Credit card expiry date and CVV - what's the point?

At least in Europe, but I guess in the rest of the world too, there is an asymmetrical mathematical relation between the card number and the three digits of the CVV. It is hard to find out, but easy to verify. So the seller knows the card number you indicated is a valid one, and you did not just make it up. Or so my bank told me, they may be bluffing or lying.

With my bank, if my card is stolen and the thief uses it for tap and go transactions, I’m only liable for a relatively small amount (it might be about 200 bucks) as long as I report the card stolen as soon as I realise.

After that, the risk is on the bank. It’s a pretty sweet deal. When you consider that pre-cards, I would usually carry around at least that much in cash, it is no greater risk to me than me having a wallet full of cash stolen.

I assume the banks offer this deal because their long-term policy is to move everyone off cash and onto cards because they get commissions, and the logistics of dealing with cash all the time is a major expense for banks. They would rather that payments were all digital. Presumably they figure that the amount they pay in fraudulent tap and go transactions is worth it, as a price for achieving their long-term goals.

And similarly for the merchants. Handling cash is a PITA for them too. First, having cash registers full of money exposes them to robberies. Then at the end of each day they have to count the cash in each register and reconcile the discrepancies. Then they have to take the money to a bank each day, or the larger merchants have to hire armed courier services to schlep all that money around. Then when the banks get it, they have to count it all.

When merchants accept credit or debit cards, they have to pay a cut of each sale to the banks, but that’s still a preferable deal for them.

I’m not sure where you are but I’m in Australia and cash is dead. I have an emergency fifty in my wallet. It’s been there for about a year. A few places have started saying they simply no longer take cash. Covid helped that along but it was happening anyway.

Cash is fading out in America, and is no longer King, but it’s not dead yet. Merchants pay a cut to the banks when they take cards, so that cuts into their profits. Some merchants pass that expense on to the customer, with higher prices for card sales and lower prices for cash sales. I don’t think they’re supposed to do that.

It seems especially common at gas stations. Many stations charge more per gallon for card sales than cash sales.

Also, for more expensive purchases, the bank’s cut can be significant, and some merchants simply won’t accept plastic for large purchases. This is commonly seen at car dealerships, who often don’t take credit card or debit card payments when you buy a car. They’d prefer a check or other secured payment, and even for a check they will call the bank on the spot to verify that the check will be good.

At least seven years ago, when I last bought a used car for about $5000.

Just today (May 12, 2021) I had major maintenance done on that car, totaling a bit over $1000. I paid by credit card, and the mechanic charged me extra for that.

I used to do work for a luxury car dealer and every now and again someone would want to pay for their car with a credit card, for the points.

As you say, applying the usual straight percentage would have resulted in the merchant fee being ridiculous. But what this guy knew was that you could call the bank and say “I have a customer who wants to put through $80,000 on his credit card but I’m not going to take it based on your standard merchant fee” and then negotiate something. He said that the bank was typically so keen to get the transaction they would agree to quite a reasonable fee.

The CVV is still relevant: the primary use case is card-not-present (from the perspective of the merchant) transactions. The most common example of this is online purchases but any sort of manual entry (over the phone, broken reader, etc.) typically counts. It’s a mechanism to help verify that the instigator of the transaction is in fact in possession of the card. It’s never stored anywhere (except encrypted at the issuing bank so that it can be verified) which makes it less at risk of being hacked. It’s not on the magnetic strip or EMV chip and is never asked for with card-present (i.e. a used card reader) so actually serves no role in swiped, inserted or tapped card transactions. You need to have seen it on the physical card to know it.

So it isn’t going to prevent a thief from ordering something online if they have physical possession of your stolen card. Not knowing your ZIP code or some subset (typically the numbers) of your billing address might stop them, although that’s an obviously imperfect protection if you’ve stolen the card from someone in their home town. But the CVV is going to get in the way of ordering something online if you’ve gotten a dump of transaction data from a merchant hack or used some form of identity theft method to get access to the card number.

It’s probably best not to lump the expiry and CVV into “just another seven digits” like the card number. Their surface area and usage, etc. are different enough for them to add more value than that, although it’s certainly imperfect.

The CVV I’ve mentioned in the previous post and is different because it’s not transmitted on any card-present transaction and is never stored by any of the intermediaries. So knowing it correlates pretty closely to having physical access to the card which isn’t true of the card number or the expiry date.

The expiry date can be thought of as some additional digits that provide a bit more data crosschecking for verifying transactions. If card numbers are easier to steal than expiry dates (I don’t actually know if that’s the case) then it might help a bit. I know many years ago some issuers were still issuing card numbers sequentially (so if you knew that 612345…0001 was issued in March 2004 you could guess that …0002, etc. was too). I’m pretty sure no-one is doing that anymore.

I’m not sure about modern practices but a decade or so back the card number plus expiry date was often the “primary key” for the card in the database. I.e. it would uniquely identify the card and it was possible to have multiple cards with the same number but with different expiry dates. Actually, that must still be true, because plenty of places will reissue cards if they’re not lost or stolen with the same number.

Expiry dates are more likely useful as an obsolescence forcing function. If a card has an expiry date of April 2021 it’s never going to be usable again. That means you can phase in additional security measures or different branding, etc. without having the older less secure cards “grandfathered” in forever. More cynically, it forces customer engagement “hey, here’s a replacement for that card you’re not using very much, just a reminder that it’s here for that sweet, sweet convenience”.

I guess what prompted this thread was that (a) I use credit cards online probably more than I use them physically, and that always requires me to input my CVV and (b) I’m a bit cynical about whether websites will actually not store the CVV (whether they are supposed to or not).

I suppose what it comes down to is that they are still useful firstly for limiting fraud emanating from transactions where the card is present and secondly on the assumption that hopefully most websites handle the CVV correctly.

If they do, and they’re caught, it’s the kiss of death. They’re liable for a huge amount of loss and will never get the ability to take CC transactions again. People who code this sort of thing know what is allowed, and there are audits to make sure the rules are followed. It’s possible that a coder could make a mistake but most places don’t handle that type of data with home grown code. It’s handled through common industry packages.

I’m sure there are disreputable companies that might store that information as part of a scam, but no legit place will ever do this.

And that’s the catch. Some companies on the net are set up to collect CC information. They offer a great deal on a snazzy product and may actually deliver, only to have the information they really wanted.

To quote Daffy Duck - “It’s a great trick, but I can only do it once!”

First, to get permission to accept credit cards, the merchant has to be approved by a bank. This is AFAIK not as trivial as getting a credit card. Banks are aware that merchants can do far greater damage.

Second, when a fraud scheme appears to be happening, banks can and do run programs to check where cards were used and when. You do not want to be the merchant where the computer says “all these cards were used with this merchant, and all subsequent frauds used the valid CVV.”

The other thing I recall reading is that there is a lag between when the transactions are recorded and when the money is put in the merchant’s account. So the merchant is always waiting for a substantial portion of his income.

(First modern card fraud like this I heard of - small snack bar in downtown Toronto was caught - they had a video camera in the ceiling tiles - record the magstripe via the card reader, video people entering their PIN. Create fake bank cards by writing the magstripe on a blank card, then go empty people’s bank accounts at unattended ATMs. Obviously, it didn’t take long to find the common denominator in this sort of scam.)
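Added example, not part of the thread: a minimal sketch of the "common denominator" check described in the post above, where an issuer looks for merchants that many later-defrauded cards visited before the fraud began. The card tokens, merchant names, day numbers and the `common_points_of_purchase` function are constructed for illustration and are not any bank's actual system.

```python
from collections import defaultdict

# Constructed sample data: (card token, merchant, day number). Not real cards.
TRANSACTIONS = [
    ("c1", "grocer", 1), ("c1", "snackbar", 3), ("c1", "fuel", 5),
    ("c2", "snackbar", 2), ("c2", "grocer", 4),
    ("c3", "snackbar", 4), ("c3", "bookshop", 6),
    ("c4", "grocer", 2), ("c4", "fuel", 3),
    ("c5", "bookshop", 1), ("c5", "grocer", 5),
    ("c6", "snackbar", 9),
]
# Constructed fraud reports: card token -> day the first fraudulent use was seen.
FRAUD_FIRST_SEEN = {"c1": 8, "c2": 7, "c3": 9}


def common_points_of_purchase(transactions, fraud_first_seen, min_cards=2):
    """Rank merchants by how many later-defrauded cards used them beforehand."""
    seen = defaultdict(set)     # merchant -> every card seen there
    exposed = defaultdict(set)  # merchant -> defrauded cards seen there pre-fraud
    for card, merchant, day in transactions:
        seen[merchant].add(card)
        fraud_day = fraud_first_seen.get(card)
        # Only purchases made before the first fraud can be the point of compromise.
        if fraud_day is not None and day < fraud_day:
            exposed[merchant].add(card)
    total_fraud = len(fraud_first_seen)
    rows = []
    for merchant, cards in exposed.items():
        if len(cards) < min_cards:
            continue  # a single overlap is too weak a signal to report
        coverage = len(cards) / total_fraud          # share of fraud cases explained
        hit_rate = len(cards) / len(seen[merchant])  # share of merchant's cards gone bad
        rows.append((merchant, len(cards), round(coverage, 2), round(hit_rate, 2)))
    # Highest coverage first, then highest hit rate, then name for stable output.
    rows.sort(key=lambda r: (-r[2], -r[3], r[0]))
    return rows


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_FIRST_SEEN):
        print("merchant=%s fraud_cards=%d coverage=%.2f hit_rate=%.2f" % row)
```

A popular merchant such as the grocer here also overlaps with several fraud cases, which is why the ranking weighs coverage against the merchant's overall card volume rather than using the raw count alone.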

It used to be that the merchant agreements forbade them from charging extra for card use. Most consumer protection laws made this impossible, so now merchants can insist on extra for the card. Since card fees can range from 1.5% to 4%, you can see why some merchants don’t want to eat the cost.

First instance I saw of this was before the process was overruled - the gas station instead had “cash only” pumps as well as regular pumps, and the cash pumps had the same gas for a cheaper price. That apparently got around the merchant restrictions.

I recall a guy involved in a Science Fiction convention describing their problem with credit cards. They accepted memberships via credit card - one year they had an agreement with a local game store to use their CC setup - but some customer disputed the charges because he did not recognize the merchant’s name; when the bank found out what happened, they warned both merchant and convention not to do this, most likely because the merchant was charged a 1.5% premium and the convention over 3%.

Costco famously negotiates with card issuers for a good rate and only accepts one type of card. Oddly, it’s Mastercard in Canada and (I think) Visa in the USA. However, I’m told that Costco USA will take Canadian Costco branded Mastercard.

Whereas debit, I’m told, is a flat fee - tiered, something like 25 cents under $5.00 and 50 cents over that. Which is why merchants used to have signs posted “no debit under $5.00” because losing 25 cents on a $1.50 coffee was hardly worth it - especially before the government here stepped in and fees were around 40 cents for a $1.50 transaction.

After a Supreme Court case a few years ago, merchants are free to impose surcharges for credit card transactions. And I think merchants are also free not to accept credit cards for small transactions (like those under ten bucks).

And I believe the merchant fee varies, with rewards cards having higher fees. So I’ve also heard that some merchants might have variable pricing with lower prices for those using credit cards with low merchant fees.

But you do it once and grab a couple of hundred credit card numbers. Set up another sham company, rinse and repeat. Organized crime scammers can set people up to take the fall for them to start up the business or take over an existing business.

It’s the same problem as robbing banks - can you do it often enough to make a decent living while evading law enforcement? Every trick leaves a few more breadcrumbs for the police to track you. It might be possible in some places like eastern Europe, but I suspect that trying to do that same trick too often in the west is going to get the actors caught fairly quickly.

You have to set up and publicize a web page for a product people will want to order.

You have to get bank approval as a credit card merchant which involves a history of reliable financial behaviour.

You need to be able to deliver on the product you sell as a front, which means a decent starting capital. Also need to ship the product (from where?)

You have to find a way to convert valid CC info into money that you can get away with, untraceably.

Each of these steps can be done, but each exposes the perp to more people and gives more clues on how to find them. The bigger the fraud, the more attention it attracts from the CC security people.

On the other hand, Costco in Canada will not take an American Costco-branded Visa. I tried.

I believe this video explains all…

That would make sense if, as was said, Costco stores in Canada are Mastercard-only.

But American ones are Visa-only but took the Canadian Costco Mastercard. Only that Mastercard but any Visa. Odd…

Do you have a cite for that? Because the Costco website lists the accepted payment methods but does not mention that. (Although the costco.com site does accept Mastercard.)