBC
Amex name for CVV2 is CID/4DBC
4DBC stands for 4 digit batch code, recognising the fact that the security number is 4 digits on the front of the card. Would be good to insert this into the main text
http://www.zeit.de/2011/21/Kreditkarten-Sicherheit (german) —Preceding unsigned comment added by 126.96.36.199 (talk) 10:12, 21 May 2011 (UTC)
It has not remotely been hacked. They simply brute forced it by trying authorizations en masse at various websites. The fact that this was allowed to occur means that the card issuers simply were lacking in their fraud detection, I'm sure at this point the issuers simply look for a large amount of attempted authorizations and flag the card. Thus, the CVV is not weakened as a result. You can also brute force card numbers by generating all card numbers that have a valid Luhn check and attempt authorizations on those, but in cases like this the gateway provider would probably alert the store in question. Brute force methods are not a good way to do fraud on a large scale. 188.8.131.52 (talk) 15:09, 7 April 2017 (UTC)
Prohibition on recording codes on paper forms
The article is correct that security codes are often used for mail transactions, but recording the code on paper is prohibited by all of the credit card companies. Does this deserve its own section in the article? If nothing else, a clarification should be made using the AmEx language: they're for real-time card-not-present transactions.
This is definitely controversial, as it's an area where common practice stands in opposition to official policy, so I'd like to see some discussion before making any changes.
Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database. [Rules for Visa Merchants, 2007, page 12]
Merchants ... must not store card validation code 2 (CVC 2) data in any manner for any purpose. ... At its discretion, MasterCard may impose a noncompliance assessment of up to USD 100,000 per each individual violation of this Standard, with a maximum aggregate assessment of USD 500,000 for additional or continuing violations during any consecutive 12-month period. [Security Rules and Procedures-Merchant Edition, Section 10.2, July 2009]
- American Express
CID numbers must not be stored for any purpose. They are available for real time Transactions only. [American Express Merchant Reference Guide – U.S., section 5.10, 2009] — Preceding unsigned comment added by Coloradoauthor (talk • contribs) 22:21, 16 May 2012 (UTC)
- Its own section, no. A sentence or two summarizing (and sourced to) the above, sure. Anomie⚔ 01:11, 17 May 2012 (UTC)
3 digit CVV on AXP signature panel
Have noticed that there is a 3 digit code at the right hand end of the signature panel on my American Express cards (those from AXP itself and those from two other independent issuers). I would imagine that this is for the benefit of procedures or hardware that only allow for a 3 digit CVV. knoodelhed (talk) 17:38, 15 October 2013 (UTC)
Hello fellow Wikipedians,
I have just modified one external link on Card security code. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
- Added archive https://web.archive.org/web/20140424011239/https://www.securesuite.net/cibc/tdsecure/spc_description.jsp?cycfg_affinity=mc to https://www.securesuite.net/cibc/tdsecure/spc_description.jsp?cycfg_affinity=mc
When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at
You may set the
|checked=, on this template, to true or failed to let other editors know you reviewed the change. If you find any errors, please use the tools below to fix them or call an editor by setting
|needhelp= to your help request.
- If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
- If you found an error with any archives or the URLs themselves, you can fix them with this tool.
If you are unable to use these tools, you may set
|needhelp=<your help request> on this template to request help from an experienced user. Please include details about your problem, to help other editors.