home of the madduck/ blog/
Credit card verification codes

There once was a credit card number tied to a name and when it was abused, the credit card company decided to tie it to an expiration date. It didn't take long until gifted hackers found out that twelve months and an average life cycle length of two years required them to check each credit card number against the 24 possible expiration date month-year pairs, so the credit card companies also required the billing address to match (at least fuzzily). Unfortunately, many of the companies accepting and storing credit card data are run by clueless people and the data sets of names, numbers, expiration dates, and billing addresses leaked, causing even more organised abuse. The credit card companies did not like that and proceeded to invest tiny amounts of additional energy and manpower into improving the status quo.

So then, one day, in the dungeons of the credit card company offices, a bright young graduate from one of the American elite colleges yelled "heureka" [*]_ and outlined how to secure credit cards with the "credit card verification code" (CVC), printed on the back of each card — printed, not stamped like the number. Maybe his/her theory was that the stamped number could be read from both sides, so a printed CVC would only be readable from one side of the card, bringing instantaneous 200% security increase. Maybe it was some other theory.

In any case, the companies readily adopted the CVC and by today, every web form will ask you to also enter the CVC. They'll probably store and leak it too.

What's next? Credit card colour?

NP: OSI / Free

Update: Andrew Pollock points me to the Wikipedia article on CVC as good reading. Indeed, the article explains security benefits in face-to-face transactions and in the socalled "card not present" situations, like ordering over the Internet. Apparently the CVC must not be stored, so in some ways they have learnt from the past. I know of at least one merchant in the US who stores the CVC in my profile though.

Update: Mark Brown adds: "The CVC is being used because it defeats attacks like taking a photo of a card with a mobile phone: it makes it usefully harder (not impossible) for people to transparently clone cards." This squares with the Wikipedia article.