Card security code

Figure: The card security code is located on the back of Mastercard, Visa, Discover, Diners Club, and JCB credit or debit cards and is typically a separate group of three digits to the right of the signature strip.

Figure: On American Express cards, the card security code is a printed, not embossed, group of four digits on the front towards the right.

A card security code (CSC; also known as CVC, CVV, or several other names, see Naming) is a series of numbers that, in addition to the bank card number, is printed (not embossed) on a card. The CSC is used as a security feature for card-not-present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder (as they would during point-of-sale or card-present transactions). It was instituted to reduce the incidence of credit card fraud.

These codes are in slightly different places for different card issuers. The CSC for Visa, Mastercard, and Discover credit cards is a three-digit number on the back of the card, to the right of the signature box. The CSC for American Express is a four-digit code on the front of the card above the account number. See the figures for examples.

CSC was originally developed in the UK as an eleven-character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWest bank, the concept was adopted by the UK Association for Payment Clearing Services (APACS) and streamlined to the three-digit code known today. Mastercard started issuing CVC2 numbers in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999, in response to growing Internet transactions and card member complaints of spending interruptions when the security of a card has been brought into question.

Contactless cards and chip cards may electronically generate their own code, such as iCVV or a dynamic CVV.


Naming

The codes have different names:

* "CSC" or "card security code": debit cards, American Express (three digits on back of card, also referred to as 3CSC)
* "CVC" or "card validation code": Mastercard
* "CVV" or "card verification value": Visa
* "CAV" or "card authentication value": JCB
* "CID": "card ID", "card identification number", or "card identification code": Discover, American Express (four digits on front of card). American Express usually uses the four-digit code on the front of the card, referred to as the card identification code (CID), but also has a three-digit code on the back of the card, referred to as the card security code (CSC). American Express also sometimes refers to a "unique card code".
* "CVD" or "card verification data": Discover
* "CVE" or "Elo verification code": Elo in Brazil
* "CVN" or "card validation number": China UnionPay
* "SPC" or "signature panel code"


Types

There are several types of security codes, as well as the PVV (all are generated from a DES key held in the bank's HSMs, using the PAN, expiration date and service code):

* The first code, three digits long and called CVC1 or CVV1, is encoded on tracks one and two of the magnetic stripe of the card and is used for card-present transactions, with signature (the second track also contains the PIN verification value, PVV, which is now usually all zeroed out, and the service code). The purpose of the code is to verify that a payment card is actually in the hand of the merchant (thus it should be different from CVV2). This code is automatically retrieved when the magnetic stripe of a card is read (swiped) on a point-of-sale (card-present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid, even though a signature is usually still required afterwards. (See credit card fraud § skimming.)
* The second code, and the most cited, is CVV2 or CVC2. This code is often used by merchants for card-not-present transactions, including online purchases. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person. It uses service code 000.
* Contactless and/or chip EMV cards supply their own electronically generated codes, called iCVV, which use service code 999. The iCVV is described in public standards from EMVCo.
* Consumer Device Cardholder Verification Method (CDCVM) is a type of identity verification in which the user's mobile device (such as a smartphone) is used to verify the user's identity; for example, it can use the device's biometric authentication features (e.g. Touch ID or Face ID) or the device's set passcode. It is supported by a number of payment systems, such as Apple Pay, Google Pay or Samsung Pay.


Location

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, however, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

* American Express cards have a four-digit code printed on the front side of the card above the number.
* Diners Club, Discover, JCB, Mastercard, and Visa credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.
* New North American Mastercard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.


Generation

The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys known only to the card issuer, and decimalising the result (in a similar manner to a hash function).
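
The derive-then-decimalise flow described under Types and Generation, as an added sketch that is not part of the original article and not an issuer's algorithm. Assumptions: HMAC-SHA-256 stands in for the issuer's DES operations, the decimalisation scheme (digits first, then A-F mapped to 0-5) is one common choice, and the key, PAN, expiry and stripe service code are constructed values.

```python
import hashlib
import hmac

# Service codes named in the Types section: CVV2 uses 000, iCVV uses 999.
SERVICE_CODE_CVV2 = "000"
SERVICE_CODE_ICVV = "999"


def decimalise(hex_text: str, length: int = 3) -> str:
    """Turn cipher output (hex) into decimal digits.

    Assumed scheme: keep the digits 0-9 in order, then append the letters
    A-F mapped to 0-5, and return the first `length` characters.
    """
    hex_text = hex_text.upper()
    digits = [c for c in hex_text if c in "0123456789"]
    letters = [str(ord(c) - ord("A")) for c in hex_text if c in "ABCDEF"]
    return "".join(digits + letters)[:length]


def derive_code(issuer_key: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Derive a three-digit code from card data and the issuer's secret key.

    HMAC-SHA-256 is a stand-in for the issuer's DES steps (assumption).
    """
    fields = (pan, expiry, service_code)
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PAN, expiry and service code must be numeric")
    if len(expiry) != 4 or len(service_code) != 3:
        raise ValueError("expiry needs 4 digits, service code needs 3")
    block = (pan + expiry + service_code).encode("ascii")
    keyed = hmac.new(issuer_key, block, hashlib.sha256).hexdigest()
    # 16 hex characters always decimalise to at least three digits.
    return decimalise(keyed[:16])


def verify_code(issuer_key: bytes, pan: str, expiry: str,
                service_code: str, presented: str) -> bool:
    """Issuer-side check: recompute from the key, compare in constant time."""
    expected = derive_code(issuer_key, pan, expiry, service_code)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed, not a real key
    pan, expiry = "4111111111111111", "2912"    # constructed test values
    # Same card, different service code: each code form is derived separately.
    for label, sc in (("stripe", "201"), ("CVV2", SERVICE_CODE_CVV2),
                      ("iCVV", SERVICE_CODE_ICVV)):
        print(label, derive_code(key, pan, expiry, sc))
```

Because the code is recomputed from the issuer's key at verification time, nothing outside the issuer needs to keep it after authorisation.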


Benefits and limitations

As a security measure, merchants who require the CVV2 for "card not present" transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized. This way, if a database of transactions is compromised, the CVV2 is not present and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits cardholder data.

Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.

Supplying the CSC in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

Limitations include:

* The use of the CSC cannot protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs and the purpose of the scam in the first place).
* Since the CSC may not be stored by the merchant for any length of time (after the original transaction in which the CSC was quoted and then authorized), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction. Payment gateways, however, have responded by adding "periodic bill" features as part of the authorization process.
* Some card issuers do not use the CSC. However, transactions without CSC are possibly subjected to higher card processing cost to the merchants, and fraudulent transactions without CSC are more likely to be resolved in favour of the cardholder.
* It is not mandatory for a merchant to require the security code for making a transaction, so the card may still be prone to fraud even if only its number is known to phishers. For example, Amazon requires only a card number and expiration date to complete a transaction.
* It is possible for a fraudster to guess the CSC by using a distributed attack.
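
The no-storage rule in this section, as an added sketch that is not part of the original article or any gateway's code: it drops CSC fields from an authorisation request before the record is persisted and audits stored records for any that remain. The record layout, the function names and the field-name heuristic built from the Naming list are assumptions, and the sample data is constructed.

```python
import re

# Name tokens from the article's Naming list. Matching field names on these
# tokens is a heuristic (assumption); "cid" or "cve" can mean other things.
CSC_TOKENS = {"csc", "cvc", "cvv", "cav", "cid", "cvd", "cve", "cvn", "spc"}
# Splits snake_case, camelCase and digits: "cardCvv2" -> card, Cvv, 2
TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")


def is_csc_field(name) -> bool:
    """True when any token of the field name is a known CSC name."""
    return any(t.lower() in CSC_TOKENS for t in TOKEN.findall(str(name)))


def strip_csc(value):
    """Return a copy that is safe to persist: CSC fields removed at any depth."""
    if isinstance(value, dict):
        return {k: strip_csc(v) for k, v in value.items() if not is_csc_field(k)}
    if isinstance(value, list):
        return [strip_csc(v) for v in value]
    return value


def find_csc_fields(value, path=""):
    """Audit helper: paths of CSC-named fields still present in stored data."""
    hits = []
    if isinstance(value, dict):
        for k, v in value.items():
            here = f"{path}.{k}" if path else str(k)
            if is_csc_field(k):
                hits.append(here)
            else:
                hits.extend(find_csc_fields(v, here))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            hits.extend(find_csc_fields(v, f"{path}[{i}]"))
    return hits


def persist_after_authorisation(request, authorised, store):
    """The CSC is used for the authorisation only; the stored copy omits it."""
    store.append({"request": strip_csc(request), "authorised": authorised})


# Constructed sample request (hypothetical layout, not a real gateway format).
SAMPLE_REQUEST = {
    "merchant_ref": "order-1001",
    "card": {"pan_token": "tok_constructed", "expiry": "2912", "cvv2": "123"},
    "wallet": [{"cardCvc": "456", "label": "backup"}],
}

if __name__ == "__main__":
    store = []
    print("in request:", find_csc_fields(SAMPLE_REQUEST))
    persist_after_authorisation(SAMPLE_REQUEST, True, store)
    print("in store:  ", find_csc_fields(store))
```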


See also

* 3-D Secure
* Credit card fraud
* ISO 8583

