Card Validation Code
The Card Validation Code ( CVC ) (also Card Verification Value ( CVV ), Card Verification Number ( CVN ), Card Security Code ( CSC ), Card Code Verification ( CCV ), CVC ( KPN )) or security code is a security feature on credit cards .
The verification number is intended to make it more difficult to use falsified or stolen credit card details, as it should be used to determine whether a credit card is actually physically present.
function
The currently used format is called CVC2 . It is a three- or four-digit number combination that is printed (not embossed) on the credit card in addition to the credit card number. This means that the test number is not machine-readable . It can only be verified by the issuing bank, as there is no mathematical relationship to the card number. Some credit institutions create the check digit using the DES algorithm and the like. a. from card number and expiry date.
The previous CVC format , now called CVC1 , is stored on the card's magnetic stripe and is therefore only suitable for checking a physically present card - not by telephone or the Internet.
According to the guidelines of the card company, the CVC may only be queried, but neither saved nor processed (e.g. printed on a receipt / invoice). This is to ensure that the CVC has to be queried again for each transaction.
In online transactions it is common nowadays to request the address ( Address Verification System , AVS) and / or the CVC2 to authenticate the cardholder while the payment details are being recorded, although this may ultimately represent processing or storage. Unauthorized persons could gain access to the authentication data through insecure transmission or inadmissible storage and thus render the security features useless.
Using the CVC2
- EuroCard / MasterCard : The three-digit verification number is called CVC2 (Card Validation Code 2) and is on the back of the card.
- Visa : The three-digit verification number is called CVV2 (Card Verification Value 2) and is located on the back of the card.
- American Express : The four-digit verification number is called CID (Card Identification #) and is located on the front of the card.
criticism
It is criticized that the verification number is easy to determine if the credit card number is known. Security experts from the Tübingen-based company SySS performed this publicly in 2007 on the WISO program and again in 2011 on behalf of the weekly newspaper Die Zeit . The encryption by DES is of no use, because the verification number can be determined simply by systematic trial and error at various web shops. Some web shops don't even limit the number of unsuccessful attempts because they don't want to alienate clumsy customers who make multiple mistakes. Thus the check number is useless and only fakes the customer with additional security.
Further procedure
3-D Secure is a more far-reaching procedure with which credit card issuers try to curb credit card fraud in online transactions. It is based on the fact that a connection to the card issuer is established during the transaction so that the buyer can confirm his identity there by means of a code.
Individual evidence
- ↑ Werner Rockenbach: The credit card check digit (no longer available) .
- ↑ Payment Card Industry Data Security Standard (PCI DSS) (PDF; 393 kB) prohibits the storage of confidential authentication data.
- ^ A b Thomas Fischermann: Loud holes . Die Zeit, May 19, 2011. Online at [1] , accessed on August 5, 2011.
literature
- Thomas Lammer (Ed.): Manual E-Money, E-Payment & M-Payment. Physica-Verlag, Heidelberg 2006, ISBN 3-7908-1651-5 .
- Ernst Stahl, Markus Breitschaft, Thomas Krabichler, Georg Wittmann: Risks of payment processing on the Internet. Importance, countermeasures and future challenges. IBI Research, Regensburg 2007, ISBN 978-3-937195-15-5 , details on the study and management summary as PDF
Web links
- Topic special of the ECC Handel: Risk management in e-commerce
- Secure payment methods for e-government: e-government manual ( Memento from January 17, 2012 in the Internet Archive ) (PDF; 1.2 MiB)