Be wary about giving out that security code on your plastic

November 13, 2008|By DAN THANH DANG | DAN THANH DANG,dan.thanh.dang@baltsun.com

The Q:

Everyone has probably seen those three- or four-digit security codes stamped on the back - and occasionally, the front - of your credit card. Some businesses ask for it and some don't when you make a purchase.

Dorothy Schleupner of Pasadena was wondering why businesses need to request the code at all?

"My bank told me the security code is there for my protection," Schleupner said.

During a recent transaction when Schleupner was attempting to purchase a Christmas gift by phone, a merchant asked for the three-digit code and she refused to hand it over.

"I told them that if they can't process the purchase without the security code, then no thanks," Schleupner said. "Are they supposed to ask for it? Do I have to share it with them? What's the story with that?"

The A:

Those little three or four digits are known as the Card Security Code or its more common name, Card Verification Value. The first code, called CVV1, is encoded on the magnetic stripe of the card and used for transactions in person.

The second code and the most often cited is CVV2, which was developed as a security measure to fight against the use of stolen credit card numbers. In these high-tech times, consumers have become increasingly aware and diligent about protecting their confidential data, but high-profile security breaches continue to occur every day through a variety of ways that compromise millions of credit and debit card accounts.

The CVV2 code is used for "card-not-present" transactions to verify that the person trying to use the card actually has physical possession of the card. On most credit cards, the CVV2 is located on the back of the card, adjacent to the box occupied by your signature, according to proi.net, a business Web site. American Express prints your security code on the front of the credit card.

According to proi.net, the three-digit code is not stored on your statements nor does the issuing bank have access to it. There is no master database containing these numbers. The CVV2 is the result of a sophisticated algorithm that uses your credit card number, expiration date and a private security key from the issuing financial institution.

The idea, of course, is that if criminals somehow get hold of your credit card number, they can't go on a buying spree online without knowing what your CVV2 is, since many online purchases require those digits. Many businesses will block your online transaction without the CVV2. Naturally, this doesn't work if a thief has your card.

In any case, it's of the utmost importance that you don't share your CVV2 with just anyone. If someone calls or sends you an e-mail to verify your CVV2, be wary even if they present you with your real credit card numbers, since it's most likely a phishing scam to fill in the gap on a crucial piece of data they need to use your card online.

Not all merchants will ask for your CVV2, but more are requiring it. You should only give your CVV2 to merchants you trust, according to the Payment Card Industry's Security Standards Council, which is an organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to develop and manage data security compliance programs.

To make sure you're safe, however, you should ask merchants what they intend on doing with your CVV2.

Since merchants and credit card processors hold so much sensitive information, they are most vulnerable to attacks from hackers.

Such risk is why the PCI's Data Security Standard recommends that merchants not store cardholder information anywhere and forbids merchants from storing your CVV2 in print or in a database.

Storing cardholder CVV2s can result in a business losing its merchant account with the card issuer.

Therefore, you can follow in Schleupner's footsteps by refusing to hand over your CVV2, but realize that many businesses will not let you make an online or telephone purchase without it. Just prepare to shop more often in person, which is the route Schleupner decided she will likely follow from now on. If you can't live without online shopping, then just make sure you're dealing only with reputable and trusted businesses.

Reach Consuming Interests by e-mail at consuminginterests@baltsun.com or by phone at 410-332-6151.

Baltimore Sun Articles
|
|
|
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.