Stolen Credit Card CVV/CVC Puzzle

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Stolen Credit Card CVV/CVC Puzzle

1 | 2 | 3 | 4 | 5 | 6

Exited
4929 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#3285291 22-Sep-2024 23:57

I get my next VISA I will also have to cut off some or all of the 16 credit card digits so that someone who steals it can't use it.

The cards magstrip etc store the card number. Personally - its a rather small exposure window that the bank is responsible for.
If you were really concerned, I'd disable the physical card and only activate it when you want to use it... and use Apple/Google pay for the rest.

Same with Verified by Visa/Mastercard Secure... When was the last time you encountered VbyV?

I occasionally get Mastercard Secure. Usually when I'm paying an exceptionally small bill overseas (eg. $5NZD), odd ball overseas transactions or high value transactions (eg. $5000-$9999). Using Applepay with the same vendors don't tend to trigger the fraud protections.

webhosting

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

rugrat

3107 posts

Uber Geek

Lifetime subscriber

#3285292 23-Sep-2024 01:10

cokemaster:

If you were really concerned, I'd disable the physical card and only activate it when you want to use it... and use Apple/Google pay for the rest.

With ANZ when disable payWave it also blocks Apple Pay. (And I’m guessing the same with google pay).

I have an ANZ card and BNZ one, the BNZ one is better as Apple Pay still works when payWave blocked, so don’t have to unlock in settings each time use.

Goosey

2829 posts

Uber Geek

Subscriber

#3285294 23-Sep-2024 06:43

neb:

The CVC is designed to shift liability for one of more of the parties involved in the transaction, not to make you more secure. Same with Verified by Visa/Mastercard Secure, when that was enabled it resulted in a loss in conversion rate (i.e. abandoned transactions = lost sales) as high as 40-50% in some countries. When was the last time you encountered VbyV?

im calling bs on those stats.

i reckon those stats were simply fraudsters and opportunists / thief’s who some how obtained card data but no CVC (think zip zap paper, intergrated point of sale system data where the cards were swiped through pos units as opposed to the pin pad method you see nowadays, (sure it’s mostly starrred out on the receipt but in the software it’s still there in the transaction log files).

geek3001

63 posts

Master Geek

ID Verified

Subscriber

#3285305 23-Sep-2024 08:25

boosacnoodle:
geek3001:

In terms of Lotto, I presume you mean Lotto NZ? If so, I can assure you they definitely require the card's CVC number as part of the topping-up process when you buy a ticket manually via their smartphone app as I do this regularly.

Yes - they ask for one, but they do not validate this. I tried this with my partners BNZ card last night and just put in 123 - it worked.

Well, I stand corrected - thank you.

I just tried a ticket purchase, using an invalid CVC, and the transaction went through without any challenge.

One has to wonder why they even bother to ask for the CVC if they don't use it to validate the purchase, and what are they doing with it.

wellygary

8315 posts

Uber Geek

#3285361 23-Sep-2024 09:18

geek3001:

I just tried a ticket purchase, using an invalid CVC, and the transaction went through without any challenge.

One has to wonder why they even bother to ask for the CVC if they don't use it to validate the purchase, and what are they doing with it.

Call you credit card company/ Bank and tell them what is going on,

and that if you don't get a satisfactory response from them, your next calls will be to the Banking Ombudsman/Commerce Commission/Media

boosacnoodle

963 posts

Ultimate Geek

#3285382 23-Sep-2024 10:11

wellygary: Call you credit card company/ Bank and tell them what is going on,

and that if you don't get a satisfactory response from them, your next calls will be to the Banking Ombudsman/Commerce Commission/Media

That's of no relevance. The CVV exists only to shift liability somewhere between the cardholder, merchant, merchant's bank (acquirer), payment processor and the issuing bank. The card network just provides the platform. Your bank has little to no control over the process either.

SimonGilmour

31 posts

Geek

#3285385 23-Sep-2024 10:38

neb:

The CVC is designed to shift liability for one of more of the parties involved in the transaction, not to make you more secure. ....

I don't understand how. Can you explain?

Tradepub

Free professional, reference and technical white papers (affiliate link).

snj

185 posts

Master Geek

#3285395 23-Sep-2024 11:29

wellygary:

geek3001:

I just tried a ticket purchase, using an invalid CVC, and the transaction went through without any challenge.

One has to wonder why they even bother to ask for the CVC if they don't use it to validate the purchase, and what are they doing with it.

Call you credit card company/ Bank and tell them what is going on,

and that if you don't get a satisfactory response from them, your next calls will be to the Banking Ombudsman/Commerce Commission/Media

Given that it's been a problem since at least last year, and publicised in the media (see the link I posted last night), the banks obviously don't mind the situation. Siding with the shifting liability thing here, the banks can basically say "you didn't verify the CVC/ignored the result, so it's your fault and you're on the hook".

rugrat

3107 posts

Uber Geek

Lifetime subscriber

#3285398 23-Sep-2024 11:43

Yeah, I don’t understand how it shifts liability to. I mean as part of the process the CVC is not supposed to be stored so if something goes wrong and the transaction is challenged as fraud how is the CVC going to prove anything when nothing is kept on record regarding it.

What are the rules for storing CVV?

Merchants are not allowed to store CVV after a transaction has been authorized. The only exception is if the merchant has been granted permission by the credit card company to store CVV for specific business reasons.

Why is storing CVV a security risk?

Storing CVV increases the risk of credit card fraud and identity theft. If a hacker gains access to a merchant's database and steals CVV numbers, they can use them to make fraudulent purchases.

Above from https://pcicompliancehub.com/storing-cvv-what-merchants-need-to-know/#:~:text=PCI%20DSS%20Requirements%20for%20CVV%20Storage,-To%20ensure%20the&text=This%20means%20that%20once%20a,risk%20of%20it%20being%20compromised .

I did see that merchants do not have to ask for a CVC code, so if lotto is not going to use it, I don’t get why they ask for it in the first place.

It's important to note that CVV numbers are not a requirement for processing an online credit card purchase. It is up to the retailer whether to ask this question as part of the transaction process as an added measure of security. There are several reasons why a retailer may not ask for the CVV.

and from https://finom.co/en-it/blog/cvv-code/#heading-what-is-a-cvv-code it mentions that a transaction can go through with wrong CVC,

"Sometimes it is possible for a transaction to be successful even if the wrong CVV is entered, but this is unlikely. Some merchants may not check the CVV or may have a different fraud detection system in place that allows a transaction to go through with an incorrect CVV. If this happens, it is best to contact the merchant and the bank to ensure that the transaction is legitimate and to take necessary steps to prevent any further fraud."

boosacnoodle

963 posts

Ultimate Geek

#3285401 23-Sep-2024 11:54

When the issuing bank returns a response they don’t say whether the card should be accepted or not as just a yes or no. They can state that the CVV does not match but the other details are otherwise fine. It’s then up to the other parties (such as the merchant) to decide whether to accept or not based on that and likely other data.

rugrat

3107 posts

Uber Geek

Lifetime subscriber

#3285479 23-Sep-2024 16:11

Think I’ve got it now. CVC is more optional than what some of us realised. Guessing bank will have record of if it matched for each transaction.

Merchant has choice of still putting transaction through when not matched. So the likes of ANZ dynamic CVC numbers provide no protection if person who has card details uses at a merchant that doesn’t care about CVC numbers matching.

richms

28172 posts

Uber Geek

Trusted

Lifetime subscriber

#3285484 23-Sep-2024 16:27

CVC was supposed to be the magic bullet to stop skimmed cards being used online. Like everything payment card industry, there are so many people with fingers in the pie that nothing decent ever happens.

Richard rich.ms

Eva888

2429 posts

Uber Geek

Lifetime subscriber

#3285653 24-Sep-2024 08:19

Wise has virtual cards that I use at home for any foreign transactions for security. I wonder if it’s ok to block the virtual cards and get new ones weekly while out of the country just for extra security or is there a limit to the amount of times you can do this. Never tried blocking and reissuing. I use them in iPhone wallets as well when travelling.

SimonGilmour

31 posts

Geek

#3287124 27-Sep-2024 18:59

I emailed Visa but they told me to talk to my Bank. Here is an abbreviation of the messages:

ANZ:

".....Now there is security features that are not currently set with Visa or the bank where when you correctly enter in your card details for the first time with any merchant or site, it will hold and save your card details. This means when you go to processed further transactions with the incorrect CVV or CSC code, this will allow the payment to process. You will need to get in contact with the merchant regarding this security feature.....

ME:

"Hi Angel,

Thanks for your response. I'm afraid what you are saying re: CVC number does not make sense to me. In order to test the checking of the CVC number I created a NEW account with that merchant, used my existing credit card - which I had used on an old account with that merchant - and purposefully put the CVC number in wrong and the payment was still processed and I received my goods.

1.
Now, you seem to be saying that the CVC number needs to be correct the first time and that in subsequent uses it is not checked. But this was the FIRST time that this NEWLY set up account had used this credit card for that merchant. So the only way the merchant can have processed the payment and ignored the CVC number is if the merchant does not care what account/login uses a card and if the card has been used by ANY login/user at all it will not check the CVC number.
Given that the whole point of the CVC number is that it ensures that the user has the physical card in front of them, this seems insane. This means that anyone who somehow comes to be in possession of my credit card number and expiry date can set up their own account with a merchant that I have used before and use my card it without needing the CVC number. That's nuts.

2.
My understanding of the CVC number is that merchants are strictly prohibited from storing it. If, as you say, the CVC number is only needed on the first transaction, can you please explain how a merchant processes subsequent transactions without needing the CVC number.

Thanks,
Simon

SomeoneSomewhere

1802 posts

Uber Geek

Lifetime subscriber

#3287140 27-Sep-2024 20:28

My understanding of the CVC number is that merchants are strictly prohibited from storing it. If, as you say, the CVC number is only needed on the first transaction, can you please explain how a merchant processes subsequent transactions without needing the CVC number.

Self reporting: the first time you use the card with the vendor, they send all information to the bank including CVV2.

If the transaction is successful, they store the card name/number/expiry and a flag to indicate that the CVV2 has been verified.

For subsequent transactions, they send the name/number only. I am not sure whether they have to declare to the bank that the CVV2 has been previously verified, or if the same process is acceptable whether it is a repeat purchase with a previously verified CVV2 or a new card where they choose not to verify. I suspect the latter.

Per the policies and laws, almost all the liability for accepting invalid/stolen cards rests with the vendor. By not verifying a CVV2, they are increasing the chance that they have to accept a charge back, but on paper, it doesn't affect any other entity. That's why it's their choice.

1 | 2 | 3 | 4 | 5 | 6