Card security code
The card security code (CSC), sometimes called Card Verification Data (CVD), Card Verification Value (CVV or CVV2), Card Verification Value Code (CVVC), Card Verification Code (CVC or CVC2), Verification Code (V-Code or V Code), or Card Code Verification (CCV), is a security feature for credit or debit card transactions, providing increased protection against credit card fraud.
Types of codes
There are several types of security codes:
- The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and used for transactions in person. The purpose of the CVC1 or CVV1 is to ensure the data stored on the magnetic stripe of the card is valid and was generated by the issuing bank. This value is submitted as part of transactions and is verified by the issuing bank. A limitation of the CVC1 or CVV1 is that if the entire magnetic stripe is copied, rather than generated, the card can be duplicated. See the Skimming section for more details.
- The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a CCID or Credit Card ID) is often requested by merchants to secure card not present transactions occurring over the Internet, by mail, fax or over the phone. In many countries in Western Europe, because of increased attempts at card fraud, it is now mandatory to provide this code when the cardholder is not present in person.
- Contactless cards and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.
These codes should not be confused with the standard card account number appearing in embossed or printed digits. (The standard card number undergoes a separate validation algorithm called the Luhn algorithm, which serves to determine whether a given card's number is appropriate.)
These codes should also not be confused with a card's PIN or passwords associated with MasterCard SecureCode or Verified by Visa. PINs and these passwords are not printed or embedded in the card but are manually entered at the time of transaction.
Location of code
The CSC (the second type of code noted above) is a three- or four-digit value printed on the card or signature strip, but not encoded on the magnetic stripe.
- MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is not embossed like the card number, and is always the final group of numbers printed on the back signature panel of the card. New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card. The codes have different names:
  - "CVC2" (card validation code) MasterCard,
  - "CVV2" (card verification value) Visa,
  - "CID" (card identification number) Discover.
- American Express cards have a four-digit code printed on the front side of the card above the number. It is printed flat, not embossed like the card number. This code is called:
  - "CID" or "unique card code"
Security benefits
Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a corrupt merchant cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
Merchants who require the CVV2 for "card not present" transactions are forbidden in the USA by Visa from storing the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful.
The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data.
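An added example (not from the original article or from PCI DSS itself): an audit pass over stored transaction records that reports where a CSC is still retained after authorisation, either as a named field or inside free text. The record layout, the `status` value, the field-name list and the sample data are assumptions constructed for illustration.

```python
import re

# Assumed field names under which a CSC might be stored; adapt to your schema.
CSC_KEYS = {"csc", "cvv", "cvv2", "cvc", "cvc2", "cid", "cvd", "ccv"}
# A CSC label followed by a 3- or 4-digit value inside free text.
CSC_IN_TEXT = re.compile(
    r"\b(?:csc|cvv2?|cvc2?|cid|cvd|ccv)\b\s*[:=#-]?\s*\d{3,4}\b", re.IGNORECASE
)

def find_retained_csc(value, path=""):
    """Return the paths inside a stored record where a CSC appears to be retained."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else str(key)
            if str(key).lower() in CSC_KEYS and child not in (None, ""):
                hits.append(child_path)          # a populated CSC field
            else:
                hits.extend(find_retained_csc(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_retained_csc(child, f"{path}[{i}]"))
    elif isinstance(value, str) and CSC_IN_TEXT.search(value):
        hits.append(path)                        # CSC written into free text
    return hits

def audit(records):
    """Map record id -> offending paths, for records already authorised."""
    report = {}
    for rec in records:
        if rec.get("status") == "authorised":    # assumed status value
            hits = find_retained_csc(rec)
            if hits:
                report[rec["id"]] = hits
    return report

# Constructed sample records (well-known test card number, made-up codes).
SAMPLE = [
    {"id": "t1", "status": "authorised", "card": {"pan": "4111111111111111", "exp": "1227"}},
    {"id": "t2", "status": "authorised", "card": {"pan": "4111111111111111", "cvv2": "123"}},
    {"id": "t3", "status": "authorised", "card": {"pan": "4111111111111111"},
     "notes": ["customer phoned, CVV: 123 read out"]},
    {"id": "t4", "status": "pending", "card": {"pan": "4111111111111111", "cvv2": "123"}},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The free-text pattern only catches labelled values; an unlabelled three-digit number in a notes field cannot be distinguished from other data this way.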
Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
Limitations
- The use of the CSC cannot protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs).
- Since the CSC may not be stored by the merchant for any length of time (after the original transaction in which the CSC was quoted and then authorized and completed), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.
- Some card issuers do not yet use the CSC - although MasterCard started in 1997 and Visa in the USA had them issued by 2001. However, transactions without CSC are likely to be subjected to more stringent fraud screening, and fraudulent transactions without CSC are more likely to be resolved in favour of the cardholder.
- It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.
Generation of card security codes
CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The values are calculated by encrypting the bank card number (also known as the primary account number or PAN), expiration date and service code with encryption keys (often called Card Verification Key or CVK) known only to the issuing bank, and decimalising the result.
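An added example, not the card schemes' actual algorithm: it shows the shape of the computation described above, a keyed function over PAN, expiry date and service code followed by decimalisation, and how an issuer would check a presented code. HMAC-SHA256 stands in for the issuer's cipher, the digits-first decimalisation scheme is an assumption the article does not specify, and the key and card data are constructed.

```python
import hashlib
import hmac

def decimalise(hex_digits: str, length: int = 3) -> str:
    """Two-pass decimalisation (assumed scheme): keep the digits 0-9 in order,
    then append the letters A-F mapped to 0-5, and take the leftmost digits."""
    h = hex_digits.upper()
    digits = [c for c in h if c.isdigit()]
    letters = [str(int(c, 16) - 10) for c in h if c in "ABCDEF"]
    return "".join(digits + letters)[:length]

def keyed_block(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Stand-in for the issuer's encryption step: HMAC-SHA256 truncated to
    16 hex digits. This is NOT the cipher real card schemes use."""
    msg = (pan + expiry + service_code).encode("ascii")
    return hmac.new(cvk, msg, hashlib.sha256).hexdigest()[:16]

def issue_code(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Issuer side, at card issuance: derive the code from card data and key."""
    return decimalise(keyed_block(cvk, pan, expiry, service_code))

def verify_code(cvk: bytes, pan: str, expiry: str, service_code: str,
                presented: str) -> bool:
    """Issuer side, at authorisation: recompute and compare in constant time.
    Nothing has to be stored per card; only the key holder can do this."""
    expected = issue_code(cvk, pan, expiry, service_code)
    return hmac.compare_digest(expected.encode(), presented.encode())

# Constructed values: a demo key and a well-known test card number.
DEMO_CVK = b"demo-key-not-a-real-cvk"
DEMO_PAN, DEMO_EXPIRY, DEMO_SERVICE = "4111111111111111", "1227", "101"

if __name__ == "__main__":
    code = issue_code(DEMO_CVK, DEMO_PAN, DEMO_EXPIRY, DEMO_SERVICE)
    print(code, verify_code(DEMO_CVK, DEMO_PAN, DEMO_EXPIRY, DEMO_SERVICE, code))
```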
See also
- Credit card fraud
- ISO 8583 (Data element #44 carries the Security Code response)