The Real Truth About Credit Card Security Code
If you always purchase items online or pay for different services with your credit card, you have probably entered your security code a couple of times. This is a short series of digits found on your physical card that’s different from your credit card number. Providing this code gives some extra assurance that the card is in your possession and that your payment information isn’t being used fraudulently.
But you might be wondering what the credit card security code is, what it is for, and why you need it. Read on for answers to these and many more questions.
- What is a Credit Card Security Code?
- Is it Safe to Give Out Your CVV Code?
- How Does The Credit Card Security Code Work?
- How Can I Secure my Security Code?
- How do Hackers Get Your CVV Number?
- What is The Point of The Security Code on Credit Cards?
- Should I Ever Give CVV Number Over The Phone?
- What Can I do With CVV?
What is a Credit Card Security Code?
A Card Security Code (CSC), also known as a Card Validation Code (CVC), is a series of numbers shown on the back of the card. This important 3-digit number is a security feature of your card that is used when making transactions. It is not the Personal Identification Number (PIN) and cannot be given by the cardholder. Banks started providing security codes to reduce credit card fraud.
The security code is so safe that it will not be available on your online credit card account. When you make a purchase without handing over your card (online, for example), the retailer may ask you for your card number and your security code.
However, even though you give them your credit card number, retailers aren’t allowed to (nor can they) store credit card security codes after completing transactions. The reason is that a retailer’s electronic records could be hacked, and a CSC/CVC number that is never stored cannot be taken from them. It is only a trigger to complete the purchase, showing that you hold the card.
Credit card security codes also go by a few other names:
- CVV: Card Verification Value
- CVV2: Card Verification Value 2 (Visa)
- CVC: Card Verification Code (MasterCard)
- CVC2: Card Validation Code 2 (MasterCard)
- CVD: Card Verification Data (Discover)
- CID: Card Identification Number (Discover and American Express)
- CSC: Card Security Code (American Express)
Where to find it?
Here’s where you can usually find your credit card’s security code, depending on which network your card is in. The layout can vary a little by issuer and card, though, so if you don’t find the code where you expect it to be, keep looking for an unembossed three- or four-digit number.
- American Express: Four digits on the front of the card, on the right-hand side above the card number
- Mastercard and Visa: Three digits on the back of the card at the right end of the signature field
- Discover: Three digits on the back of the card, in a box to the right of the signature field
How Does The Credit Card Security Code Work?
Card security codes are a form of two-factor authentication. Two-factor authentication relies on two pieces of information – such as a credit card number and a CVV – to confirm you are the cardholder. The CVV verifies that the card is in your possession and, as a result, helps prevent fraud, says Monica Eaton-Cardone, co-founder and chief operating officer of the risk mitigation and chargeback management firm Chargebacks911.
“If a buyer can correctly enter the card’s CVV during checkout, it’s likely the person at least has the card in her physical possession,” Eaton-Cardone says. “That makes it harder for criminals to use stolen cardholder information to make fraudulent purchases.”
Entering the wrong code should result in a declined transaction, says Nicolas Beique, founder and CEO of payment processing platform Helcim.
Eaton-Cardone notes that even with regulations prohibiting merchants from storing your CVV information, transactions can still be authorized online without it. For instance, many subscription services only require the CVV be entered at sign-up; after that, additional purchases can be authorized without it.
“The CVV is sort of like a seatbelt for your credit card,” Eaton-Cardone says. It’s just one safety measure that, when used in conjunction with others, can offer layers of security for your credit card.
Is it Safe to Give Out Your CVV Code?
Always closely guard your card’s CVV code. If a thief has your credit card number, expiration date, and CVV number, that is all the information the thief needs to make an online purchase.
A CVV code is a layer of protection that makes fraud difficult but not impossible.
“There is a reduced chance that your account will be used to make unauthorized purchases when someone obtains your credit card number without the CVV code,” says Bruce McClary, senior vice president of communications for the National Foundation for Credit Counseling. “You may still be vulnerable in situations where the card is used without your permission on a website that does not require the CVV code to be entered.”
Cybercrimes present additional risks. Cyberthieves can employ software known as malware to steal security codes from retailers.
While it is generally safe to give your CVV number to trusted merchants, it’s not always necessary. If you’re using a card in person, the CVV code typically isn’t required. In general, providing a card security code when you’re shopping online is safe, as long as you’re making purchases from trusted websites. Typically, it’s also OK to give a CVV number over the phone. Just make sure no one is eavesdropping and can hear the numbers.
One way some credit card issuers are trying to bypass the entire CVV issue is by supplying virtual credit cards with randomly generated account numbers for online purchases. Users of Citi’s Virtual Account number service, available with select cards, can create temporary credit card numbers for one-time use instead of using their real credit card numbers. The 16-digit account number, including a security code and an expiration date, helps safeguard your online privacy.
Credit card CVV numbers are also susceptible to phishing attacks, where scammers use fraudulent emails or copycat websites to trick cardholders into sharing sensitive information, including security codes. A common scam is spoofed texts or phone calls that look like they are coming from your credit card company, asking for your CVV number to verify a recent purchase. If you receive a similar communication, ignore it and call your credit card issuer.
How Can I Secure my Security Code?
Requiring customers to give their credit card security codes when they make a purchase can protect against fraud, but the codes must be known only to cardholders for this security feature to work. It’s important to guard your credit card information, including security codes, carefully:
- Don’t lend your credit card to other people or leave it in a public place.
- Verify that websites are secure before shopping online. Check that the website address begins with “https” and that a lock icon appears next to the URL.
- Don’t enter credit card information at a public computer or over public Wi-Fi networks.
- Don’t give out credit card information to anyone who’s called you on the phone—even if the caller ID looks right. Scammers can manipulate caller ID. If you want to pay for something by phone, you should call the merchant yourself.
- Make sure your card isn’t visible in any photos you post online.
- If you store credit card information on your phone, set your phone to lock promptly when not in use, and protect it with a strong passcode or biometric authentication.
- Take advantage of any security services your credit card issuer offers, such as notifications for unusually large transactions or suspicious account activity.
- If you believe your account information may have been compromised, tell your card issuer right away so it can send you a new card.
How do Hackers Get Your CVV Number?
After your card number and personal information, a CVV is one of your last lines of defense against fraud. It’s important to understand how hackers can get this number and the tips you can follow to keep your finances intact.
There are two main ways hackers can get your card info, including your CVV number: phishing and using a web-based keylogger.
Phishing is a form of online security theft where sensitive information is stolen, such as your credit card details. Phishing usually works by tricking a user into giving up their details.
Phishing tactics can range from simplistic scam attempts to more sophisticated website tampering. Examples include tricky links (URLs that look legitimate but direct you to the phisher’s website), DNS cache poisoning (in which a phisher changes the DNS server information so that everyone who accesses the site is redirected to another site), and screen capture malware, which is used to record and report information to the phisher.
Have you ever received an email that looked like it might have been sent by your bank but had a few suspicious details or errors? Maybe the return email address wasn’t the official address you usually receive correspondence from or maybe there was a link to an unfamiliar website? It’s likely this was a phishing email sent to fool you into downloading malware or giving up your card information.
A keylogger can be illegally installed on a website so that all of the data customers submit to the site is duplicated and forwarded to the attacker’s server. It does this by form grabbing: taking form data submitted by users, such as your name, address, credit card number and, of course, your CVV. The keylogger is designed to capture the data entered in the form fields before it’s encrypted when you submit it to the site. Hackers often employ keyloggers in tandem with phishing attempts.
What Should You do?
Even though online transactions are becoming more secure as technology develops, there are some simple steps and tips you should consider to reduce your chances of becoming a victim of online credit card fraud.
- Use anti-virus software. Install anti-virus software and firewalls to protect your finances and other personal information when shopping or just browsing online.
- Look for the signs. Whenever you receive an email, especially if it’s requesting any type of personal or financial information, look out for telltale signs such as generic greetings, threats to your account that call for immediate action, suspicious links and email addresses, and misspelling and poor grammar.
- Check the site’s SSL certificate. SSL certificates are small data files that, when installed on a web browser, activate a padlock symbol and the https protocol which ensures secure connections from a web server to a browser. So, typically, if you see that padlock symbol, the site is safe.
- Use services such as PayPal. If you don’t want to enter your credit card details, use secure services such as PayPal which don’t require you to enter your details when you’re making a purchase. Instead, you create a PayPal account, enter your details there and then all payments are made through your secure PayPal account.
What is The Point of The Security Code on Credit Cards?
As a security measure, merchants who require the CVV2 for “card not present” transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized. This way, if a database of transactions is compromised, the CVV2 is not present and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.
The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits cardholder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code.
For American Express cards, this has been an invariable practice (for “card not present” transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for “card not present” purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.
Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
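The no-storage rule described above can be checked mechanically. The sketch below is an added example, not code from any card network or payment gateway: it builds the record a merchant keeps after authorization without the security code, and scans stored data for codes that slipped in anyway. The field names, sample records and the choice to keep only the last four card digits are assumptions made for the example.

```python
import re

# Names the page lists for the security code, plus one generic key (assumption).
CSC_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cvd", "cid", "csc", "security_code"}
# Free-text form, e.g. "cvv=123" or "CVC: 4821" inside a log line.
CSC_IN_TEXT = re.compile(
    r"\b(?:cvv2?|cvc2?|cvd|cid|csc|security[_ ]code)\b\W{0,3}(\d{3,4})\b", re.I)


def record_for_storage(request, approved):
    """Build the record a merchant keeps once authorization has completed.

    The security code is used for the authorization call only and is never
    copied here. Keeping just the last four card digits is this example's choice.
    """
    return {
        "order_id": request["order_id"],
        "card_last4": request["card_number"][-4:],
        "expiry": request["expiry"],
        "approved": approved,
    }


def find_stored_csc(obj, path="$"):
    """Return the paths in stored data (dicts, lists, strings) that hold a code."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if key.lower() in CSC_KEYS and re.fullmatch(r"\d{3,4}", str(value)):
                hits.append(here)
            else:
                hits.extend(find_stored_csc(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_stored_csc(item, f"{path}[{i}]"))
    elif isinstance(obj, str) and CSC_IN_TEXT.search(obj):
        hits.append(path)
    return hits


# Constructed sample data: one checkout request and three ways a code ends up stored.
REQUEST = {"order_id": "A-1001", "card_number": "4111111111111111",
           "expiry": "12/30", "cvv2": "123"}
BAD_STORE = [
    dict(REQUEST),  # raw request saved as-is
    {"order_id": "A-1002", "debug": "gateway call pan=****1111 CVC: 4821 ok"},
    {"order_id": "A-1003", "payment": {"card_last4": "0005", "CID": "9012"}},
]

if __name__ == "__main__":
    print(find_stored_csc(BAD_STORE))
    print(find_stored_csc([record_for_storage(REQUEST, True)]))
```
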
- The use of the CSC cannot protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs and the purpose of the scam in the first place).
- Since the CSC may not be stored by the merchant for any length of time (after the original transaction in which the CSC was quoted and then authorized), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction. Payment gateways, however, have responded by adding “periodic bill” features as part of the authorization process.
- Some card issuers do not use the CSC. However, transactions without CSC are possibly subjected to higher card processing costs to the merchants, and fraudulent transactions without CSC are more likely to be resolved in favor of the cardholder.
- It is not mandatory for a merchant to require the security code for making a transaction, so the card may still be prone to fraud even if only its number is known to phishers. For example, Amazon requires only a card number and expiration date to complete a transaction.
- It is possible for a fraudster to guess the CSC by using a distributed attack.
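For the last point in the list above, a detection sketch from the side of an issuer or gateway, which sees declines for one card across every merchant. This is an added example, not part of the original article; the event format, the card tokens, the window and the threshold are all assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 600   # sliding look-back window (assumed value)
MAX_CSC_FAILURES = 5   # security-code declines tolerated per card in the window (assumed)


def flag_csc_guessing(events, window=WINDOW_SECONDS, limit=MAX_CSC_FAILURES):
    """Return {card_token: (failure_count, merchants)} for cards over the limit.

    events: iterable of (epoch_seconds, card_token, merchant_id, result), where
    result is "csc_mismatch", "approved" or another decline reason.
    Failures are counted per card across all merchants, not per merchant.
    """
    by_card = defaultdict(list)
    for ts, card, merchant, result in sorted(events):
        if result == "csc_mismatch":
            by_card[card].append((ts, merchant))

    flagged = {}
    for card, fails in by_card.items():
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most `window` seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count > limit and count > flagged.get(card, (0, set()))[0]:
                flagged[card] = (count, {m for _, m in fails[start:end + 1]})
    return flagged


# Constructed sample events (no real cards or merchants).
EVENTS = (
    # tok_A: eight wrong codes in under four minutes, one per merchant.
    [(1000 + 30 * i, "tok_A", f"m{i}", "csc_mismatch") for i in range(8)]
    # tok_B: a cardholder mistyping twice, then succeeding.
    + [(1000, "tok_B", "shop1", "csc_mismatch"),
       (1020, "tok_B", "shop1", "csc_mismatch"),
       (1040, "tok_B", "shop1", "approved")]
    # tok_C: six wrong codes, but twenty minutes apart.
    + [(1200 * i, "tok_C", f"s{i}", "csc_mismatch") for i in range(6)]
)

if __name__ == "__main__":
    for card, (count, merchants) in flag_csc_guessing(EVENTS).items():
        print(card, count, "failures at", len(merchants), "merchants")
```
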
Should I Ever Give CVV Number Over The Phone?
Generally speaking – yes. Debit cards (and credit cards, for that matter), as well as reputable merchants, employ a number of technologies that greatly increase the security level when making payments over the phone.
One of them is your credit/debit card number, which as an owner of the card only you should know, and another is a shortcode called CVV – an abbreviation that stands for card verification value.
Printed on the back of your card, the CVV is a 3-4 digit code and its intended goal is to provide additional security when making purchases. The CVV makes sure you are in possession of the card and not someone else as the code shouldn’t be known to anyone other than the card owner.
Despite all security measures you should never forget that fraudsters are always looking for ways to beat them and steal your credit/debit card information and quite possibly even your money! This is where you step in – by doing a few simple things you can further protect yourself and your earnings.
So here is what to pay attention to when providing card details, especially on the phone:
- If using the Internet, make sure the good or service you want to buy comes from a reputable website. With that being said, always research the company offering the service or product beforehand.
- Never show your card details in public.
- Never provide your CVV number when asked on the phone or when processing a card payment in person. This is a sure sign of an impending fraud! CVV numbers are for online purchases only!
- When making a payment on the phone, always obtain the phone number from a trusted source and make the call directly.
- Always check your monthly bank statement thoroughly for charges you do not recognize.
What Can I do With CVV?
One of the last lines of defense, however, is the card verification value (CVV). This is that three to four-digit verification code on the back of most standard credit cards. Even if someone steals information like your card number, expiration date, and billing address, they won’t be able to complete the transaction without the CVV.
If you have an online storefront, for example, a CVV filter is basically a CVV field on the checkout page. In order for the payment to be authorized, that unique number on the back of the card must match what the bank has on file. If not, the purchase doesn’t go through. If the numbers match, then the payment transaction goes through.
A CVV filter prevents anyone except the cardholder from using the card. Even if a hacker has your credit or debit card number, they can’t make any purchases, because the filter requires those digits on the back of the card to be given to the business before the completed transaction is actually sent. Since retailers are not allowed to store information like the CVV, this number can’t be found online.
This is a simple, added security measure that can prevent anyone from making excessive charges to the credit or debit card, which ultimately leaves the cardholder in financial ruin.
In your business, if you make any card-not-present transactions, such as online, over the phone, or by snail mail, then you need to require a field where the cardholder inputs the CVV to verify the transaction.
Here’s the problem with CVV. These numbers are static. This means that they never change. So while that may come in useful when the card isn’t present, what happens if you lose your card in public? Some nefarious individual is now able to start using your card as freely as they would like.
Fortunately, card issuers are resolving this issue by providing cardholders with dynamic CVVs. These are temporary numbers that expire and are sent to the cardholder via email or text message. So, even if someone physically steals your credit or debit card, they can’t use it because without the CVV they can’t complete the transaction.
While CVV filters, even if they’re dynamic, won’t completely eliminate fraudulent online payments, they can reduce the risk. This is good for customers and businesses who want to avoid a bad reputation or chargebacks because of a security breach.
Every person and every business needs to be concerned and active in the personal security area of life. All persons need to watch out and protect themselves from fraud. The card companies and banks can’t do it all alone. CVV number changes on an annual basis may be a start of better card protection, but until then, the CVV number itself is working pretty well.
Even though credit cards have plenty of security protection like with security codes, it’s important to be mindful of where you’re purchasing items and to check your statements periodically. Security codes are a safeguard for consumers, and it’s helpful to know what and where they are if you need to share them.