Your card's security code explained

By Michael Lloyd


Consumers of a certain age will remember a time when they weren't asked for the three digits on the back of their credit or debit card (four digits on the front of an American Express card) when making a purchase online or over the phone. Now, however, the security code is a standard requirement for most card-not-present purchases.

Introduced in the UK in the mid-'90s, the three-digit security code was developed as an extra layer of protection for consumers making card-not-present transactions. Now, it's almost universally required to authorise distant or online purchases. The code goes by several names: card security code (CSC), card verification code (CVC), card verification value (CVV, or CVV2 to distinguish the printed code from the value encoded in the card's magnetic stripe).

How it works
"The card verification code was designed to prevent card-not-present fraud (usually via online purchases) by requesting customers to provide an extra verification code apart from the card's number, holder and expiry date," Liviu Arsene, senior e-threat analyst at anti-virus software firm Bitdefender, said in response to emailed questions.

When you make a purchase, the code is passed through the retailer and its payment processor to your bank along with your card number, expiry date and, usually, your billing address. Your bank recomputes the code it expects for that card and compares it with the one you typed. If it matches, the other details check out and you have sufficient funds or credit to cover the transaction, the bank authorises the payment and the result travels back to the retailer over the card network.

Under the card industry's PCI DSS rules, retailers are not allowed to keep the code once a transaction has been authorised, which means cybercriminals who break into a company's database of stored payment details should not find it there. In theory, this makes it harder for thieves to use your card, even if they've stolen other personal information. The printed code is also never read during physical "card present" purchases: the chip and the magnetic stripe carry a separate verification value, so a skimmer that copies the stripe does not capture the printed code.

Vulnerabilities of CSCs
Unfortunately, the tools available to card data thieves have matured since CSCs were invented. The code still does what it was designed to do: it is not exposed when a retailer's stored payment records are breached. However, cybercriminals can now capture it at the moment the customer types it in. For instance, keyloggers and other malware on a consumer's computer or phone can record the code along with the rest of the payment details.

Hackers also use email phishing attacks to trick consumers into entering their card details, code included, on counterfeit websites. On top of this, unscrupulous customer service employees or crooked firms can manually record full card data sets, including the code.

Data thieves typically don't use the payment details they gather themselves; instead they sell the stolen information to other criminals. Huge batches of card details are offered on dark web marketplaces, as well as on "card dump" sites on the open web, and batches that include a valid code sell at a significant premium over those that don't.

"Because CSCs are physically and irrevocably assigned to each specific card, they're just as likely to get phished," Arsene said. "The CVV code is 'attached' to the card throughout its entire lifetime, potentially allowing a cybercriminal a greater window of opportunity for fraud."

Next-generation CSC solutions
Now that cybercriminals can more easily get their hands on CSCs, the banking technology industry has been forced to rethink how the code is used.

In October 2014, Oberthur Technologies (OT) launched the first payment card integrating dynamic CVV technology. A year later, Dutch digital security firm Gemalto unveiled a Dynamic Code Verification system.

Under the new system, a miniature digital display fitted to the back of the credit or debit card shows a security code that changes every 20 minutes. Barclays announced at the end of 2016 that it is exploring similar technology for its own cards, and Gemalto has said a number of banks in Europe are considering adopting the displays.

"The algorithm allows for new and valid CVV numbers to be generated every couple of minutes or hours, significantly reducing the window of opportunity for cybercriminals if they should get their hands on a valid CSC code," Arsene said. In many ways, dynamic codes work very similarly to authentication tokens, which validate transactions for a limited period, Arsene said.

"From a security perspective, dynamic CSCs should significantly reduce the risk of online credit card fraud," Arsene said, provided the CSC code generation algorithm is not easily hackable, and that it's not easy to predict valid authentication codes for compromised credit and debit cards.
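To make the two checks concrete, here is an added Python model of both the static code described under "How it works" and the time-limited code described in this section. It is an illustration written for this article, not the Visa or Mastercard CVV algorithm (which uses DES under issuer-held "card verification keys") and not any vendor's dynamic-CVV product. It keeps the shape of those schemes: the code is a keyed function of data on the card, only the issuer holds the key, and a retailer only ever forwards the code. HMAC-SHA256 stands in for the DES-based function, the decimalisation step mirrors the classic scheme, and the sample PAN, expiry and issuer key are constructed for the example. The 20-minute window and the one-window tolerance either side are assumptions.

```python
"""
Toy model of how an issuer derives and checks a card security code.

Added illustration for this article: not the real Visa/Mastercard CVV
algorithm and not any vendor's dynamic-CVV product. HMAC-SHA256 stands
in for the DES-based function; the key, PAN and expiry are constructed.
"""
import hashlib
import hmac

# Constructed sample data: a well-known test PAN, an expiry, and an
# issuer key invented for this example (a real issuer keeps it in an HSM).
ISSUER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PAN = "4111111111111111"
EXPIRY = "1219"            # YYMM, as printed on the card
WINDOW_SECONDS = 20 * 60   # assumed: dynamic codes roll every 20 minutes


def _decimalise(digest: bytes, ndigits: int) -> str:
    """Turn a digest into a short decimal code.

    Mirrors the decimalisation step of the classic CVV scheme: keep the
    hex digits 0-9 first, then map a-f to 0-5, and take the first ndigits.
    """
    hexstr = digest.hex()
    digits = "".join(c for c in hexstr if c.isdigit())
    digits += "".join(str(int(c, 16) - 10) for c in hexstr if not c.isdigit())
    return digits[:ndigits]


def static_code(key: bytes, pan: str, expiry: str,
                service_code: str = "000", ndigits: int = 3) -> str:
    """Issuer-side derivation of the printed (CVV2-style) code.

    In the real scheme a service code of "000" is what makes the printed
    code differ from the value encoded on the magnetic stripe.
    """
    material = (pan + expiry + service_code).encode("ascii")
    return _decimalise(hmac.new(key, material, hashlib.sha256).digest(), ndigits)


def verify_static(key: bytes, pan: str, expiry: str, presented: str,
                  ndigits: int = 3) -> bool:
    """What the issuer does at authorisation time: recompute, compare in constant time."""
    expected = static_code(key, pan, expiry, ndigits=ndigits)
    return hmac.compare_digest(expected, presented)


def dynamic_code(key: bytes, pan: str, expiry: str, now: float,
                 window: int = WINDOW_SECONDS, ndigits: int = 3) -> str:
    """Time-based code like the display-card schemes: card data plus a window counter."""
    counter = int(now // window)
    material = (pan + expiry).encode("ascii") + counter.to_bytes(8, "big")
    return _decimalise(hmac.new(key, material, hashlib.sha256).digest(), ndigits)


def verify_dynamic(key: bytes, pan: str, expiry: str, presented: str, now: float,
                   window: int = WINDOW_SECONDS, drift: int = 1, ndigits: int = 3) -> bool:
    """Accept the current window plus `drift` windows either side (assumed tolerance)
    for clock skew and codes typed just before a rollover. Older codes are rejected,
    which is the whole point of the dynamic scheme."""
    for offset in range(-drift, drift + 1):
        candidate = dynamic_code(key, pan, expiry, now + offset * window, window, ndigits)
        if hmac.compare_digest(candidate, presented):
            return True
    return False


if __name__ == "__main__":
    code = static_code(ISSUER_KEY, PAN, EXPIRY)
    print("printed code:", code, "verifies:", verify_static(ISSUER_KEY, PAN, EXPIRY, code))
    t = 1_700_000_000
    dyn = dynamic_code(ISSUER_KEY, PAN, EXPIRY, t)
    print("dynamic code now:", dyn)
    print("still accepted one window later:",
          verify_dynamic(ISSUER_KEY, PAN, EXPIRY, dyn, t + WINDOW_SECONDS))
    print("accepted ten windows later:",
          verify_dynamic(ISSUER_KEY, PAN, EXPIRY, dyn, t + 10 * WINDOW_SECONDS))
```

The contrast the article draws falls out of the two verify functions: a phished static code stays valid for the life of the card because the inputs never change, whereas a phished dynamic code is only accepted within the window it was generated in (plus the assumed one-window tolerance), and an attacker without the issuer key cannot compute the next one.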

See related: What are banks doing to protect consumers from fraud?, Know your fraudster: Types of criminals and what they want from you, Protect yourself from phishing and smishing

Published: 27 January 2017