Why do credit cards have their number and CVC code printed on them for all to see?












86














Ever since online commerce became a reality, it was sufficient to know the credit card number, expiration date and CVC code to purchase anything online. Things are slowly changing as MFA is getting adopted by more and more banks around the world, but this wasn't the case for the majority of online stores in the past 20 years. Even before online shopping was a reality, you could still purchase items by spelling out your card's details over the phone.



So why did banks and credit card companies decide to keep printing those supposedly secret codes directly on the card itself? This way anyone can just take a picture of the card or memorise the numbers and defraud the account owner. This is especially easy for someone like a waiter, as they often remove the card out of reach for a couple of minutes as you pay your bill.




























  • 3




    @quid I hope this question will stay open, but if it is to be closed as duplicate, these are much closer: What value is the 3-digit code on the credit card? and Is it a good idea to scrape away my credit card's cvv code?
    – Ben Miller
    Dec 18 '18 at 21:19










  • This question has two false premises: (1) For nearly any online transaction that I have ever carried out (in the UK), it was not sufficient to know the credit card number, expiry date, and CVC. I also have to enter my address, and the transaction will typically fail if the one I enter does not match the billing address for the card. Even for transactions by phone, I am usually asked for the address the card is registered to. (2) I cannot recall a single time I have ever had a waiter remove my credit card out of my sight / reach. Bills are invariably paid at the table or in person at the counter.
    – JBentley
    Dec 24 '18 at 22:50








  • 1




    @JBentley these are all recent innovations. 10 years ago you could shop online without the billing address or with an incorrect billing address in most cases. Portable card terminals were likewise rare.
    – JonathanReez
    Dec 24 '18 at 23:21








  • 3




    @JBentley: "I cannot recall a single time I have ever had a waiter remove my credit card out of my sight / reach. Bills are invariably paid at the table or in person at the counter" What country are you in? Here in the US, it's the norm for the waiter to walk off with the credit card.
    – Ben Crowell
    Dec 25 '18 at 17:05










  • @BenCrowell The UK
    – JBentley
    Dec 26 '18 at 3:30
















credit-card security






asked Dec 18 '18 at 20:59









JonathanReez











6 Answers


















125














Ultimately you don't bear the fraud risk so you don't set the risk tolerance. The three digit code, the whole card number, chip and pin, chip and signature, the signature on a receipt, the info in the mag strip etc. Your bank will tell you that all of them are really secret and you should protect them but would tattoo them to your face if they could.



The name of the game is lowest possible transaction friction relative to acceptable fraud costs.



Why is the three digit number printed on the card? Because presumably you have the card in your hand when you want to use it. This 'secret' code came about to combat and/or pre-empt low level fraud primarily related to lazy mag-strip skimming and the old days when receipts were imprints of the card. This number is not part of the mag-strip data, and only meant to be a secret from the mag-strip and people who might find themselves in possession of a large number of imprint receipts (in the early days of credit cards) or a database filled with credit card numbers. It was only ever intended to offer low level proof of the presence of the card to combat instances where large amounts of account numbers were taken; it doesn't authenticate or secure transactions, it's not a checksum, it's just a number that's not in the mag-strip or imprint. Interestingly, though not surprisingly, the number is not simply random; it's derived from the primary account number cryptographically in a manner known only to the card issuer.



Why doesn't the bank try harder to protect the number? Because the bank wants you to use the card without having to remember a number.



Why is American Express's four digit 'secret' number on the front of the card, not even securely hidden away on the back? Who knows; but clearly the number is not intended to be secure to anyone who might have physical access to the card.



Why isn't the card naked but for branding with the information securely stored somewhere else? Because two places is more places and you might not use the card if you need to dig up the piece of paper that was mailed to you separately with the obviously never-intended-to-be-secure three digit code printed on it.



The bank's incentive is for you to use the card. If you don't use the card, or you use a competitor's card the bank makes no money.



If you would like to secure your payment methods better than the level the bank is comfortable with, you are free to do that. Scrape the numbers off, pull the mag strip off, whatever; though probably altering the card is a breach of your cardmember agreement. The bank doesn't do that because the bank doesn't care.

























  • 8




    This is not entirely true, for card not present transactions (i.e. everything online), it is the merchant (or more accurately their bank, but cost is passed on) that bears liability by default, so in this case the card issuing banks have little incentive to change, they can just force the merchants to either bear the cost of fraud or not do business online. The general idea that the banks want the card to be easy to use is correct though.
    – Jack
    Dec 19 '18 at 2:34








  • 4




    @quid yeah, the key point is absolutely that the banks don't want to trouble consumers, so manage costs of fraud between themselves. Large companies like Amazon can afford to make similar decisions to reduce friction in checkout as well (and choose to absorb costs of fraud). The whole system is built around cost/benefit rather than perfect security.
    – Jack
    Dec 19 '18 at 2:55






  • 3




    Jack is correct. As a (former) merchant, the liability is actually on the merchant, not the bank. Which is screwed up IMO. (Not actual scenario) I perform a service and the guy presents a credit card to me with a forged ID that matches the name. Chargeback from legit CC holder and bank pulls that money right out of the merchant account. The merchant is left holding an empty bag, while the bank and the fraudster profit. Not exactly the same as product fraud but still bites when 5k gets deducted from your merchant account. I know about shift 2015-Oct-01 as well... got worse for merchants.
    – enorl76
    Dec 19 '18 at 4:11






  • 2




    @Mindwin As I read your reference, a neodymium magnet did the job the best. Haven't heard of one killing anyone, though.
    – Rogem
    Dec 19 '18 at 20:15






  • 1




    This answer is only useful for USA. In other countries one can easily lose money with a stolen card. Notably, for many types of transactions the bank will not have to cover transactions made before you reported it missing. And many banks offer additional paid insurances for their cards.
    – Vladimir F
    Dec 20 '18 at 7:53



















50














The purpose of the security code is not a secret PIN. The purpose is to "prove" that you have the physical card in your possession at the time of purchase. It is only used when the merchant cannot confirm that you have the physical card in your possession. It is used when purchasing something from a website, but it is also used at a physical store when the card cannot be scanned and the number has to be typed in manually.



The reason it is printed on the card is that someone other than you might need to read it. If you hand it to a cashier and they are unable to scan the card for some reason and must type in the number, they can flip over the card and type in the security code, proving to the computer that they have the card in their possession. It was never meant to be memorized, and if card users do memorize the code, it loses its effectiveness as a proof of physical card possession.



You can argue that having the code printed on the card makes the card less secure, and some have suggested scraping the code off the card after you memorize it, but that really only would prevent a specific type of credit card fraud that is not as common as other methods of fraud.



In the absence of a true PIN, it is becoming increasingly common to use the billing zip code as another validation, as it is a number that the card owner already has memorized and is not printed on the card.

























  • 11




    @owjburnham IMO that aspect shouldn't be internationalised as this pseudo-pin is a peculiarly American thing. The way the billing address is used in other countries is rather different
    – Chris H
    Dec 19 '18 at 10:00








  • 2




    @owjburnham a gas station is never going to ask you to enter your whole address
    – Stephen S
    Dec 19 '18 at 13:19






  • 2




    @Toby Smith: Re "...make you open their app and accept the transaction with your fingerprint", that's got so many problems I don't know where to begin. First, I'd have to a) have a phone that would run their app; b) have the phone with me; c) in a place that has cell service is going to count me out. Then of course any entity (other than law enforcement) that wants my fingerprints is not one I'll do business with.
    – jamesqf
    Dec 19 '18 at 17:50






  • 2




    @jamesqf It's an opt-in system. If you don't want it then you don't have to. Personally, I am never out of signal range and always have my phone. That's also a common misconception, the fingerprint data stays way the OS of the phone and isn't shared with the app/bank.
    – Toby Smith
    Dec 19 '18 at 17:58






  • 4




    @Toby Smith: Re "the fingerprint data stays way the OS of the phone", SURE it does. Are you by any chance in the market for a nice bridge?
    – jamesqf
    Dec 20 '18 at 5:08



















16














The main purpose of the security code is to prevent hacked card information from being reused. The main way that this is accomplished is by requiring that payment processors do not store this code:

Merchants, service providers, and other entities involved with
payment card processing must never store sensitive authentication data
after authorization. This includes the 3- or 4- digit security code
printed on the front or back of a card, the data stored on a card’s
magnetic stripe or chip (also called “Full Track Data”) – and personal
identification numbers (PIN) entered by the cardholder. This chapter
presents the objectives of PCI DSS and related 12 requirements.

Source - slide 11
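
An added example (not part of the answer above and not taken from PCI DSS): a Python audit of stored order records for the data the quoted rule says must not be kept after authorization, namely the security code, full track data and the PIN. The key-name list, the record layout and all sample values are constructed assumptions; the two track patterns follow the standard magnetic-stripe layouts.

```python
import re

# Field names that usually hold sensitive authentication data.
# This list is an assumption for the example; extend it for your own schema.
SAD_KEYS = re.compile(
    r"^(cvv2?|cvc2?|cid|csc|security_?code|pin|pin_?block|track_?[12](_data)?)$",
    re.IGNORECASE,
)

# Standard magnetic-stripe layouts:
#   track 1: %B<PAN>^<name>^<YYMM>...?      track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";\d{12,19}=\d{4}[^?]*\?")
REDACTED = "[track data removed]"


def find_sad(record, path=""):
    """Walk nested dicts/lists and return (path, reason) for each retained item."""
    findings = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else key
            if SAD_KEYS.match(key) and value not in (None, ""):
                findings.append((here, "sensitive key"))
            else:
                findings.extend(find_sad(value, here))
    elif isinstance(record, list):
        for i, item in enumerate(record):
            findings.extend(find_sad(item, f"{path}[{i}]"))
    elif isinstance(record, str):
        # Track data can hide in free-text or debug fields under any key name.
        if TRACK1.search(record) or TRACK2.search(record):
            findings.append((path, "track data in value"))
    return findings


def scrub(record):
    """Return a copy with populated sensitive fields dropped and track data redacted."""
    if isinstance(record, dict):
        return {
            k: scrub(v)
            for k, v in record.items()
            if not (SAD_KEYS.match(k) and v not in (None, ""))
        }
    if isinstance(record, list):
        return [scrub(v) for v in record]
    if isinstance(record, str):
        return TRACK2.sub(REDACTED, TRACK1.sub(REDACTED, record))
    return record


# Constructed sample of what a merchant database might hold after authorization.
# 4111111111111111 is a widely published test number, not a real account.
STORED_ORDERS = [
    {"order": "A-1001", "card": {"pan_last4": "1111", "expiry": "12/25"}},
    {"order": "A-1002", "card": {"pan_last4": "1111", "expiry": "12/25", "cvv": "123"}},
    {"order": "A-1003", "debug": {"raw_swipe": ";4111111111111111=25121010000000000000?"}},
    {"order": "A-1004", "payments": [{"CVC2": "4567", "pin": ""}]},
]

if __name__ == "__main__":
    for where, why in find_sad(STORED_ORDERS):
        print(f"{where}: {why}")
    print("after scrub:", find_sad(scrub(STORED_ORDERS)))
```
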




































    11














    You are asking why the card number and the security code are printed on the card. In both cases, let's review a bit of history:



    The card number



    The card number (called PAN in the industry) is just an identifier, it has no reason to be secret. It is needed for any transaction, so that a charge can be... charged back to the relevant account, whether:




    • at a physical point of sale (POS), using the old "imprinter" method (not sure if that's still in use anywhere). That's the reason the number is actually embossed, not just printed (along with the other details required for the transaction: expiry date, name of cardholder).






    • at a point of sale, using a POS terminal ("credit card machine"), which either reads the magnetic stripe or the chip of the card, which both provide the PAN and the rest of the data without any authentication or encryption.


    • by phone or paper (what is known as "MOTO" in the industry: mail order / telephone order), when you just read the details over the phone or write them on the order form.


    • on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?



    The PAN has never been considered a secret. It's just an account number, exactly like your account number appears on paper cheques, to know what account the money should be taken from.



    Some people think the key (the last digit) is a (poor) security feature, while it's actually only used to protect against input errors (digit changed, digits swapped...).



    Nowadays, people start to think that a PAN should be secret, and this has led to the introduction of "tokenisation": instead of sending the actual card number, another card number is sent instead, which is either limited to a specific channel (and possibly device), or even to a single transaction.



    This is the case for instance for Apple Pay: when you register your card with its real PAN, the bank sends back a token ("fake" PAN) which is used instead, and can only be used for payments made with Apple Pay on that device. If ever someone intercepted that PAN, they wouldn't be able to do anything with it: it won't be accepted to add a card to Apple Pay, won't be accepted in store, online, over the phone, or anywhere else.



    Is that really useful? In a perfect world where all transactions are authenticated by other means, it really shouldn't matter, a PAN by itself should be useless. In practice, as there are channels that allow the use of pretty insecure authentication methods, that's an additional line of defence.



    Note that the need for tokenisation is probably slightly more important with the introduction of contactless: you can read the PAN of any contactless card without even touching it, it's just a matter of getting close enough.



    The security code



    The security code printed on the back of the card (or on the front, for American Express cards) was not originally present. It was added to avoid the following fraud scenarios:




    • a credit card receipt with the full card number (and name and expiry) was discarded and collected by someone else (this was especially true when imprinters were in use, but was also true before the card networks finally decided it was forbidden to print the full PAN on the customer receipt).


    • a card is "swiped" to record the contents of the magnetic stripe (which contains the PAN, expiry, cardholder name, and more...). This allowed people who had physical access to cards (waiters, cashiers...) to record large numbers of cards pretty quickly without being noticed.



    To counter this, this new code was added, which is not on the receipt (as it's not embossed), and is not on the magnetic track either.



    This code is required only for MOTO and online purchases, where you cannot see if the user actually has the card (a so-called "card not present" transaction), and you want to be a bit more sure that the user has the card.



    This is indeed quite easy to circumvent: you just need to either make a full copy of the card (both sides) or make a note of all the data. But in many of the scenarios above, that made it just a bit more difficult for a dishonest user to do it without being noticed.



    (The introduction of hand-held terminals also helps a lot, as a user can keep his eyes -- and hands -- on the card at all times, but especially in restaurants in the US, this is not yet standard practice).



    The security code also helps in the case a site stores your credit card data, and someone manages to get access to it: in theory, no-one is allowed to store the security code, so a hacker would only get the PAN and expiry, and would not be able to use it again, but, in practice, way too many people still store the security code. The industry is chasing after those (it's one of the aspects of the PCI DSS initiative), but there's still a long way to go.



    The real protection comes from new authentication measures (3D Secure) that allow another mode of verification beyond just that data. Depending on the bank (or even the card), they could involve:




    • a password

    • a one-time password (OTP) sent via SMS or other means

    • biometric authentication (fingerprint, face recognition, iris scan...)

    • actually talking to the chip on the card by use of the card reader connected to your computer (I'm not sure this has actually been deployed anywhere)
      ...


    Note that the security code is used only for online/MOTO transactions ("card not present" transactions). Card present transactions will either use:




    • another security code which is on the magnetic stripe (though this is easy to copy)

    • communication with the chip (on cards that have one) so that the card authenticates itself.

























    • 2




      PCI requires vendors to treat the PAN as secret
      – Brian Knoblauch
      Dec 19 '18 at 18:09










    • Re American Express: I have such a card with a 15 digit PAN (so where's the checknum?). On the front of the card appears a four digit number and on the back of the card on a stripe appears the card number with a three digit number. I have always assumed that the three digit number on the back is the CVC number.
      – No'am Newman
      Dec 20 '18 at 7:27










    • "on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?" You just do the same as with any password, memorize it and/or store it in an encrypted storage. It is particularly easy to memorize the three digits in CVC but I remember everything on my card to be able to pay quickly.
      – Vladimir F
      Dec 20 '18 at 7:38












    • @No’amNewman the last digit is always the check digit, whether the PAN has 15, 16 or 19 digits. The Amex security code was originally the 4 digits on the front. I know they relatively recently added 3 digits on the back in addition, never used those, not sure if they work. If they do, it’s probably to reduce issues with people used to them being there (and sites which did not make a difference in their instructions).
      – jcaron
      Dec 20 '18 at 7:39






    • 1




      @jcaron Please do not burn a strawman. This whole page is about a three digit number.
      – Vladimir F
      Dec 20 '18 at 8:06
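
An added example (not part of the answer or comments above): the last-digit "key" discussed in this answer and its comments is the Luhn check digit, shown here in Python to make the point that it catches input errors and protects nothing. The two card numbers are widely published test numbers and `CONSTRUCTED_PAN` is built for this example; none is a real account.

```python
def luhn_check_digit(partial: str) -> int:
    """Check digit for a PAN, given every digit except the last one."""
    total = 0
    # Walk right to left; the digit nearest the check digit is doubled,
    # then every second digit after it. A doubled value above 9 has 9 subtracted.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def with_check(partial: str) -> str:
    """Append the check digit. Needs no key: anyone can compute it."""
    return partial + str(luhn_check_digit(partial))


def luhn_valid(pan: str) -> bool:
    """Works for any length (15, 16 or 19 digits): the last digit is the check."""
    return pan.isdigit() and len(pan) >= 2 and with_check(pan[:-1]) == pan


def undetected_single_digit_errors(pan: str) -> int:
    """Count one-digit typos that would still pass the check."""
    misses = 0
    for i, ch in enumerate(pan):
        for r in "0123456789":
            if r != ch and luhn_valid(pan[:i] + r + pan[i + 1:]):
                misses += 1
    return misses


def undetected_adjacent_swaps(pan: str):
    """List (position, original pair) where swapping two neighbours still passes."""
    hits = []
    for i in range(len(pan) - 1):
        a, b = pan[i], pan[i + 1]
        if a != b and luhn_valid(pan[:i] + b + a + pan[i + 2:]):
            hits.append((i, a + b))
    return hits


# Constructed 16-digit number containing the pair "90" twice.
CONSTRUCTED_PAN = with_check("490123456789012")

if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))   # 16-digit test number
    print(luhn_valid("378282246310005"))    # 15-digit test number
    print(undetected_single_digit_errors(CONSTRUCTED_PAN))
    print(undetected_adjacent_swaps(CONSTRUCTED_PAN))
```

Every single mistyped digit is caught, and so is every swap of neighbouring digits except 0 with 9, which is the one transposition this scheme cannot see.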



















    0














    Simple, the intention behind the credit system is to utilize trust between the exchange of different parties in a timely manner. However, the cyber world is far from bullet proof. Most exploits are usually within the design themselves and not anything else. My advice to anybody looking into getting somewhere in life using computers, stick to marketable skills like screen & logic board repairs instead of cyber theft. There is much more opportunity in showing the world what takes time to understand, i.e. electrical engineering, instead of harassing others by taking from them (credit card theft). It seems like cybersecurity in the future will rely on thinking machines handling repetitive decisions, from there the people can decide which direction is more beneficial in the long run.














    David Smith is a new contributor to this site.


























      0














      There was previously a "Verified by Visa" system where the Visa credit card had a password that the consumer kept. The password wasn't on the card. The "Verified by Visa" system was used on internet transactions. Merchants had the option of offering the system.














      S Spring is a new contributor to this site.



























        125














        Ultimately you don't bear the fraud risk so you don't set the risk tolerance. The three digit code, the whole card number, chip and pin, chip and signature, the signature on a receipt, the info in the mag strip etc. Your bank will tell you that all of them are really secret and you should protect them but would tattoo them to your face if they could.



        The name of the game is lowest possible transaction friction relative to acceptable fraud costs.



        Why is the three digit number printed on the card? Because presumably you have the card in your hand when you want to use it. This 'secret' code came about to combat and/or pre-empt low level fraud primarily related to lazy mag-strip skimming and the old days when receipts were imprints of the card. This number is not part of the mag-strip data, and only meant to be a secret from the mag-strip and people who might find themselves in possession of a large number of imprint receipts (in the early days of credit cards) or a database filled with credit card numbers. It was only ever intended to offer low level proof of the presence of the card to combat instances where large amounts of account numbers were taken; it doesn't authenticate or secure transactions, it's not a checksum, it's just a number that's not in the mag-strip or imprint. Interestingly, though not surprisingly, the number is not simply random; it's derived from the primary account number cryptographically in a manner known only to the card issuer.



        Why doesn't the bank try harder to protect the number? Because the bank wants you to use the card without having to remember a number.



        Why is American Express's four digit 'secret' number on the front of the card, not even securely hidden away on the back? Who knows; but clearly the number is not intended to be secure to anyone who might have physical access to the card.



        Why isn't the card naked but for branding with the information securely stored somewhere else? Because two places is more places and you might not use the card if you need to dig up the piece of paper that was mailed to you separately with the obviously never-intended-to-be-secure three digit code printed on it.



        The bank's incentive is for you to use the card. If you don't use the card, or you use a competitor's card the bank makes no money.



        If you would like to secure your payment methods better than the level the bank is comfortable with, you are free to do that. Scrape the numbers off, pull the mag strip off, whatever; though probably altering the card is a breach of your cardmember agreement. The bank doesn't do that because the bank doesn't care.

























        • 8




          This is not entirely true, for card not present transactions (i.e. everything online), it is the merchant (or more accurately their bank, but cost is passed on) that bears liability by default, so in this case the card issuing banks have little incentive to change, they can just force the merchants to either bear the cost of fraud or not do business online. The general idea that the banks want the card to be easy to use is correct though.
          – Jack
          Dec 19 '18 at 2:34








        • 4




          @quid yeah, the key point is absolutely that the banks don't want to trouble consumers, so manage costs of fraud between themselves. Large companies like Amazon can afford to make similar decisions to reduce friction in checkout as well (and choose to absorb costs of fraud). The whole system is built around cost/benefit rather than perfect security.
          – Jack
          Dec 19 '18 at 2:55






        • 3




          Jack is correct. As a (former) merchant, the liability is actually on the merchant, not the bank. Which is screwed up IMO. (Not actual scenario) I perform a service and the guy presents a credit card to me with a forged ID that matches the name. Chargeback from legit CC holder and bank pulls that money right out of the merchant account. The merchant is left holding an empty bag, while the bank and the fraudster profit. Not exactly the same as product fraud but still bites when 5k gets deducted from your merchant account. I know about shift 2015-Oct-01 as well... got worse for merchants.
          – enorl76
          Dec 19 '18 at 4:11






        • 2




          @Mindwin As I read your reference, a neodymium magnet did the job the best. Haven't heard of one killing anyone, though.
          – Rogem
          Dec 19 '18 at 20:15






        • 1




          This answer is only useful for USA. In other countries one can easily lose money with a stolen card. Notably, for many types of transactions the bank will not have to cover transactions made before you reported it missing. And many banks offer additional paid insurances for their cards.
          – Vladimir F
          Dec 20 '18 at 7:53
























        edited Dec 26 '18 at 15:21

























        answered Dec 18 '18 at 21:52









        quid






















        50














        The purpose of the security code is not a secret PIN. The purpose is to "prove" that you have the physical card in your possession at the time of purchase. It is only used when the merchant cannot confirm that you have the physical card in your possession. It is used when purchasing something from a website, but it is also used at a physical store when the card cannot be scanned and the number has to be typed in manually.



        The reason it is printed on the card is that someone other than you might need to read it. If you hand it to a cashier and they are unable to scan the card for some reason and must type in the number, they can flip over the card and type in the security code, proving to the computer that they have the card in their possession. It was never meant to be memorized, and if card users do memorize the code, it loses its effectiveness as a proof of physical card possession.



        You can argue that having the code printed on the card makes the card less secure, and some have suggested scraping the code off the card after you memorize it, but that really only would prevent a specific type of credit card fraud that is not as common as other methods of fraud.



        In the absence of a true PIN, it is becoming increasingly common to use the billing zip code as another validation, as it is a number that the card owner already has memorized and is not printed on the card.

























        • 11




          @owjburnham IMO that aspect shouldn't be internationalised as this pseudo-pin is a peculiarly American thing. The way the billing address is used in other countries is rather different
          – Chris H
          Dec 19 '18 at 10:00








        • 2




          @owjburnham a gas station is never going to ask you to enter your whole address
          – Stephen S
          Dec 19 '18 at 13:19






        • 2




          @Toby Smith: Re "...make you open their app and accept the transaction with your fingerprint", that's got so many problems I don't know where to begin. First, I'd have to a) have a phone that would run their app; b) have the phone with me; c) in a place that has cell service is going to count me out. Then of course any entity (other than law enforcement) that wants my fingerprints is not one I'll do business with.
          – jamesqf
          Dec 19 '18 at 17:50






        • 2




          @jamesqf It's an opt-in system. If you don't want it then you don't have to. Personally, I am never out of signal range and always have my phone. That's also a common misconception, the fingerprint data stays way the OS of the phone and isn't shared with the app/bank.
          – Toby Smith
          Dec 19 '18 at 17:58






        • 4




          @Toby Smith: Re "the fingerprint data stays way the OS of the phone", SURE it does. Are you by any chance in the market for a nice bridge?
          – jamesqf
          Dec 20 '18 at 5:08
















        50














        The purpose of the security code is not a secret PIN. The purpose is to "prove" that you have the physical card in your possession at the time of purchase. It is only used when the merchant cannot confirm that you have the physical card in your possession. It is used when purchasing something from a website, but it is also used at a physical store when the card cannot be scanned and the number has to be typed in manually.



        The reason it is printed on the card is that someone other than you might need to read it. If you hand it to a cashier and they are unable to scan the card for some reason and must type in the number, they can flip over the card and type in the security code, proving to the computer that they have the card in their possession. It was never meant to be memorized, and if card users do memorize the code, it loses its effectiveness as a proof of physical card possession.



        You can argue that having the code printed on the card makes the card less secure, and some have suggested scraping the code off the card after you memorize it, but that really only would prevent a specific type of credit card fraud that is not as common as other methods of fraud.



        In the absence of a true PIN, it is becoming increasingly common to use the billing zip code as another validation, as it is a number that the card owner already has memorized and is not printed on the card.






        share|improve this answer



















        • 11




          @owjburnham IMO that aspect shouldn't be internationalised as this pseudo-pin is a peculiarly American thing. The way the billing address is used in other countries is rather different
          – Chris H
          Dec 19 '18 at 10:00








        • 2




          @owjburnham a gas station is never going to ask you to enter your whole address
          – Stephen S
          Dec 19 '18 at 13:19






        • 2




          @Toby Smith: Re "...make you open their app and accept the transaction with your fingerprint", that's got so many problems I don't know where to begin. First, I'd have to a) have a phone that would run their app; b) have the phone with me; c) in a place that has cell service is going to count me out. Then of course any entity (other than law enforcement) that wants my fingerprints is not one I'll do business with.
          – jamesqf
          Dec 19 '18 at 17:50






        • 2




          @jamesqf It's an opt-in system. If you don't want it then you don't have to. Personally, I am never out of signal range and always have my phone. That's also a common misconception, the fingerprint data stays way the OS of the phone and isn't shared with the app/bank.
          – Toby Smith
          Dec 19 '18 at 17:58






        • 4




          @Toby Smith: Re "the fingerprint data stays way the OS of the phone", SURE it does. Are you by any chance in the market for a nice bridge?
          – jamesqf
          Dec 20 '18 at 5:08






















        edited Dec 18 '18 at 21:21

























        answered Dec 18 '18 at 21:14









        Ben Miller












        16














        The main purpose of the security code is to prevent hacked card information from being reused. The main way that this is accomplished is by requiring that payment processors do not store this code:

        Merchants, service providers, and other entities involved with
        payment card processing must never store sensitive authentication data
        after authorization. This includes the 3- or 4- digit security code
        printed on the front or back of a card, the data stored on a card’s
        magnetic stripe or chip (also called “Full Track Data”) – and personal
        identification numbers (PIN) entered by the cardholder. This chapter
        presents the objectives of PCI DSS and related 12 requirements.

        Source - slide 11

















            answered Dec 19 '18 at 7:05









            BobtheMagicMoose
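
An added sketch (not from the answer above or from the quoted PCI material) of enforcing the quoted rule at the point where a merchant persists a transaction: it finds the three kinds of sensitive authentication data the quote lists and strips them before storage. The field names, the sample record and the first-six/last-four PAN truncation are assumptions of this example; the track layouts follow ISO/IEC 7813.

```python
import re

# Field names assumed to carry sensitive authentication data (SAD).
# They are hypothetical names for this example, not a standard schema.
SAD_KEYS = {"cvv", "cvc", "cvv2", "cvc2", "cid", "security_code",
            "pin", "pin_block", "track1", "track2", "track_data"}

# Magnetic-stripe layouts (ISO/IEC 7813):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}\d{3}\d*\?")


def mask_pan(pan):
    """Truncate a PAN to first six + last four digits; mask short input fully."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_sad(record, path=""):
    """Walk a nested dict/list/str and return [(path, reason), ...] for SAD."""
    findings = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower() in SAD_KEYS and value not in (None, ""):
                findings.append((here, "sad_field"))
            else:
                findings.extend(find_sad(value, here))
    elif isinstance(record, (list, tuple)):
        for i, item in enumerate(record):
            findings.extend(find_sad(item, f"{path}[{i}]"))
    elif isinstance(record, str):
        # Free text (debug logs, notes) is where raw track data tends to leak.
        if TRACK1_RE.search(record):
            findings.append((path, "track1_data"))
        if TRACK2_RE.search(record):
            findings.append((path, "track2_data"))
    return findings


def scrub_for_storage(record):
    """Return a copy fit to persist after authorization; input is not modified."""
    if isinstance(record, dict):
        clean = {}
        for key, value in record.items():
            name = str(key).lower()
            if name in SAD_KEYS:
                continue                      # never stored, not even encrypted
            if name == "pan" and isinstance(value, str):
                clean[key] = mask_pan(value)
            else:
                clean[key] = scrub_for_storage(value)
        return clean
    if isinstance(record, (list, tuple)):
        return [scrub_for_storage(item) for item in record]
    if isinstance(record, str):
        text = TRACK1_RE.sub("[track1 removed]", record)
        return TRACK2_RE.sub("[track2 removed]", text)
    return record


# Constructed sample: a test PAN, a made-up name and made-up stripe contents.
SAMPLE_AUTH_REQUEST = {
    "order_id": "A-1001",
    "card": {"pan": "4111111111111111", "expiry": "2512", "cvv": "123"},
    "debug_log": [
        "swipe raw=%B4111111111111111^DOE/JANE^25121010000000000?",
        "fallback ;4111111111111111=25121010000000000?",
    ],
    "auth_code": "OK1234",
}

if __name__ == "__main__":
    for where, why in find_sad(SAMPLE_AUTH_REQUEST):
        print("before storage:", where, why)
    stored = scrub_for_storage(SAMPLE_AUTH_REQUEST)
    print("stored record:", stored)
    print("findings after scrub:", find_sad(stored))
```

Running `find_sad` as a gate in the persistence layer or over log output catches the case the answers describe, where the security code is stored despite the rule.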
























                11














                You are asking why the card number and the security code are printed on the card. In both cases, let's review a bit of history:



                The card number



                The card number (called PAN in the industry) is just an identifier, it has no reason to be secret. It is needed for any transaction, so that a charge can be... charged back to the relevant account, whether:




                • at a physical point of sale (POS), using the old "imprinter" method (not sure if that's still in use anywhere). That's the reason the number is actually embossed, not just printed (along with the other details required for the transaction: expiry date, name of cardholder).






                • at a point of sale, using a POS terminal ("credit card machine"), which either reads the magnetic stripe or the chip of the card, which both provide the PAN and the rest of the data without any authentication or encryption.


                • by phone or paper (what is known as "MOTO" in the industry: mail order / telephone order), when you just read the details over the phone or write them on the order form.


                • on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?



                The PAN has never been considered a secret. It's just an account number, exactly like your account number appears on paper cheques, to know what account the money should be taken from.



                Some people think the key (the last digit) is a (poor) security feature, while it's actually only used to protect against input errors (digit changed, digits swapped...).



                Nowadays, people start to think that a PAN should be secret, and this has led to the introduction of "tokenisation": instead of sending the actual card number, another card number is sent instead, which is either limited to a specific channel (and possibly device), or even to a single transaction.



                This is the case for instance for Apple Pay: when you register your card with its real PAN, the bank sends back a token ("fake" PAN) which is used instead, and can only be used for payments made with Apple Pay on that device. If ever someone intercepted that PAN, they wouldn't be able to do anything with it: it won't be accepted to add a card to Apple Pay, won't be accepted in store, online, over the phone, or anywhere else.



                Is that really useful? In a perfect world where all transactions are authenticated by other means, it really shouldn't matter, a PAN by itself should be useless. In practice, as there are channels that allow the use of pretty insecure authentication methods, that's an additional line of defence.



                Note that the need for tokenisation is probably slightly more important with the introduction of contactless: you can read the PAN of any contactless card without even touching it, it's just a matter of getting close enough.



                The security code



                The security code printed on the back of the card (or on the front, for American Express cards) was not originally present. It was added to avoid the following fraud scenarios:




                • a credit card receipt with the full card number (and name and expiry) was discarded and collected by someone else (this was especially true when imprinters were in use, but was also true before the card networks finally decided it was forbidden to print the full PAN on the customer receipt).


                • a card is "swiped" to record the contents of the magnetic stripe (which contains the PAN, expiry, cardholder name, and more...). This allowed people who had physical access to cards (waiters, cashiers...) to record large numbers of cards pretty quickly without being noticed.



                To counter this, this new code was added, which is not on the receipt (as it's not embossed), and is not on the magnetic track either.



                This code is required only for MOTO and online purchases, where you cannot see if the user actually has the card (a so-called "card not present" transaction), and you want to be a bit more sure that the user has the card.



                This is indeed quite easy to circumvent: you just need to either make a full copy of the card (both sides) or make a note of all the data. But in many of the scenarios above, that made it just a bit more difficult for a dishonest user to do it without being noticed.



                (The introduction of hand-held terminals also helps a lot, as a user can keep his eyes -- and hands -- on the card at all times, but especially in restaurants in the US, this is not yet standard practice).



                The security code also helps in the case a site stores your credit card data, and someone manages to get access to it: in theory, no-one is allowed to store the security code, so a hacker would only get the PAN and expiry, and would not be able to use it again, but, in practice, way too many people still store the security code. The industry is chasing after those (it's one of the aspects of the PCI DSS initiative), but there's still a long way to go.



                The real protection comes from new authentication measures (3D Secure) that allow another mode of verification beyond just that data. Depending on the bank (or even the card), they could involve:




                • a password

                • a one-time password (OTP) sent via SMS or other means

                • biometric authentication (fingerprint, face recognition, iris scan...)

                • actually talking to the chip on the card by use of the card reader connected to your computer (I'm not sure this has actually been deployed anywhere)
                  ...


                Note that the security code is used only for online/MOTO transactions ("card not present" transactions). Card present transactions will either use:




                • another security code which is on the magnetic stripe (though this is easy to copy)

                • communication with the chip (on cards that have one) so that the card authenticates itself.

























                • 2




                  PCI requires vendors to treat the PAN as secret
                  – Brian Knoblauch
                  Dec 19 '18 at 18:09










                • Re American Express: I have such a card with a 15 digit PAN (so where's the checknum?). On the front of the card appears a four digit number and on the back of the card on a stripe appears the card number with a three digit number. I have always assumed that the three digit number on the back is the CVC number.
                  – No'am Newman
                  Dec 20 '18 at 7:27










                • "on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?" You just do the same as with any password, memorize it and/or store it in an encrypted storage. It is particularly easy to memorize the three digits in CVC but I remember everything on my card to be able to pay quickly.
                  – Vladimir F
                  Dec 20 '18 at 7:38












                • @No’amNewman the last digit is always the check digit, whether the PAN has 15, 16 or 19 digits. The Amex security code was originally the 4 digits on the front. I know they relatively recently added 3 digits on the back in addition, never used those, not sure if they work. If they do, it’s probably to reduce issues with people used to them being there (and sites which did not make a difference in their instructions).
                  – jcaron
                  Dec 20 '18 at 7:39






                • 1




                  @jcaron Please do not burn a strawman. This whole page is about a three digit number.
                  – Vladimir F
                  Dec 20 '18 at 8:06
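
An added example, not part of the answer or comments above: the last-digit "key" on payment cards is the Luhn check digit (the page does not name the algorithm). The code checks exhaustively which typing errors it catches and shows that anyone can compute it, which is why it is no security feature. The two PANs are test values, not real accounts, and the function names are this example's own.

```python
"""Luhn check digit: catches typing errors, authenticates nothing."""

DIGITS = "0123456789"

# Test values only: a 16-digit and a 15-digit PAN (the last digit is the
# check digit in both, whatever the length).
TEST_PANS = ["4111111111111111", "378282246310005"]


def luhn_checksum(number):
    """Luhn sum mod 10 over all digits, check digit included; 0 means valid."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10


def is_valid(pan):
    return pan.isdigit() and luhn_checksum(pan) == 0


def check_digit(body):
    """Check digit for a PAN body (all digits except the last)."""
    return str((10 - luhn_checksum(body + "0")) % 10)


def undetected_single_digit_errors(pan):
    """Every way of mistyping exactly one digit that still validates."""
    missed = []
    for i, original in enumerate(pan):
        for d in DIGITS:
            if d != original and is_valid(pan[:i] + d + pan[i + 1:]):
                missed.append((i, d))
    return missed


def undetected_adjacent_swaps():
    """Digit pairs (a, b) whose transposition ab -> ba goes unnoticed."""
    missed = []
    for a in DIGITS:
        for b in DIGITS:
            if a == b:
                continue
            body = "400000" + a + b + "1234567"      # constructed 15-digit body
            check = check_digit(body)
            swapped = "400000" + b + a + "1234567" + check
            if is_valid(swapped):
                missed.append((a, b))
    return missed


def valid_completions(body):
    """All last digits that make the body validate: always exactly one."""
    return [d for d in DIGITS if is_valid(body + d)]


if __name__ == "__main__":
    for pan in TEST_PANS:
        print(pan, "valid:", is_valid(pan),
              "| single-digit typos missed:", undetected_single_digit_errors(pan))
    print("adjacent swaps missed:", undetected_adjacent_swaps())
    # No secret is involved: the digit follows from the other digits alone.
    print("check digit for 411111111111111:", check_digit("411111111111111"))
```

Every single-digit typo is caught and only the 09/90 swap slips through; since the digit is a public function of the rest of the number, it protects data entry and nothing else.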
















                11














                You are asking why the card number and the security code are printed on the card. In both cases, let's review a bit of history:



                The card number



                The card number (called PAN in the industry) is just an identifier, it has no reason to be secret. It is needed for any transaction, so that a charge can be... charged back to the relevant account, whether:




                • at a physical point of sale (POS), using the old "imprinter" method (not sure if that's still in use anywhere). That's the reason the number is actually embossed, not just printed (along with the other details required for the transaction: expiry date, name of cardholder).


                enter image description here




                • at a point of sale, using a POS terminal ("credit card machine"), which either reads the magnetic stripe or the chip of the card, which both provide the PAN and the rest of the data without any authentification or encryption.


                • by phone or paper (what is known as "MOTO" in the industry: mail order / telephone order), when you just read the details over the phone or write them on the order form.


                • on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?



                The PAN has never been considered a secret. It's just an account number, exactly like your account number appears on paper cheques, to know what account the money should be taken from.



                Some people think the key (the last digit) is a (poor) security feature, while it's actually only used to protect against input errors (digit changed, digits swapped...).



                Nowadays, people start to think that a PAN should be secret, and this has led to the introduction of "tokenisation": instead of sending the actual card number, another card number is sent instead, which is either limited to a specific channel (and possibly device), or even to a single transaction.



                This is the case for instance for Apple Pay: when you register your card with its real PAN, the bank sends back a token ("fake" PAN) which is used instead, and can only be used for payments made with Apple Pay on that device. If ever someone intercepted that PAN, they wouldn't be able to do anything with it: it won't be accepted to add a card to Apple Pay, won't be accepted in store, online, over the phone, or anywhere else.



                Is that really useful? In a perfect world where all transactions are authenticated by other means, it really shouldn't matter, a PAN by itself should be useless. In practice, as there are channels that allow the use of pretty insecure authentication methods, that's an additional line of defence.



                Note that the need for tokenisation is probably slightly more important with the introduction of contactless: you can read the PAN of any contactless card without even touching it, it's just a matter of getting close enough.



                The security code



                The security code printed on the back of the card (or on the front, for American Express cards) was not originally present. It was added to avoid the following fraud scenarios:




                • a credit card receipt with the full card number (and name and expiry) was discarded and collected by someone else (this was especially true when imprinters were in use, but was also true before the card networks finally decided it was forbidden to print the full PAN on the customer receipt).


                • a card is "swiped" to record the contents of the magnetic stripe, which contains the PAN, expiry, cardholder name, and more...). This allowed people who had physical access to cards (waiters, cashiers...) to record large numbers of cards pretty quickly without being noticed.



                To counter this, this new code was added, which is not on the receipt (as it's not embossed), and is not on the magnetic track either.



                This code is required only for MOTO and online purchases, where you cannot see if the user actually has the card (a so-called "card not present" transaction), and you want to be a bit more sure that the user has the card.



                This is indeed quite easy to circumvent: you just need to either make a full copy of the card (both sides) or make a note of all the data. But in many of the scenarios above, that made it just a bit more difficult for a dishonest user to do it without being noticed.



                (The introduction of hand-held terminals also helps a lot, as a user can keep his eyes -- and hands -- on the card at all times, but especially in restaurants in the US, this is not yet standard practice).



                The security code also helps in the case a site stores your credit card data, and someone manages to get access to it: in theory, no-one is allowed to store the security code, so a hacker would only get the PAN and expiry, and would not be able to use it again, but, in practice, way too many people still store the security code. The industry is chasing after those (it's one of the aspects of the PCI DSS initiative), but there's still a long way to go.



                The real protection comes from new authentication measures (3D Secure) that allow another mode of verification beyond just that data. Depending on the bank (or even the card), they could involve:




                • a password

                • a one-time password (OTP) sent via SMS or other means

                • biometric authentication (fingerprint, face recognition, iris scan...)

                • actually talking to the chip on the card by use of the card reader connected to your computer (I'm not sure this has actually been deployed anywhere)
                  ...


                Note that the security code is used only for online/MOTO transactions ("card not present" transactions). Card present transactions will either use:




                • another security code which is on the magnetic stripe (though this is easy to copy)

                • communication with the chip (on cards that have one) so that the card authenticates itself.






                share|improve this answer



















                • 2




                  PCI requires vendors to treat the PAN as secret
                  – Brian Knoblauch
                  Dec 19 '18 at 18:09










                • Re American Express: I have such a card with a 15 digit PAN (so where's the checknum?). On the front of the card appears a four digit number and on the back of the card on a stripe appears the card number with a three digit number. I have always assumed that the three digit number on the back is the CVC number.
                  – No'am Newman
                  Dec 20 '18 at 7:27










                • "on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?" You just do the same as with any password, memorize it and/or store it in an encrypted storage. It particularly easy to memorize thee three digits in CVC but I remember everything on my card to be able to pay quickly.
                  – Vladimir F
                  Dec 20 '18 at 7:38












                • @No’amNewman the last digit is always the check digit, whether the PAN has 15, 16 or 19 digits. The Amex security code was originally the 4 digits on the front. I know they relatively recently added 3 digits on the back in addition, never used those, not sure if they work. If they do, it’s probably to reduce issues with people used to them being there (and sites which did not make a difference in their instructions).
                  – jcaron
                  Dec 20 '18 at 7:39






                • 1




                  @jcaron Please do not burn a strawman. This whole page is about a three digit number.
                  – Vladimir F
                  Dec 20 '18 at 8:06














                11












                11








                11






                You are asking why the card number and the security code are printed on the card. In both cases, let's review a bit of history:



                The card number



                The card number (called PAN in the industry) is just an identifier, it has no reason to be secret. It is needed for any transaction, so that a charge can be... charged back to the relevant account, whether:




                • at a physical point of sale (POS), using the old "imprinter" method (not sure if that's still in use anywhere). That's the reason the number is actually embossed, not just printed (along with the other details required for the transaction: expiry date, name of cardholder).


                enter image description here




                • at a point of sale, using a POS terminal ("credit card machine"), which either reads the magnetic stripe or the chip of the card, which both provide the PAN and the rest of the data without any authentification or encryption.


                • by phone or paper (what is known as "MOTO" in the industry: mail order / telephone order), when you just read the details over the phone or write them on the order form.


                • on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?



                The PAN has never been considered a secret. It's just an account number, exactly like your account number appears on paper cheques, to know what account the money should be taken from.



                Some people think the key (the last digit) is a (poor) security feature, while it's actually only used to protect against input errors (digit changed, digits swapped...).



                Nowadays, people start to think that a PAN should be secret, and this has led to the introduction of "tokenisation": instead of sending the actual card number, another card number is sent instead, which is either limited to a specific channel (and possibly device), or even to a single transaction.



                This is the case for instance for Apple Pay: when you register your card with its real PAN, the bank sends back a token ("fake" PAN) which is used instead, and can only be used for payments made with Apple Pay on that device. If ever someone intercepted that PAN, they wouldn't be able to do anything with it: it won't be accepted to add a card to Apple Pay, won't be accepted in store, online, over the phone, or anywhere else.



                Is that really useful? In a perfect world where all transactions are authenticated by other means, it really shouldn't matter, a PAN by itself should be useless. In practice, as there are channels that allow the use of pretty insecure authentication methods, that's an additional line of defence.



                Note that the need for tokenisation is probably slightly more important with the introduction of contactless: you can read the PAN of any contactless card without even touching it, it's just a matter of getting close enough.



                The security code



                The security code printed on the back of the card (or on the front, for American Express cards) was not originally present. It was added to avoid the following fraud scenarios:




                • a credit card receipt with the full card number (and name and expiry) was discarded and collected by someone else (this was especially true when imprinters were in use, but was also true before the card networks finally decided it was forbidden to print the full PAN on the customer receipt).


                • a card is "swiped" to record the contents of the magnetic stripe (which contains the PAN, expiry, cardholder name, and more...). This allowed people who had physical access to cards (waiters, cashiers...) to record large numbers of cards pretty quickly without being noticed.



                To counter this, this new code was added, which is not on the receipt (as it's not embossed), and is not on the magnetic track either.



                This code is required only for MOTO and online purchases, where you cannot see if the user actually has the card (a so-called "card not present" transaction), and you want to be a bit more sure that the user has the card.



                This is indeed quite easy to circumvent: you just need to either make a full copy of the card (both sides) or make a note of all the data. But in many of the scenarios above, that made it just a bit more difficult for a dishonest user to do it without being noticed.



                (The introduction of hand-held terminals also helps a lot, as a user can keep his eyes -- and hands -- on the card at all times, but especially in restaurants in the US, this is not yet standard practice).



                The security code also helps in the case a site stores your credit card data, and someone manages to get access to it: in theory, no-one is allowed to store the security code, so a hacker would only get the PAN and expiry, and would not be able to use it again, but, in practice, way too many people still store the security code. The industry is chasing after those (it's one of the aspects of the PCI DSS initiative), but there's still a long way to go.



                The real protection comes from new authentication measures (3D Secure) that allow another mode of verification beyond just that data. Depending on the bank (or even the card), they could involve:




                • a password

                • a one-time password (OTP) sent via SMS or other means

                • biometric authentication (fingerprint, face recognition, iris scan...)

                • actually talking to the chip on the card by use of the card reader connected to your computer (I'm not sure this has actually been deployed anywhere)
                  ...


                Note that the security code is used only for online/MOTO transactions ("card not present" transactions). Card present transactions will either use:




                • another security code which is on the magnetic stripe (though this is easy to copy)

                • communication with the chip (on cards that have one) so that the card authenticates itself.














                edited Dec 19 '18 at 17:20

























                answered Dec 19 '18 at 15:59









                jcaron









                • 2




                  PCI requires vendors to treat the PAN as secret
                  – Brian Knoblauch
                  Dec 19 '18 at 18:09










                • Re American Express: I have such a card with a 15 digit PAN (so where's the checknum?). On the front of the card appears a four digit number and on the back of the card on a stripe appears the card number with a three digit number. I have always assumed that the three digit number on the back is the CVC number.
                  – No'am Newman
                  Dec 20 '18 at 7:27










                • "on the internet, where you need to read the number off your card and enter it into a form. How could you order anything if you can't read the card number?" You just do the same as with any password, memorize it and/or store it in an encrypted storage. It is particularly easy to memorize the three digits in CVC but I remember everything on my card to be able to pay quickly.
                  – Vladimir F
                  Dec 20 '18 at 7:38












                • @No’amNewman the last digit is always the check digit, whether the PAN has 15, 16 or 19 digits. The Amex security code was originally the 4 digits on the front. I know they relatively recently added 3 digits on the back in addition, never used those, not sure if they work. If they do, it’s probably to reduce issues with people used to them being there (and sites which did not make a difference in their instructions).
                  – jcaron
                  Dec 20 '18 at 7:39






                • 1




                  @jcaron Please do not burn a strawman. This whole page is about a three digit number.
                  – Vladimir F
                  Dec 20 '18 at 8:06
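
The check-digit point from the answer and from jcaron's comment above, as an added example that is not part of the original posts: a Luhn check-digit implementation that measures which input errors the last digit catches, and shows that it is a public function of the other digits. The PANs are constructed for illustration (not real accounts) and the function names are this example's own.

```python
# Added example: the last digit of a PAN is a Luhn check digit.
# It detects typing errors; it is not a secret and authenticates nothing.
# All PANs here are constructed sample values, not real card numbers.


def _luhn_sum(digits_without_check: str) -> int:
    """Weighted digit sum over every digit except the check digit."""
    total = 0
    # Walk right to left: the digit next to the check digit is doubled,
    # then every second digit after it. A doubled value above 9 has its
    # two digits added together, which is the same as subtracting 9.
    for i, ch in enumerate(reversed(digits_without_check)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def check_digit(partial: str) -> int:
    """Check digit that makes partial + digit pass the Luhn test."""
    return (10 - _luhn_sum(partial) % 10) % 10


def with_check_digit(partial: str) -> str:
    return partial + str(check_digit(partial))


def luhn_valid(pan: str) -> bool:
    """Works for any length (15, 16 or 19 digits): only the last digit is special."""
    return pan.isdigit() and len(pan) > 1 and check_digit(pan[:-1]) == int(pan[-1])


def undetected_substitutions(pan: str) -> list:
    """Every single-digit typo that would still pass validation."""
    missed = []
    for i, original in enumerate(pan):
        for replacement in "0123456789":
            if replacement != original:
                candidate = pan[:i] + replacement + pan[i + 1:]
                if luhn_valid(candidate):
                    missed.append(candidate)
    return missed


def undetected_adjacent_swaps(pan: str) -> list:
    """Indexes i where swapping digits i and i+1 would still pass validation."""
    missed = []
    for i in range(len(pan) - 1):
        a, b = pan[i], pan[i + 1]
        if a != b:
            candidate = pan[:i] + b + a + pan[i + 2:]
            if luhn_valid(candidate):
                missed.append(i)
    return missed


def valid_last_digits(partial: str) -> list:
    """Which of the ten possible last digits are accepted for these leading digits."""
    return [d for d in range(10) if luhn_valid(partial + str(d))]


# Constructed sample PANs: a 16-digit and a 15-digit one, both containing
# adjacent 0/9 pairs, the one transposition the scheme cannot see.
PAN_16 = with_check_digit("400012340990567")
PAN_15 = with_check_digit("30001234567890")

if __name__ == "__main__":
    for pan in (PAN_16, PAN_15):
        print(pan, "valid:", luhn_valid(pan))
        print("  single-digit typos accepted:", len(undetected_substitutions(pan)))
        print("  adjacent swaps accepted at indexes:", undetected_adjacent_swaps(pan))
    # Exactly one last digit fits any leading digits, and anyone can compute
    # it, so a valid check digit says nothing about who is holding the card.
    print("accepted last digits:", valid_last_digits("400012340990567"))
```

Every single-digit typo is rejected, and the only adjacent swaps that slip through are 0 with 9; the digit is derived entirely from the rest of the number, which is why it protects against input errors rather than fraud.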

























                0














                Simple, the intention behind the credit system is to utilize trust between the exchange of different parties in a timely manner. However, the cyber world is far from bulletproof. Most exploits are usually within the design themselves and not anything else. My advice to anybody looking into getting somewhere in life using computers, stick to marketable skills like screen & logic board repairs instead of cyber theft. There is much more opportunity in showing the world what takes time to understand, i.e. electrical engineering, instead of harassing others by taking from them (credit card theft). It seems like cybersecurity in the future will rely on thinking machines handling repetitive decisions, from there the people can decide which direction is more beneficial in the long run.















                    answered Dec 26 '18 at 14:47









                    David Smith
























                        0














                        There was previously a "Verified by Visa" system where the Visa credit card had a password that the consumer kept. The password wasn't on the card. The "Verified by Visa" system was used on internet transactions. Merchants had the option of offering the system.















                            answered Dec 26 '18 at 17:18









                            S Spring






























