Two questions regarding credit card security

I’m interested in knowing a few things about security features used to make the infamously unsecure credit card system somewhat more fraudproof.

First of all, I don’t quite get the idea behind the CVV (card validation value, although different card systems use different names for it). It’s a three-digit number printed on the back of the card and nowhere else, meant to validate if the person using a card number (for online purchase, for example) has the card in possession physically. My impression is that this only works once; once you’ve used the CVV for a purchase, the card is not more secure than it would be without it: The staff of the company where you used the card now knows your CVV, so you’re not protected against fraudulent employees; and a tapper intercepting your online traffic does not only get hold of the card number but also the CVV. Where’s the additional protection here?

Secondly, I don’t understand why there are no one-time numbers used for credit card transactions, very much like the TANs used for online banking. The store would validate your TAN by contacting a server of the credit card company, and if they’re giving you an OK, the payment is confirmed. An intercepted online transaction wouldn’t do any harm because the TAN used for it is now worthless.

Any ideas?
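The one-time-number scheme asked about above, as an added example that is not part of any post in this thread. The `Issuer` class, its method names, the 6-digit TAN format and the test card number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Hypothetical card-company server that tracks unused one-time numbers."""

    def __init__(self):
        # Key for the digests below; assumed to be stored apart from the table.
        self._key = secrets.token_bytes(32)
        self._unused = {}  # card number -> set of digests of unused TANs

    def _digest(self, card, tan):
        # Bind each TAN to its card so it cannot be spent on another account.
        msg = f"{card}:{tan}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue_tans(self, card, count=5):
        """Create a TAN list for the cardholder (delivered out of band)."""
        tans = set()
        while len(tans) < count:  # loop until we have `count` distinct values
            tans.add(f"{secrets.randbelow(10**6):06d}")
        digests = {self._digest(card, t) for t in tans}
        self._unused.setdefault(card, set()).update(digests)
        return sorted(tans)

    def authorize(self, card, tan):
        """Called by the store; each TAN is approved at most once."""
        digest = self._digest(card, tan)
        unused = self._unused.get(card, set())
        if digest not in unused:
            return False  # unknown, mistyped, or already spent
        unused.remove(digest)  # consume before approving so a replay fails
        return True


def demo():
    card = "4111111111111111"  # constructed test number, not a real account
    issuer = Issuer()
    tans = issuer.issue_tans(card)
    purchase = issuer.authorize(card, tans[0])  # cardholder's own purchase
    replay = issuer.authorize(card, tans[0])    # intercepted copy, reused
    next_purchase = issuer.authorize(card, tans[1])
    return purchase, replay, next_purchase


if __name__ == "__main__":
    print(demo())
```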

I would like to throw another question into the pot too. Does it mean that anyone who managed to memorise my credit card number can just use it to buy stuff from any online shop? Why isn’t there something like a personal PIN number that is a mandatory requirement for each transaction, like, say, at an ATM?

There are single-use credit card numbers. I remember several trials. They just haven’t caught on:

I think the main reason these haven’t succeeded is that it’s more trouble for the consumer. Given the limits on liability to the consumer, it’s tough to get people to accept anti-fraud measures that change the usability of their card.

In general, authentication can be done with three different things: something you have (e.g. a card), something you know (e.g. a PIN), or something you are (e.g. a fingerprint). In a standard web-based form, the only thing you can do is provide something you know. Even if you include an additional PIN, this is just a few extra digits for the thief to remember. One-time numbers or expiring PINs as suggested by the OP do exist and do solve a lot of the problems, but people don’t use them because there’s very little incentive to do so.

If your card number is stolen after an ordinary purchase (say, someone gets the number from a restaurant receipt), the CVV was not used so the thief cannot use it to buy things online where the CVV is required. Places where you slide your card typically don’t take your CVV.

Also please note that when your card expires and you get a new one, the number can be the same and the new card expires a predictable number of years later, which a hypothetical thief (who stole your card details some time ago but hasn’t used them yet) may know, while your CVV will change.

Most online shops also want to see the house number you give them in your address match the one the credit card company has on file for you. This is why, in my opinion, showing your ID when buying with your credit card makes you less secure, because you’ve potentially given the clerk-as-thief the number they need to finish stealing your card.

In some cases, the answer could be yes if the seller is sloppy. However, in most cases, the problem for a thief is not just placing an order – he has to also receive the on-line order. So the seller will only ship to the address that is tied to the credit card. But like I said, not all sellers require this. In any case, don’t forget that you do have some protection on unauthorized credit card purchases. This might be the main reason why the general public has not clamored for a more secure system – where’s the incentive to the consumer?

Some brick-and-mortar sellers are (or at least were) sloppy also. I was the victim of fraud about 10 years ago when I found an unauthorized purchase for 600 bucks at a major department store near my house. I hadn’t even been at that mall the day the purchase occurred, and had never spent that much at that store, so I was certain the purchase was not mine. Through sheer dumb luck I found out what had probably happened: an employee at my doctor’s office (major medical center hereabouts) had been swiping patients’ credit card info, phoning in “pick-up at the store” orders, and going herself (or sending her boyfriend) to pick up the merchandise. The store (won’t name it but one that’s very well known for its customer service) had been handing over the stuff w/o any verification.

I filed a written challenge to the purchase, and it was removed from my account. Except for the confusion, easy as pie.

Aside: The sheer dumb luck was that I was on the phone trying to straighten out a billing foulup with the medical center. They said “you paid by check xxx date”. I said “no I didn’t, I have the cc bill in front of me”. Then rambled on “I happen to have it because I’m in the middle of checking into a suspicious transaction”. They said “Uh, can you tell me more about that?” and light bulbs went off - the fake purchase happened within a couple days of the doctor visit. This person had evidently made a habit of this activity, and had been arrested just a couple days earlier.

Protecting against CC fraud is all about reducing the net cost to the CC company. The short answer to the OP is (IMHO, I am not an expert in anything related to CCs) CVVs, which are only used online, reduce fraud more than the reduction in legitimate business. With one-time numbers, the loss of business outweighs the loss from the fraud.

Remember that any time the CC company attempts to validate the person, that is a secondary method of reducing fraud. Identifying the person is hard and costs the CC company a lot in lost business. What they really do to save money is validate the transaction. By examining the transactions, they detect patterns of fraud and save themselves a lot of money without pissing off the customers. Of course they usually miss the first couple of fraudulent transactions, but by catching the rest they reduce their total loss. It is all about money, not catching the bad guy. Anyone arrested for fraud is a perk. The CC companies like it, especially since it takes a possible repeat offender off the streets for a few years, but it doesn’t help the bottom line.