Card security code

From Wikipedia, the free encyclopedia
Jump to: navigation, search
The Card security code is located on the back of MasterCard, Visa and Discover credit or debit cards and is typically a separate group of 3 digits to the right of the signature strip.
On American Express cards, the Card security code is a printed, not embossed, group of four digits on the front towards the right.

The card security code (CSC), sometimes called Card Verification Data (CVD), Card Verification Value (CVV or CVV2), Card Verification Value Code (CVVC), Card Verification Code (CVC or CVC2), Verification Code (V-Code or V Code), or Card Code Verification (CCV)[1] are different terms for security features for credit or debit card transactions, providing increased protection against credit card fraud.

Contents

[edit] Types of codes

There are several types of security codes:

These codes should not be confused with the standard card account number appearing in embossed or printed digits. (The standard card number undergoes a separate validation algorithm called the Luhn algorithm which serves to determine whether a given card's number is appropriate.)

These codes should also not be confused with a card's PIN or passwords associated with MasterCard SecureCode or Verified by Visa. These codes are not printed or embedded in the card but are manually entered at the time of transaction.

[edit] Location of code

The CSC (the second type of code noted above) is a three- or four-digit value printed on the card or signature strip, but not encoded on the magnetic stripe.

"CVC2" (card validation code) MasterCard,
"CVV2" (card verification value) Visa,
"CID" (card identification number) Discover.
"CID" or "unique card code"

[edit] Security benefits

Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a corrupt merchant cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.

Merchants who require the CVV2 for "card not present" transactions are forbidden in the USA by Visa from storing the CVV2 once the individual transaction is authorized and completed.[3] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data.[4]

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

[edit] Limitations

[edit] Generation of card security codes

CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The values are calculated by encrypting the bank card number (also known as the primary account number or PAN), expiration date and service code with encryption keys (often called Card Verification Key or CVK) known only to the issuing bank, and decimalising the result.[6][7]

[edit] See also

[edit] References

Personal tools
Namespaces
Variants
Actions
Navigation
Interaction
Toolbox
Print/export
Languages