To use a credit card online you need to give the expiry date and CVV. I vaguely remember being told that the CVV in particular was to increase security and diminish C/C fraud.
But in the end, they are just another seven digits. How does this qualitatively improve C/C security?
Would I be right in thinking this is a vestige of when C/C’s were used manually? The expiry needed to be checked manually because there was no online checking. And the CVV provided another layer of security because an imprint of the face of the card from a manual machine wouldn’t record the CVV as it was on the back (and not embossed).
Is continued use of the expiry date and CVV in the electronic age just a vestige?
One thing I can think of is that the CC number remains constant when CCs are renewed, and the expiry date on a new card is predictable if you’re a crook with access only to the old one. Whereas the CVV will be unknown for a re-issued card.
Somewhat the same idea seems to be operative here with regard to health care cards. The new series of cards that expire every five years carry the same numbers as the original “permanent” ones, and the same numbers are re-used on each renewal, but there is now a “version code” that changes with every renewal. It’s an unpredictable two-letter code that is an intrinsic part of the authentication.
Anyway, the idea is simple to understand: in the absence of more sophisticated authentication schemes it is just supposed to be another means of making sure the person telephoning in an order has access to the actual card and did not just skim the magnetic stripe or read the credit card number.
ETA: I have seen electronic terminals that ask for the card number, expiry date, and CVV. The preferred method is to use a smart card in addition to just a PIN, though (much less trivial to clone).
Also the CVV is on the back of the card. If someone has a picture of the front, they don’t have enough. It’s a way to make sure someone has a physical card, not just the credit card number.
I’ve read that the magnetic stripe degrades with use over time, so having a preset expiry date allows the CC company to preemptively tackle this problem before it becomes too big an issue.
Also, the CC company gets to hawk new products to you when your card is about to expire, ones I presume to be more profitable for them.
I guess that has to be it although it seems to me to be weak. If someone has stolen the physical card they have all the details. If they have illicit access to the information by which someone has used the card, they have access to all the details.
So the only circumstance where the CVV would save the day would be where a crook has access only to the face of the card, which would be unusual these days.
As I said in the OP I suspect the reality is that this was a far more effective security measure in the days when manual credit card slips – which imprinted the face but not the reverse – were common.
Actually, I take back what I said about an EMV chip being “much less trivial to clone” if the crook has physical access to your card, like via a compromised ATM or sales terminal. I have no reason to believe that.
Some of the newer cards are actually less secure in that respect. I’m looking at my contactless MasterCard that has nothing but a cute picture on the front - nothing embossed, and the back has the printed 16 digit card number, the printed expiration date, the CVV and my signature all colocated on one side. I guess the expectation is that I’ll always use contactless and it will never leave my hand? A picture of the backside is all anyone needs to make online orders.
Actually it's just in the last 5-10 years that the CVV number has actually been asked for … I think it's because of online shopping … Chrome will save your card number and exp date but not the CVV number …
IIRC, the rule for online credit card activity is:
The merchant can ask for the CVV number when a transaction is done. But, they are FORBIDDEN to store the CVV in their database - they use it to validate the transaction and then forget it. Thus, if an online retailer is hacked, the card data without the CVV is useless for online use.
If a retailer accepts a credit card without the CVV online, then they are on the hook for any reversals. Nowadays, local merchants tend to require the PIN code too. (although why someone thought tap was a good idea, I don’t know. I’ve cut into my cards where I can to disable the tap antenna.) This brings up the cases of hidden cameras or shoulder surfing to watch the PIN being entered. (Heard about someone in Mexico on vacation, bought something then had their pocket picked and their bank account emptied. Someone watched them enter the PIN in the store first. Tiny cameras and magstripe reader inserts used to be an ATM problem, which is why a lot of ATMs have flashing lights around the card insert slot now.)
If a perp insists on stealing full credit card info including CVV in person - then after a few dozen such cases, the source of the theft can be determined. “Oh, look, all these stolen credit cards were used in Bob’s Diner.” This helps narrow down where, and based on date of use, who was on shift, etc. assuming the police or the card security people give a hoot.
I have found that the last few years, the expiry date is far less predictable than back when it was always 2 years or three years to the same month. Some new cards you can no longer make imprints, even - although in these days of cellphone cameras, that really does not matter much. It used to be thieves could do a pencil rubbing to get an impression copy of the card.
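As an added illustration of the no-storage rule described in the post above (this is not code from the thread): a Python audit that scans stored order records or log lines for retained CVV values and for Luhn-valid card numbers kept in the clear. The field names (`cvv`, `cvc`, `security_code`) and the sample lines are constructed assumptions; the card number is the widely used Visa test number.

```python
import re

# Assumed field names for the verification value; adjust to your own schema.
CVV_FIELD = re.compile(r'\b(?:cvv2?|cvc2?|security[_ ]?code)\b\W{0,4}\d{3,4}\b', re.I)
# 13-19 digits, optionally grouped with spaces or dashes.
PAN_LIKE = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_line(line: str) -> dict:
    """Report masked card numbers and whether a CVV field is present."""
    pans = []
    for m in PAN_LIKE.finditer(line):
        digits = re.sub(r'\D', '', m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Never echo the full number into the audit report itself.
            pans.append(digits[:6] + '*' * (len(digits) - 10) + digits[-4:])
    return {"pans": pans, "cvv_stored": bool(CVV_FIELD.search(line))}

def audit(lines):
    """Return (line_no, kind, masked_pans); 'CVV' findings are the rule breach."""
    findings = []
    for n, line in enumerate(lines, 1):
        r = audit_line(line)
        if r["cvv_stored"]:
            findings.append((n, "CVV", r["pans"]))
        elif r["pans"]:
            findings.append((n, "PAN", r["pans"]))
    return findings

# Constructed sample records, not real data.
SAMPLE = [
    'order=1001 card=4111111111111111 exp=12/27 cvv=123 status=approved',
    'order=1002 card=4111 1111 1111 1111 exp=12/27 status=approved',
    'order=1003 token=tok_constructed last4=1111 exp=12/27 status=approved',
    'order=1004 ref=1234567890123456 status=approved',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the first sample line breaks the rule; the second is flagged for review because it holds a full card number in the clear, and the tokenized record and the non-Luhn reference number pass.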
What’s the sanction if they do? I suppose the card provider could try to make the merchant liable if there is a hack of the merchant’s data resulting in card no.'s and CVV’s being stolen. But unless the hack was public, the bank wouldn’t know how the data was obtained by the hackers.
There are safeguards in the system for tap. The code that your card gives out is not constant, it is time based. If I grab your code and try to use it a second time, it will not work.
Many sites I’ve been to, it’s actually eleven.
2 digits for month, 2 digits for day, and four digits for year (i.e.: 01/01/2021). Then the three digit CVV.
That can’t be site specific. None of my credit cards include a day for expiration. And making every visitor type in “20” ahead of the expiration year is not an increase in security at all.
The obvious sanction for such a blatant violation of terms and conditions of use is that the merchant can no longer accept their credit card. Being an online retailer and not allowed to accept credit cards is not really a good thing.
Presumably, legally the card company can sue the merchant for any expenses - i.e. when they have to cover losses for fraud to other merchants when the stolen card info is used. I’m guessing that’s also in the terms and conditions.
Similarly, too many transaction reversals can result in the credit card company assessing a fairly hefty penalty against an online merchant; hard to argue that when you only get money into your account when the credit card company gives it to you. (Also in their terms and conditions)
Following the terms and conditions you agree to is always a prudent course of action.
The year is usually a drop down menu for the year.
And you’re right my newer charge cards don’t have a day for the expiration date. Just month and year. I wonder if they used to and I was thinking it still had a day.
The point is until maybe 5 years ago, a new expiry was predictably 2 or 3 years after the current expiry, same month. Lately I notice the renewal term is random, 2 to 4 years. This makes it also hard to guess. Presumably authentication software on the card issuer’s end detects attempts to repeatedly guess the expiry, same as attempts to guess the CVV.
Nothing is perfect, but anything that makes it harder to commit fraud reduces the rate and the card issuer’s costs.
The problem is, until the theft is discovered, a stolen or lost card can be used by the thief with no problems and no hassles. Just tap. (Yes there are limits - but I tapped for $250 at Costco the other day) At least with my Apple Watch, as soon as I take it off my wrist, the tap is useless until I put it back on and enter the security code. But I don’t enter that code in public view - I do it once when I put the watch on in the morning.
Card issuers did this because the full “insert, enter PIN, wait” cycle was getting too slow for busy merchants especially for trivial amounts. At least with credit cards, you can dispute the charges, but with debit cards it comes out of your account immediately until you can convince the bank otherwise; and debit cards come with tap enabled by default, and no way to turn it off - except to cut the antenna trace…
100% agree with you there, and to be honest my credit cards rarely come out of my pocket anymore and I probably use my debit card 8-10 times in a non-Covid year to withdraw cash and maybe 6 times a year at a merchant that doesn’t take credit. 99% of my spending outside of mortgage, taxes, cars, and insurance is on credit cards.