CVVS on credit cards, Security questions, etc...
 

Man Alive.

I haven't done much e-commerce outside of tons paypaling in a long time.

But I just registered for Western Union and sent someone some money....

The CVVS thing (the 3 digit number on the back of the card) is a joke -- I write "ASK FOR ID" in permanent marker on the back of my cards... so I can barely read the code, and on a couple cards it was scraped off from keys or change or something.

Yet, without that CVVS2 number I wasn't about to do anything with that card.

But my point here is... what good is this information really?

If someone compromises their databases they will have it all anyway? CVVS/2 seems like a joke to me.



They also forced me to select a security question and gave me three commonly used choices of:

Mothers maiden name
Pets Name
And something else that I forgot.

Another bad idea - to lock people into answering the same security questions over and over.

For example: If someone got this database, they might be able to change my hotmail information because they know the answer to say, my Mothers maiden name...

So then they could go change my hotmail address because hotmail suggested I use my mothers maiden name too. (as an example - I didn't really do this obviously)

From there they could access/damage a ton of other things.

Actually, Visa Regs say that any CV2 info collected must be purged after the sale is settled. So it shouldn't be on a database.

It's not supposed to be, anyway. Any above board processor or gateway follows these guidelines.

Just to throw my hat in to the ring on this one, any Cards without CV2 nuimbers should only be processed in a 'Card Holder Present' Situation.

Granted this is not always the case however we have been told this is the case. I dont know of ant Credit Cards without these numbers however there are many Debit Cards which do not have a CV2 number.

well cvv2 does not stop people who do this for a living, its simply an algo and whatever good guys have access to bad guys can get access to as well

This sounds like a great idea... but can't you remove permanent marker ink from plastic with a bit of alcohol?

Maybe it could be engraved if the plastic burrs could be cleaned up?

My signature seems to change fairly frequently - even in the last 2 months since I signed my newest card - but I've only been ever asked for verification ID once...

But its different for each bank, so hackers are limited. Same for DIS data on the mag stripe of credit cards... it can be hacked so someone can turn a credit card # and exp date into a real plastic card... but each bank would have to have their DIS data cracked seperately. Several have already been cracked.

Doh. You've just ruined my false sense of security :(

Actually it hardly matters.

$6/hr employees rarely care who's doing what... I might get asked for ID 10% of the time.
(and it's BIG and BOLD on the back of the card - ASK FOR ID.)

Nobody cares. It's an ongoing theme :glugglug

sperbonzo is correct... CVV2 must not be stored as per Visa regs.

That said, the number appearing in the "signature strip" on the back of the card is a definite PIA. I have a Visa which is about 2 months old and the last number is almost completely scratched out. Amex display's theirs on the front of the card. Much better, IMO.

cvv2 is definitely not supposed to be stored. It was designed to be an additional security measure for card not present transactions, and it does work to some degree. Biggest problem is the banks that issue cards that do not support it, I dont even know why they print it on the card.

basically, just like everything else with visa, the banks are given a deadline in which to implement certain things. much like verified by visa, chip cards and not printing full card numbers on receipts.

most banks issue a CVV because it's easy to do, but they won't support verifying the info until they have to.