Talk:Card Security Code

From Wikipedia, the free encyclopedia

	Business and economics Portal This article is within the scope of the Business and Economics WikiProject.
Start	rated as start-Class on the assessment scale
Mid	rated as mid-importance on the assessment scale

This article about Exonumia is part of the WikiProject Numismatics, which is an attempt to facilitate the categorization and creation of accurate and formal Numismatism-related articles on Wikipedia. If you would like to participate please visit the project page, where you can join and see a list of open tasks to help with.

Contents 1 Related to actual number? 2 Security model 3 Is it really sure? 4 Imprints 5 Retention is possible 6 Location of CVV2 7 History 8 What do the acronyms stand for?

[edit] Related to actual number?

Q. Is the CVV2 number related to the actual credit card number? Is it a random number? Or is there some other way that the card issuer selects the CVV2 number to put on a card? —Preceding unsigned comment added by 207.233.79.134 (talk • contribs) 23:27, 4 August 2005

A. I don't think MC or Visa require a particular algorithm, so it can be a random number stored in a secure lookup table, or it can be a derived number based on card data using a secret issuer key. —Preceding unsigned comment added by 38.112.4.254 (talk • contribs) 21:02, 31 March 2006

The CVV2 is an encryption of the card number and expiry date, under a key known only to the issuing bank. The CVV on the magstripe is similar but the encryption also covers the service code, a value on the magnetic stripe. Zaian 10:46, 18 June 2006 (UTC)

This isn't an encryption, although it may be a hash. The bank can't recover the card number, no matter how many keys they have, from a mere 3 digits! Andy Dingley (talk) 16:52, 10 June 2008 (UTC)

[edit] Security model

I do not quite understand the security model underlying the CVV2. Isn't it the case that credit card numbers are typically obtained by making the user enter them on forged websites or by sniffing network traffic? Now what additional security do I gain if all such transactions will soon require to give the CVV2 as well? The same online methods used for stealing the credit card number can also be used to steal the CVV2.

I am just dealing with a transaction that requires me to send my credit card number and CVV2 via fax. The fax machine on the other side may stand in a crowded office and even the cleaning staff may be able to reprint the received faxes in the evening. How can the CVV2 verify that someone holds the card physically if its eventually printed out on some random paper sheets in offices all over the world? --Markus Krötzsch 07:54, 11 August 2005 (UTC)

I agree. When I call up my telco to pay my bill, and they ask me "and now sir, can I have the last three digits from the back of the card", how do I know they won't use it in conjunction with the credit card number I just provided them to buy lots of stuff? I suppose it might help for things like dumpster-diving receipts etc, where the CVC is not printed... but I think it's less useful than people give it credit for (no pun intended :-) StephenFalken 00:05, 2 May 2006 (UTC)

See, that is why I just use bill pay services from my bank, no need to talk to a person by phone and provide them with that number, I personally try to avoid giving out my credit card to a company except for a secure website, and I would prefer the companies to not store my credit card as a permanent record and just use it for that one transaction Quazywabbit 06:28, 20 May 2006 (UTC)

[edit] Is it really sure?

The value of this system of security may be disputed. Anybody who can look at the card or recive payment orders with this validation code can know its value. For this reason it can not be anymore consider that the only person who know the code is the legittate owner of the card after the card is used the first time (or even before that, if anybody can look at the card). Morover the value is also known by the credit card society. AnyFile 14:21, 19 August 2005 (UTC)

On your last point, the value is not known (i.e. is not stored) by the issuing bank. The value is obtained by encrypting some card details. The validation process is that the transaction details are sent to a secure cryptographic device called a Hardware Security Module (HSM) which internally derives the CVV2 for the card and returns a "Yes/No" response indicating whether the CVV2 supplied was correct or not. It's a "black box" - the software can ask the HSM "was this CVV2 right?" but not "what is the CVV2 for this card?". This is similar to the process for validating PINs. Zaian 10:46, 18 June 2006 (UTC)

[edit] Imprints

There are some cases where a possible attacker has access to the credit card number, but not the CVV2. For instance, an employee at a store that takes credit cards may be able to make copies of large numbers of receipts, and the credit card number. In this case a person could make a large number of relatively small purchases on-line in a short period of time. Without the physical credit card or the CVV2, it is difficult to do this.

Of course, an employee would be able to record the CVV2 for any card that they physically handled, but in this case sales records would be able to identify the employee.

This is a guess, but it seems reasonable. —Preceding unsigned comment added by 82.93.59.73 (talk • contribs) 18:18, 21 August 2005

Well, it is not so dificcult for an employer of a shop (or for the owner of the shop too) to look at the secutity code without being seen as suspicious. On some cards the security code is on the front and in other cases is next to the signaure box on the back of the card (which the merchant has contract right and duty to check at). The code is enought small to be memorized, so there no need to write it down immidiately rising suspicious. Morover in many case I see the teller write down on the credit card recipes many informations (the number of the day selling, and so on). The security code could be written among the same datas without rising souspicious, or it can even be written in a encripten form. if the fraud is made some time later (even months since the card is usually valid for 2 years and all the information needed, including the security code, do not change in the meantime) it would very difficult to track down all the place it was used in the time. And unless the teller is so silly to buy things online and have them sent to his/her postal address, it is very difficult to link among the use of the credit card and a specific sale, when the card was use.

I have to say that my opinion is that this, so called, security code only add a very little protection, and this addictional small protection is completely void when you reveal the CCV2 data. It is difficult to have a really safe system when the card is used at distance. All the datas sent can be read by at leat someone and if the exactly same datas is all is needed to make another transaction, the protection is rather low. In my opinion the only way to solve this issue is that among the datas trasmited should be only know by the owner and that this data change at any time of use (and optionally depends also on the name or on the code of the merchant). AnyFile 13:45, 9 July 2006 (UTC)

[edit] Retention is possible

I'm not sure how to phrase this in the article, but since the CVV2 can be stored prior to the completion of a transaction, in the case of a time-delayed transaction this storage period may in fact be very lengthy. I am currently working with a client that requires up to six months between collection and charging, and for technical reasons verification of the card is not possible at time of collection. I realize this sounds stupid, but it is allowed (though discouraged) in the specs. I'm not sure if this should be listed as a "drawback," since it seems to be a problem with a particular system's business requirements rather than the number itself. But that could be arguable about most of the drawbacks, so I'm not sure.

12.205.149.45 22:54, 3 August 2007 (UTC)

[edit] Location of CVV2

There is an incorrect statement in this article: "The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe."

In this article, it is stated that the magnetic strip may include CVV:

http://en.wikipedia.org/wiki/Magnetic_stripe

Financial cards Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), Pin Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVK, 3 characters)

Jimmied999 14:19, 14 August 2007 (UTC) http://www.ded.co.uk/magnetic-stripe-card-details.html

CVV1 is stored on the card. CVV2 is not. I think the statement is accurate Talyian 16:07, 14 September 2007 (UTC)

[edit] History

When did this whole CSC thing get started? I think it would be nice to have a "History" section in this article. I know that 10 or 20 years ago, cards didn't have this. Westwind273 17:30, 17 September 2007 (UTC)

[edit] What do the acronyms stand for?

It seems like the article should say... —Preceding unsigned comment added by 206.168.188.130 (talk) 19:02, 26 October 2007 (UTC)