Card Security Code - Wikipedia, the free encyclopedia Page 1 of 2

Wikipedia is sustained by people like you. Please donate today.

Card Security Code
From Wikipedia, the free encyclopedia
(Redirected from CVV2)

The Card Security Code (CSC), sometimes called Card Verification Value or Code (CVV or
CVC), is a security feature for credit or debit card transactions, giving increased protection
against credit card fraud.

There are actually two security codes:

„ The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and The Card Security Code is
used for transactions in person. located on the back of
„ The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a MasterCard, Visa and
CCID or Credit Card ID) is often asked for by merchants for them to secure "card not Discover credit or debit cards
present" transactions occurring over the Internet, by mail, fax or over the phone. In many and is typically a separate
countries in Western Europe, due to increased attempts at card fraud, it is now mandatory group of 3 digits to the right of
the signature strip.
to provide this code when the cardholder is not present in person.

This latter CSC should not be confused with the standard card account number appearing in
embossed or printed digits. (The standard card number undergoes a separate validation
algorithm called the Luhn algorithm which serves to determine whether a given card's number is
appropriate.)

Contents
On American Express cards,
„ 1 Location of CVV2 the Card Security Code is a
„ 2 Security benefits of CVV2 printed (NOT embossed)
„ 3 CVV2 limitations group of four digits on the
front towards the right.
„ 4 See also
„ 5 References

Location of CVV2
The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe.

„ MasterCard, Visa, Discover, and JCB credit and debit cards have a 3-digit code, called the "CVC2" (card validation code),
"CVV2" (card verification value), and "CID" (card identification number), respectively. It is not embossed like the card
number, and is always the final group of numbers printed on the back signature panel of the card. New North American
MasterCard and Visa cards feature the "CVC2" in a separate panel to the right of the signature strip.[1] This has been done
to prevent overwriting of the numbers by signing the card.

„ American Express cards have a 4-digit code printed on the front side of the card above the number, referred to as the CID
(or Unique Card Code). It is printed flat, not embossed like the card number.

The number is generated when the card is issued, by encrypting the card number and expiration date under a key known only to
the issuing bank. Supplying this code in a transaction is intended to verify that the customer has the card in their physical
possession. To date, no cracks for this system are known.

Security benefits of CVV2

Since the CVV2 is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is
used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, have recently begun
requiring the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in
European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to
the bank/cardholder, in that a corrupt merchant cannot simply capture the magnetic stripe details of a card and use them later for
"card not present" purchases over the phone, mail order or Internet. To do this, a merchant would also have to note the CVV2
visually and record it, which is more likely to arouse the cardholder's suspicion.

http://en.wikipedia.org/wiki/CVV2 5/12/2008
Card Security Code - Wikipedia, the free encyclopedia Page 2 of 2

Online merchants who require the CVV2 in their transactions are forbidden[2] in the USA by Visa from storing the CVV2 once
the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not
included, and the stolen card numbers are less useful.

CVV2 limitations
„ The use of the CVV2 cannot protect against phishing scams, where the cardholder is tricked into entering the CVV2
among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the
CVV2 as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number
(perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims
(lulling them into a false sense of security) before asking for the CVV2 (which is all that the phisher needs).[3]
„ Since the CVV2 may not be stored by the merchant for any length of time[2] (after the original transaction in which the
CVV2 was quoted and then authorized and completed), a merchant who needs to regularly bill a card for a regular
subscription would not be able to provide the code after the initial transaction.
„ Some card issuers do not yet use the CVV2 - although MasterCard started in 1997 and Visa in the USA had them issued by
2001.[3] This means the use of CVV2 codes must remain optional (for merchants); however, transactions without CVV2
are likely to be subjected to more stringent fraud screening, and fraudulent transactions without CVV2 are more likely to
be resolved in favour of the cardholder. As of 2008, most mainstream online merchants refuse to complete a transaction
without CVV2, so a user who doesn't have CVV2, can't buy their services.

See also
„ Credit card fraud
„ ISO 8583 (Data element #44 carries the Security Code response)

References
1. ^ Card Security Features and Acceptance, Merchant Resources | Visa.ca
2. ^ a b http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
3. ^ a b Urban Legends Reference Pages: Visa Fraud Investigation Scam

Retrieved from "http://en.wikipedia.org/wiki/Card_Security_Code"

Categories: Electronic commerce | Credit cards | Merchant services
Hidden categories: All articles with unsourced statements | Articles with unsourced statements since March 2008

„ This page was last modified on 28 April 2008, at 19:23.

„ All text is available under the terms of the GNU Free Documentation License. (See Copyrights for details.)
Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a U.S. registered 501(c)(3) tax-deductible
nonprofit charity.

http://en.wikipedia.org/wiki/CVV2 5/12/2008