Card Security Code
A card security code (CSC), in addition to the bank card number which is embossed or printed on the card, is a security feature for “card not present” payments instituted to reduce the incidence of credit card fraud. It is often used in situations where a PIN cannot be used. Contactless card and chip cards may electronically generate their own code, such as iCVV or Dynamic CVV.
CSC was originally developed in the UK as an 11 character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWest Bank, the concept was adopted by APACS (the UK Association of Payment Clearing Services) and streamlined to the 3 digit code known today. MasterCard started issuing in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999 in response to growing internet transactions and card member complaints of spending interruptions when the security of a card has been brought into question.
Different Code Names:
“CID” or “Card Identification Number” – Discover
“CID or UCC” – “Unique Card Code” – American Express
“CSC” or “Card Security Code” – Debit Card
“CVC2” or “Card Validation Code” – MasterCard
“CVE” or “Elo Verification Code” – Elo – Brazil
“CVN2” or “Card Validation Number 2” – China UnionPay
“CVV” or “Card Verification Value” –Visa
“CVV2” or “Card Verification Value 2” –Visa
Types of codes
The first code, called CVC1 or CVV1, is encoded on track 2 of the magnetic stripe of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.
The second code, and the most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail, fax, telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.
Contactless cards and chip cards may supply their own electronically-generated codes, such as iCVV or Dynamic CVV.
Location of the Security Code
The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.
American Express cards have a four-digit code printed on the front side of the card above the number.
Diners Club, Discover, JCB, MasterCard, and Visa credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.
New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.
As a security measure, merchants who require the CVV2 for “card not present” payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code.
The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits card holder data. For American Express cards, this has been an invariable practice (for “card not present” transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for “card not present” purchases over the phone, mail order or Internet.
Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
The use of the CSC cannot protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. There is also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs).
Since the CSC may not be stored by the merchant for any length of time, a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction. Payment gateways, however, have responded by adding “periodic bill” features as part of the authorization process.
Some card issuers do not use the CSC. However, transactions without CSC are possibly subjected to higher card processing cost to the merchants, and fraudulent transactions without CSC are more likely to be resolved in favor of the cardholder.
It is not mandatory for a merchant to require the security code for making a transaction, however, if no code is processed the merchant may be accessed a surcharge on their payment processing fee.
Fast Charge Payment Gateway Settings:
Sign up or Switch Free Today! All Information Will Remain 100% Confidential!
Fast Charge is a quick, easy and secure way to process all of your payments. It's real-time and you're always open!