Card security code

Last updated

The card security code is located on the back of Mastercard, Visa, Discover, Diners Club, and JCB credit or debit cards and is typically a separate group of three digits to the right of the signature strip CVC2SampleVisaNew.png
The card security code is located on the back of Mastercard, Visa, Discover, Diners Club, and JCB credit or debit cards and is typically a separate group of three digits to the right of the signature strip
On American Express cards, the card security code is a printed, not embossed, group of four digits on the front towards the right CIDSampleAmex.png
On American Express cards, the card security code is a printed, not embossed, group of four digits on the front towards the right

A card security code (CSC; also known as CVC, CVV, or several other names) is a series of numbers that, in addition to the bank card number, is printed (but not embossed) on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder (as they would during point-of-sale or card present transactions). It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.

Contents

These codes are in slightly different places for different card issuers. The CSC for Visa, Mastercard, and Discover credit cards is a three-digit number on the back of the card, to the right of the signature box. The CSC for American Express is a four-digit code on the front of the card above the account number. See the figures to the right for examples.

CSC was originally developed in the UK as an eleven-character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWest bank, the concept was adopted by the UK Association for Payment Clearing Services (APACS) and streamlined to the three-digit code known today. Mastercard started issuing CVC2 numbers in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999, in response to growing Internet transactions and card member complaints of spending interruptions when the security of a card has been brought into question.

Contactless card and chip cards may electronically generate their own code, such as iCVV or a dynamic CVV.366

Naming

The codes have different names:

Types

There are several types of security codes and PVV (all generated from DES key in the bank in HSM modules using PAN, expiration date and service code):

Location

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, however, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

Generation

The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys known only to the card issuer, and decimalising the result (in a similar manner to a hash function). [9] [10] [11]

Benefits and limitations

As a security measure, merchants who require the CVV2 for "card not present" transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized. [12] This way, if a database of transactions is compromised, the CVV2 is not present and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data. [13] Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

Limitations include:

See also

Related Research Articles

<span class="mw-page-title-main">Debit card</span> Card used for financial transactions, usually without a credit line

A debit card, also known as a check card or bank card, is a payment card that can be used in place of cash to make purchases. The card usually consists of the bank's name, a card number, the cardholder's name, and an expiration date, on either the front or the back. Many new cards now have a chip on them, which allows people to use their card by touch (contactless), or by inserting the card and keying in a PIN as with swiping the magnetic stripe. Debit cards are similar to a credit card, but the money for the purchase must be in the cardholder's bank account at the time of the purchase and is immediately transferred directly from that account to the merchant's account to pay for the purchase.

<span class="mw-page-title-main">EMV</span> Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

Secure Electronic Transaction (SET) is a communications protocol standard for securing credit card transactions over networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enabled users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain attraction in the market. Visa now promotes the 3-D Secure scheme.

<span class="mw-page-title-main">Maestro (debit card)</span> Debit card from Mastercard

Mastercard Maestro is a brand of debit cards and prepaid cards owned by Mastercard that was introduced in 1991. Maestro is accepted at around fifteen million point of sale outlets in 93 countries.

An e-commerce payment system facilitates the acceptance of electronic payment for offline transfer, also known as a subcomponent of electronic data interchange (EDI), e-commerce payment systems have become increasingly popular due to the widespread use of the internet-based shopping and banking.

ISO 8583 is an international standard for financial transaction card originated interchange messaging. It is the International Organization for Standardization standard for systems that exchange electronic transactions initiated by cardholders using payment cards.

An address verification service (AVS) is a service provided by major credit card processors to enable merchants to authenticate ownership of a credit or debit card used by a customer. AVS is done as part of the merchant's request for authorization in a non-face-to-face credit card transaction. The credit card company or issuing bank automatically checks the billing address provided by the customer to the merchant against the billing address in its records, and reports back to the merchant who has the ultimate responsibility to determine whether or not to go ahead with a transaction. AVS can be used in addition to other security features of a credit card, such as the CVV2 number.

<span class="mw-page-title-main">Payment card</span> Card issued by a financial institution that can be used to make a payment

Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner to access the funds in the customer's designated bank accounts, or through a credit account and make payments by electronic transfer with a payment terminal and access automated teller machines (ATMs). Such cards are known by a variety of names, including bank cards, ATM cards, client cards, key cards or cash cards.

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.

<span class="mw-page-title-main">Dankort</span>

The Dankort is the national debit card of Denmark. Today it is often combined with a Visa card or Mastercard and functions as a Visa or Mastercard debit card abroad and in stores that don't accept Dankort.

The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.

A controlled payment number, disposable credit card or virtual credit card is an alias for a credit card number, with a limited number of transactions, and an expiration date between two and twelve months from the issue date. This "alias" number is indistinguishable from an ordinary credit card number, and the user's actual credit card number is never revealed to the merchant.

A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards and other similar cards. In some situations the card number is referred to as a bank card number. The card number is primarily a card identifier and may not directly identify the bank account number(s) to which the card is/are linked by the issuing entity. The card number prefix identifies the issuer of the card, and the digits that follow are used by the issuing entity to identify the cardholder as a customer and which is then associated by the issuing entity with the customer's designated bank accounts. In the case of stored-value type cards, the association with a particular customer is only made if the prepaid card is reloadable. Card numbers are allocated in accordance with ISO/IEC 7812. The card number is typically embossed on the front of a payment card, and is encoded on the magnetic stripe and chip, but may also be imprinted on the back of the card.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

<span class="mw-page-title-main">Credit card</span> Card for financial transactions on credit

A credit card is a payment card, usually issued by a bank, allowing its users to purchase goods or services, or withdraw cash, on credit. Using the card thus accrues debt that has to be repaid later. Credit cards are one of the most widely used forms of payment across the world.

Card schemes are payment networks linked to payment cards, such as debit or credit cards, of which a bank or any other eligible financial institution can become a member. By becoming a member of gets the possibility to issue cards or acquire merchants operating on the network of that card scheme. UnionPay, Visa and MasterCard are three of the largest global brands, known as card schemes, or card brands. Billions of transactions go through their cards on a yearly basis.

A card-not-present transaction is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected. It is most commonly used for payments made over the Internet, but can also be used with mail-order transactions by mail or fax, or over the telephone.

The term digital card can refer to a physical item, such as a memory card on a camera, or, increasingly since 2017, to the digital content hosted as a virtual card or cloud card, as a digital virtual representation of a physical card. They share a common purpose: identity management, credit card, debit card or driver's license. A non-physical digital card, unlike a magnetic stripe card, can emulate (imitate) any kind of card.

<span class="mw-page-title-main">Google Pay (payment method)</span> Mobile payments platform developed by Google

Google Pay is a mobile payment service developed by Google to power in-app, online, and in-person contactless purchases on mobile devices, enabling users to make payments with Android phones, tablets, or watches. Users can authenticate via a PIN, passcode, or biometrics such as 3D face scanning or fingerprint recognition.

The Four Corners model, often referred to as the Four Party Scheme is the most used card scheme in card payment systems worldwide. This model was introduced in the 1990s. It is a user-friendly card payment system based on an interbank clearing system and economic model established on multilateral interchange fees (MIF) paid between banks or other payment institutions.

References

  1. "SafeKey Frequently Asked Questions | American Express Canada". www.americanexpress.com. Retrieved 4 May 2021.
  2. "American Express® Card security features" (PDF). www.americanexpress.com. Archived (PDF) from the original on 27 November 2020. Retrieved 4 May 2021.
  3. "Card verification number (CVN)" . Retrieved 2 July 2023.
  4. "CIBC MasterCard - MasterCard SecureCode". Archived from the original on 24 April 2014. Retrieved 12 July 2012.
  5. "Apple Pay £20 limit in the UK will 'change over time'". Wired UK. 24 June 2015. Retrieved 24 June 2022.
  6. "Breakthrough for mobile payments? Google Pay launched in Germany". Avira . 17 July 2018. Retrieved 24 June 2022.
  7. "Samsung Pay now allows Australian users to make high-value purchases without PIN". SamMobile. 22 September 2020. Retrieved 24 June 2022.
  8. "Card Security Features" (PDF). Visa. Archived from the original (PDF) on 16 February 2012.
  9. "VISA PIN Algorithms". www.ibm.com. 18 September 2012. Retrieved 18 June 2021.
  10. "z/OS Integrated Cryptographic Service Facility Application Programmer's Guide". IBM. March 2002. p. 209.[ dead link ]
  11. "z/OS Integrated Cryptographic Service Facility Application Programmer's Guide". IBM. March 2002. p. 258.[ dead link ]
  12. 1 2 "Rules for Visa Merchants". p. 1. Archived from the original (doc) on 24 February 2014. Retrieved 26 February 2013.
  13. "Official Source of PCI DSS Data Security Standards Documents and Payment Card Compliance Guidelines". Pcisecuritystandards.org. Retrieved 25 December 2011.
  14. "Urban Legends Reference Pages: Visa Fraud Investigation Scam". Snopes.com. 23 December 2003. Retrieved 25 December 2011.
  15. Ducklin, Paul (5 December 2016). "How to guess credit card security codes". naked security by SOPHOS. Retrieved 8 December 2016.