The
Card Security Code (
CSC), sometimes called
Card Verification Value (CVV or CV2),
Card Verification Value Code (CVVC),
Card Verification Code (CVC),
Verification Code (V-Code or
V Code), or
Card Code Verification (CCV) is a security feature for
credit or debit cardA credit card is part of a system of payments named after the small plastic card issued to users of the system. It is a card entitling its holder to buy goods and services based on the holder's promise to pay for these goods and services...
transactions, giving increased protection against
credit card fraudCredit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also...
.
There are actually several types of security codes:
- The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and used for transactions in person.
- The second code, and the most cited, is CVV2 or CVC2.
The
Card Security Code (
CSC), sometimes called
Card Verification Value (CVV or CV2),
Card Verification Value Code (CVVC),
Card Verification Code (CVC),
Verification Code (V-Code or
V Code), or
Card Code Verification (CCV) is a security feature for
credit or debit cardA credit card is part of a system of payments named after the small plastic card issued to users of the system. It is a card entitling its holder to buy goods and services based on the holder's promise to pay for these goods and services...
transactions, giving increased protection against
credit card fraudCredit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also...
.
There are actually several types of security codes:
- The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and used for transactions in person.
- The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a CCID or Credit Card ID) is often asked for by merchants for them to secure "card not present" transactions occurring over the Internet, by mail, fax or over the phone. In many countries in Western Europe, due to increased attempts at card fraud, it is now mandatory to provide this code when the cardholder is not present in person.
- Contactless Card and Chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.
The CVC should not be confused with the standard card account number appearing in embossed or printed digits. (The standard card number undergoes a separate validation algorithm called the
Luhn algorithmThe Luhn algorithm or Luhn formula, also known as the "modulus 10" or "mod 10" algorithm,is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers, IMEI numbers, National Provider Identification Number in US and Canadian Social Insurance Numbers...
which serves to determine whether a given card's number is appropriate.)
The CVC should not be confused with a card's
PINPIN may be an abbreviation for:*Personal identification number, password used to access an automated teller machine*Postal Index Number , often called PIN Code...
value or PINS associated with
MasterCardMasterCard Worldwide is a multinational corporation based in Purchase, New York, United States. Throughout the world, its principal business is to process payments between the banks of merchants and the banks of purchasers that use its "MasterCard" brand debit and credit cards to make purchases....
SecureCode or Visa Verified by Visa. These codes are not printed or embedded in the card but are entered at the time of transaction.
CVC / CVV
This value is calculated with a CVK as described below and is recorded on the card. The purpose of the CVC is to ensure the data stored on the magnetic stripe of the card is valid and was generated by the Issuing Bank. This value is submitted as part of online transactions and is verified by the Issuing Bank.
A limitation of the CVC is that if the entire magnetic stripe is copied, rather than generated, the card can be duplicated. See the Skimming section for more details.
Location of CVV2
The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe.
- MasterCard
MasterCard Worldwide is a multinational corporation based in Purchase, New York, United States. Throughout the world, its principal business is to process payments between the banks of merchants and the banks of purchasers that use its "MasterCard" brand debit and credit cards to make purchases....
, VisaVisa Inc. , commonly referred to as VISA , is a multinational corporation based in San Francisco, California, USA. The company operates the world's largest retail electronic payment network, managing payments among financial institutions, merchants, consumers, businesses and government entities...
, Diners ClubDiners Club International, originally founded as Diners Club, is a charge card company formed in 1950 by Frank X. McNamara, Ralph Schneider and Matty Simmons...
, DiscoverThe Discover Card is a major credit card, issued primarily in the United States. It was originally introduced by Sears in 1985, and was part of Dean Witter, and then Morgan Stanley, until 2007, when Discover Financial Services became an independent company. Novus, a major processing center, used to...
, and JCBJapan Credit Bureau, usually abbreviated as JCB, is a credit card company based in Tokyo, Japan. Its English name is . The abbreviation is sometimes thought to stand for Japan Commerce Bank, but this is incorrect...
credit and debit cards have a 3-digit code, called the "CVC2" (card validation code), "CVV2" (card verification value), "CVV", and "CID" (card identification number), respectively. It is not embossed like the card number, and is always the final group of numbers printed on the back signature panel of the card. New North American MasterCard and Visa cards feature the "CVC2" in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.
- American Express
American Express Company , sometimes known as "AmEx", is a diversified global financial services company that is headquartered in New York City. Founded in 1850, it is one of the 30 components of the Dow Jones Industrial Average. The company is best known for its credit card, charge card, and...
cards have a 4-digit code printed on the front side of the card above the number, referred to as the CID (or Unique Card Code). It is printed flat, not embossed like the card number.
Supplying the CVV2 code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card. To date, no
cracksSoftware cracking is the modification of software to remove protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware....
for this system are known.
Security benefits of CVV2
Since the CVV2 is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as
SearsSears, officially named Sears, Roebuck and Co., is an American mid-range chain of international department stores which was founded by Richard Warren Sears and Alvah Roebuck in the late 19th century...
and Staples require the code. For
American ExpressAmerican Express Company , sometimes known as "AmEx", is a diversified global financial services company that is headquartered in New York City. Founded in 1850, it is one of the 30 components of the Dow Jones Industrial Average. The company is best known for its credit card, charge card, and...
cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a corrupt merchant cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
Merchants who require the CVV2 for "card not present" transactions are forbidden in the USA by Visa from storing the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful.
CVV2 limitations
- The use of the CVV2 cannot protect against phishing
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication...
scams, where the cardholder is tricked into entering the CVV2 among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CVV2 as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CVV2 (which is all that the phisher needs).
- Since the CVV2 may not be stored by the merchant for any length of time (after the original transaction in which the CVV2 was quoted and then authorized and completed), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.
- Some card issuers do not yet use the CVV2 - although MasterCard started in 1997 and Visa in the USA had them issued by 2001. However, transactions without CVV2 are likely to be subjected to more stringent fraud screening, and fraudulent transactions without CVV2 are more likely to be resolved in favour of the cardholder.
Generation of CSC Codes
CVV, CVC CVC2 and CVV2 values are generated when the card is issued. The values are calculated by encrypting the
PANThe numbers found on credit cards and bank cards have a certain amount of internal structure, and share a common numbering scheme. Credit card numbers are a special case of ISO/IEC 7812 bank card numbers....
, expiration date and service code with encryption keys ( Often called Card Verification Key or CVK ) known only to the issuing bank, and decimalising the result.
See also
- Credit card fraud
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also...
- ISO 8583
ISO 8583 Standard for Financial Transaction Card Originated Messages - Interchange message specifications is the International Organization for Standardization standard for systems that exchange electronic transactions made by cardholders using payment cards....
(Data element #44 carries the Security Code response)