Credit Card Security: Concern with giving out 3 digit code.

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Credit Card Security: Concern with giving out 3 digit code.

1 | 2 | 3

8227 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#897578 18-Sep-2013 12:14

Geektastic:

Time for a law change then.

In the UK they are even liable to replace faulty goods paid for using their cards!!

I think the point Kyanar is making is still valid. It doesn't matter whether it is the merchant, the card issuer, the payment processor, or Visa/Mastercard that is liable. One way or another the cost of liability is factored into their costs, and it comes from you. You don't have to pay for the $5000 TV someone charged to your Visa. You pay interest, annual fees, credit card surcharges, whatever -- some amount of those is effectively your portion of the overall fraud bill.

The ultimate liability correctly belongs with the merchant as they have the ability to scrutinise the card presented, and decline to charge it if anything is fishy. If they don't do that, and the charge is fraudulent, then it is their fault.

On the other hand the big boys - payment clearing houses, issuers, Visa/Mastercard - see the big flows of cash and are in a much better position to detect suspicious activities overall. That's why they automatically block cards acting suspiciously, but the merchant covers the fraudulent charge.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

dacraka

766 posts

Ultimate Geek

ID Verified

Trusted

#897618 18-Sep-2013 12:45

Yea, the merchant isn't allowed to store the three digit CCV code, just ask their policy of taking down that data - e.g. they write it down, enter it directly into the payment processor, they store the CCV code etc, then decide if you want to give your details from there.

SteveON

1916 posts

Uber Geek

#897621 18-Sep-2013 12:58

ToPGuNZ: I feel safer using websites. Giving it to a person who is writing it down on a piece of paper seems very unsafe. I suppose it is all a matter of risk avoidence/acceptance.

How is it any different?

The CVV numbers are voluntary by the merchant/issuing banks sometimes enforce it, but if the digits are just an extension of the number. I have a trick for you that will solve any credit/debit card issues.

dacraka: Yea, the merchant isn't allowed to store the three digit CCV code, just ask their policy of taking down that data - e.g. they write it down, enter it directly into the payment processor, they store the CCV code etc, then decide if you want to give your details from there.

They aren't allowed to, but how many merchants adhere to PCI standards now days?

Inphinity

2780 posts

Uber Geek

#897640 18-Sep-2013 13:21

SteveON:

They aren't allowed to, but how many merchants adhere to PCI standards now days?

If you have genuine reason to believe a merchant to be non-compliant, I suggest you pass this on to your card issuer or other relevant entity, as compliance is a requirement.

mattwnz

20153 posts

Uber Geek

#897650 18-Sep-2013 13:28

I didn't think they were allowed to ask for the CVC number over the phone. A phone transaction is essentially a mail order, where you fill in your details and mail it to a comapmy.So if they are asking for it over the phone, it means that they could potentially store, it which isn't permitted from my understanding. The CVC is supposed to confirm that you have the card in your possession, which is fine for when you enter it online through a payment gateway where the transaction is processed in realtime, but not when the processing is done manually over the phone. Personally I would question why they require that, and probably wouldn't give it. INstead ask them for a secure payment webpage where you can enter your details.

Inphinity

2780 posts

Uber Geek

#897661 18-Sep-2013 13:35

mattwnz: I didn't think they were allowed to ask for the CVC number over the phone.

There is no PCI DSS compliance requirement that excludes taking CVV codes over the phone. It does, however, as you say, exclude storing said data. This means call centres who record or monitor calls have to be very careful with how they manage this - a call recording that includes CVV information is a compliance failure.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#897665 18-Sep-2013 13:41

Geektastic:
Kyanar:
Geektastic:

Are credit card companies not liable for fraudulent use where you are not at fault? They are in the UK.

No, they are not liable. All the merchants end up liable, as the card issuers chargeback all the transactions. Which means that this eventuality is built into store margins, which means ultimately you're liable for it whether your card is ever stolen or not.

Time for a law change then.

In the UK they are even liable to replace faulty goods paid for using their cards!!

Some cards here offer this as a "feature" as well, which ultimately you're paying for as part of your credit card fees.

There is no need for a law change.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

mattwnz

20153 posts

Uber Geek

#897668 18-Sep-2013 13:43

Inphinity:
mattwnz: I didn't think they were allowed to ask for the CVC number over the phone.

There is no PCI DSS compliance requirement that excludes taking CVV codes over the phone. It does, however, as you say, exclude storing said data. This means call centres who record or monitor calls have to be very careful with how they manage this - a call recording that includes CVV information is a compliance failure.

That is a very good point. Hadn't thought about calls that are being recorded. But I have never come across a company asking for the code over the phone either, so must be quite rare.

ToPGuNZ

389 posts

Ultimate Geek

Lifetime subscriber

#897681 18-Sep-2013 13:52

SteveON:
ToPGuNZ: I feel safer using websites. Giving it to a person who is writing it down on a piece of paper seems very unsafe. I suppose it is all a matter of risk avoidence/acceptance.

How is it any different?

The CVV numbers are voluntary by the merchant/issuing banks sometimes enforce it, but if the digits are just an extension of the number. I have a trick for you that will solve any credit/debit card issues.

dacraka: Yea, the merchant isn't allowed to store the three digit CCV code, just ask their policy of taking down that data - e.g. they write it down, enter it directly into the payment processor, they store the CCV code etc, then decide if you want to give your details from there.

They aren't allowed to, but how many merchants adhere to PCI standards now days?

It is different to me in that I look for a HTTPS letters on the website address or it goes to a separate secure site. My thinking is that it is then secure, data is not stored and it is a safe transaction. Obviously this is not always the case and there is lots of complexity around how it all works but an average Jo like me just felt very uncomfortable when doing it over the phone but feels ok doing it online.

Overall it sounds like I should not be worried as bank/merchant will cover the loss. If I am worried about the process then I can ask them what they do with the data and report if I think it is needed.

hashbrown

463 posts

Ultimate Geek

#897774 18-Sep-2013 15:38

mattwnz:
Inphinity:
mattwnz: I didn't think they were allowed to ask for the CVC number over the phone.

There is no PCI DSS compliance requirement that excludes taking CVV codes over the phone. It does, however, as you say, exclude storing said data. This means call centres who record or monitor calls have to be very careful with how they manage this - a call recording that includes CVV information is a compliance failure.

That is a very good point. Hadn't thought about calls that are being recorded. But I have never come across a company asking for the code over the phone either, so must be quite rare.

One interpretation I've seen is also that if an unencrypted VOIP line is used by the agent, it is a violation, as the CVV is never allowed to be transmitted across the network unencrypted.

Aredwood

3885 posts

Uber Geek

#899289 21-Sep-2013 00:28

My landline phone is a VOIP line. Would that mean that every time I have been asked for a CVV over that phone line those rules have been broken? Assuming that Im using unencrypted VOIP. (Have no idea if it is encrypted or not).

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#899332 21-Sep-2013 09:05

Aredwood: My landline phone is a VOIP line. Would that mean that every time I have been asked for a CVV over that phone line those rules have been broken? Assuming that Im using unencrypted VOIP. (Have no idea if it is encrypted or not).

PCI only covers the merchant's infrastructure. The cardholder's infrastructure (your phone, internet, etc) are not covered - otherwise you'd be required to have a PCI compliant computer to shop online which is frankly a little unmanageable.

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#899341 21-Sep-2013 09:35

ToPGuNZ: It is different to me in that I look for a HTTPS letters on the website address or it goes to a separate secure site. My thinking is that it is then secure, data is not stored and it is a safe transaction. Obviously this is not always the case and there is lots of complexity around how it all works but an average Jo like me just felt very uncomfortable when doing it over the phone but feels ok doing it online.

HTTPS and a padlock in the address bar means nothing in terms of actual information security. It only means some data is encrypted when transmitted from your computer to theirs. At that point you have no idea what's going on behind the scenes. How safe their systems are. How the information is handled and disposed of after the transaction is completed. If the form you're submitting is an unsecure iframe inside the secure page, if there are XSS vulnerabilities on the site, if there's a transparent proxy between your two computers, if there are SQL injections vulnerabilities on their website and on and on and on...

Batman

Mad Scientist
29762 posts

Uber Geek

Trusted

Lifetime subscriber

#899350 21-Sep-2013 09:59

SaltyNZ: Well, yes, they do need that information in order to process a transaction. How else do you expect it to happen? Now, if they are *storing* it, then there are very strict rules in place to protect it. They may not be storing it, and instead passing it to a payment processor and then deleting it. (If the payment processor stores it, then *they* have to comply with the rules).

But the bottom line is, if you want to pay by credit card over the phone, then you need to give somebody your credit card details. If you don't want to tell it to a person on the phone, then don't.

Who here does or does not give out cc details over the phone?

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#899355 21-Sep-2013 10:23

joker97:
SaltyNZ: Well, yes, they do need that information in order to process a transaction. How else do you expect it to happen? Now, if they are *storing* it, then there are very strict rules in place to protect it. They may not be storing it, and instead passing it to a payment processor and then deleting it. (If the payment processor stores it, then *they* have to comply with the rules).

But the bottom line is, if you want to pay by credit card over the phone, then you need to give somebody your credit card details. If you don't want to tell it to a person on the phone, then don't.

Who here does or does not give out cc details over the phone?

I do. If I can't trust the company enough that I'm not willing to hand them details to bill me when I can reverse any transaction with a single phone call, frankly I shouldn't be doing business with them.

1 | 2 | 3