To begin, A CVV number is an acronym for Card Verification Value, and this is one of the original card security features that helps avoid high-risk merchant account fraud.
In this article, you will learn more about CVV codes and how they work.
What is a CVV code?
CVV stands for “card verification value,” which serves as an additional security feature when you’re making “card-not-present” purchases, like over the internet or phone.
It is an anti-fraud security feature to help verify that you are in possession of your credit card. For Visa/Mastercard, the three-digit CVV number is printed on the signature panel on the back of the card immediately after the card’s account number. For American Express, however, the four-digit CVV number is printed on the front of the card just above the card account number.
Nowadays, it is possible to easily get the card details of someone else. For example, CCTV cameras are in operation in almost every shop following you until payment at cashiers. This is one of the reasons why the CVV code is located on the back of your payment card.
What is the difference between a CVV code and a CVC code?
In a nutshell, CVV codes and CVC codes are technically the same. CVV or card verification value and CVC or card verification code are both anti-fraud measures used when you’re making purchases where you aren’t required to enter a PIN or sign a receipt.
They are only referred to differently depending on your credit card network or credit card company. For example, Mastercard calls the code CVC2, American Express refers to it as CID, Discover calls their code CID2, and Visa has dubbed it CVV2.
Despite these different names, the codes all serve the same function and are used as a standardized security measure. In the case of ‘contactless’ cards, there is generally a chip involved which supplies its own electronically generated series of codes. They are called Dynamic CVV or iCVV.
How to find CVV code without card?
You cannot. The CVV (Card Verification Value) was designed to ensure that when you are making a non-face-to-face transaction, the person providing the account number over the phone or internet actually has the card in their possession and is the cardholder.
CVV was developed as an authentication method to ensure that the person calling by phone or using the Internet has the card. If you cannot provide the CVV value, then it is presumed you do not have the card in your possession and it’s possible you’re a fraud.
Keep in mind that banks would never give out this information. Merchants and their banks and processors are prohibited by Visa and MasterCard rules from storing the CVV value in their files. That protects you in case there is a data breach and account numbers are stolen, at least the CVV value is not available.
This is the reason why when shopping at a store you frequent, the account details and address are already pre-populated, but your CVV will always be left blank.
This is all for consumer protection. Building consumer confidence is one of the biggest ways to earn loyal customers, and bringing in more sales.
How to bypass CVV codes
According to an article from Naked Security by SOPHOS, researchers at Newcastle University in the UK recently decided to see just how effectively they could try guessing CVVs.
The initial findings were encouraging because just after a few guesses on the same website, they would end up being locked out of the site and unable to go any further.
The next thing they tried was the thing called a distributed attack where they use a program to submit payment requests automatically to lots of websites at the same time.
If each website gives you five guesses, then with 200 simultaneous guesses on a range of different websites, you can get through 1000 guesses (200 × 5) in quick order without triggering a block on any of the sites.
And with 1000 guesses, you can cover all CVV code possibilities from 000 to 999, stopping when you succeeded.
Then you can go to the 201st site and order just about whatever you like, because you’ve “solved” the CVV without ever actually seeing the victim’s card.
In other words, you’d expect the payment processor’s back-end servers to keep track not just of the number of CVV guesses from each site, but the total number of guesses since your last successful purchase from any site.
According to Newcastle University, Mastercard stopped this sort of distributed guessing, but Visa did not.
Considering how much credit card fraud happens without any need for CVV-guessing tricks like this, we don’t think this is a signal to give up online purchases entirely especially during this time of the pandemic.
After all, if any of the sites or services you used recently kept your CVV, even if only to write it down temporarily while processing your transaction, you’re exposed anyway, so CVVs aren’t a significant barrier to determining frauds.
And if you’ve ever put your card details into a hacked or fraudulent website, even or perhaps especially if the transaction was never finalized, then the scammers probably already have everything they need to clone your card.
The good thing is that card networks and other eCommerce governing bodies continue to come up with other security features that help avoid fraud. One effective example is setting up a 3D Secure code, on top of the CVV. This makes sure that even though the fraudster has all your credit card details, they won’t be able to get ahold of your 3D Secure code, as it is a one-time expiring PIN sent via text or email to the card owner.
Both merchants and consumers will benefit greatly from protecting their CVV data, and learning what 3D Secure is.