mattwnz: I didn't think they were allowed to ask for the CVC number over the phone. A phone transaction is essentially a mail order, where you fill in your details and mail it to a comapmy.So if they are asking for it over the phone, it means that they could potentially store, it which isn't permitted from my understanding. The CVC is supposed to confirm that you have the card in your possession, which is fine for when you enter it online through a payment gateway where the transaction is processed in realtime, but not when the processing is done manually over the phone. Personally I would question why they require that, and probably wouldn't give it. INstead ask them for a secure payment webpage where you can enter your details.

Yeah - Mattwnz is right. If the merchant is asking you for that, then it means he is putting through your card holder not present MOTO (mail order / telephone order) transaction from you as a Internet transaction so he can pay less commission or MSF rate. I notice even large corporates like Apple call centre in Australia ask for this information on the phone.

Just contact the bank and put a VbyV (Visa) or Securecode (Mastercard) on it. That is the only way your liability is protected. That way if the merchant's computer system (or paper system) is compromised and someone ends up with your card number and your three digit code, you limit your liability. If your card does not support it switch to one that does. Whether the merchant is enrolled or not is besides the point. It is all about shifting liability so it is not your problem.