Paying for goods or services over the Internet can cause difficulties for inexperienced users. For example, to complete a purchase, a site usually offers to enter payment card information for non-cash payment: card number, expiration date, surname and name of the holder, as well as the CVV / CVC code. If the first paragraphs are more or less clear, then the last requirement can confuse many and take a lot of time to find out. This article will help you understand and answer questions such as CSC - what kind of code is it, where to find it, and why it is needed.
About technology
CSC (Card Security Code) is a security mechanism designed to prevent bank card fraud. Other related terms are also found: CVD, CVV, CVC, SPC, and V-code. CSC is intended for use in cases where the card cannot be physically presented - with online payments. The technology owes its birth to the British Equifax employee Michael Stone. Initially, the code was a combination of 11 letters and numbers. Subsequently, private agencies and banks came to understand that CSC is a harbinger of a new era of information security. The code was finalized and got its modern look, consisting of 3 digits. In the wake of the booming e-commerce industry at the end of the 20th century, the leading payment systems - MasterCard, Visa and American Express quickly picked up this technology.
There are several types of secret code:
- CVC1 or CVV1 is an encrypted combination of characters whose physical location is the magnetic stripe on the back of the card. Used for offline card payments. The code is recognized by the payment device during the purchase process and sent for verification to the authentication server of the issuing bank. Such protection is bypassed by making a duplicate payment card and copying the magnetic tape.
- CVV2 or CVC2. Designed to protect the buyer during transactions over the Internet. It is the most advanced verification method. In some European countries, payment systems require merchants and companies to verify this code in online transactions.
- iCVV or dynamic CVV. Used with contactless payment.
CSC - what is it? Mastercard and Visa
In its use and location, the card security code is completely the same for both payment systems, except for the name. CSC on Visa card is called CVV2, for Mastercard - CVC2. The digital combination of the code is located on the back of the card, in the zone of the signature strip of the holder or near it. This arrangement makes it difficult for cybercriminals to spy on numbers to steal money in public places or from video. Differing methods for applying the CSC code and card number: for a protective combination, use identity printing or embossing. This security element may even be physically absent on the card, but generated when it is issued. This option is inherent in virtual cards or entry-level plastic: Visa Electron, Mastercard Maestro and others.
Security code in other payment systems
There are other variations of CVC:
- CID (Card Identification Number - on American Express payment instruments. It has a key distinguishing feature: a security code, consisting of 4 digits, is located above the card number in its right side of the front side.
- CVD (Card Verification Data) is a security feature for Discover American credit cards.
- CVE (Elo Verification Code). A protective combination of numbers on debit and credit cards of Brazil.
- CVN2 (Card Validation Number) is a security code on the cards of the Chinese Union Pay payment system.
How reliable is this mechanism?
Issuing banks prohibit trading and service companies from storing in the database CSC passwords received during the transaction. This increases the security of payment card holders: in the event of hacking and theft of data from the company's servers, compromised client card data is practically useless without a security code. Despite this, in favor of the fact that CSC is far from the safest mechanism, there is the following evidence:
- Powerless before phishing links. The security code is not able to prevent data theft when a user by fraud goes to a fake payment page created by scammers. Typically, the interface of such a resource is indistinguishable or as close as possible to the content of a regular page, which misleads the buyer and prompts you to enter payment card data, including CSC. Thus, cybercriminals have full access to card information that allows for illegal transactions.
- Optional input. Some online trading sites do not require buyers to provide CSC. This plays into the hands of attackers who only know the compromised data from the front of the card: number and expiration date.
- Breaking. There are cases when fraudsters guessed a short three-digit CSC through hacker tricks and organized DDoS attacks.
What other card protection technologies are there?
As you can see from the previous paragraph, the CVC mechanism has flaws that threaten the safety of cardholders. Payment systems took into account that CSC is a technology that has serious shortcomings, and introduced a system of additional protection for payment cards called 3D-Secure. This mechanism adds a step to the online transaction process - user authentication on the server of the issuing bank. It may include entering a permanent code, a dynamically generated combination of numbers from an SMS message, or using a password from a list of keys.