11 April 2006
All your major credit cards carry a Card Security Code, which is usually three digits tucked away on the back. (American Express, always different, has four digits on the front.) Last year our friendly Web host explained why they weren't much good:
The problem is, about 99.9% of all stolen credit cards used for purchasing things (like say, Web Hosting!) online are gleaned through the use of "phishing" scams. Those spams you get that claim to be from Paypal or Ebay or Wells Fargo or Bank of America. And, the Nigerians and Vietnamese not being total buffoons, they ask for the CSC code for your credit card too! So basically, anybody signing up for stuff online with a stolen credit card is either going to have the physical card (and therefore the CSC code), or will have the CSC code (and therefore have the CSC code).
In theory, using the CSC codes will stop that oh-so-popular case of credit card fraud where somebody goes searching through a trash can for receipts with people’s credit card numbers on it. Except, in practice these days just about all stores mark out the first 12 digits of your credit card number on their receipts.
In theory, using the CSC codes will stop that even-more-so-popular case of credit card fraud where somebody "hacks" into a merchant's database of stored credit card numbers and compromises a bajillion cards all at once. Despite this being a very infrequent event compared to phishing scams, even when this does CSC codes don't help at all.
Why not? Well, think about it. Why is a merchant keeping all these bajillion cards in the first place? The only good reason is to be able to automatically rebill your credit card without you re-entering it every time. And that implies that they either don't need to use your CSC code to charge your card (which is true ... they're optional), or else they also have to store your CSC code ... so it'll get stolen too!
Except that "optional" is no longer an option:
The reason we're now requiring CSC codes on all credit card transactions on our site is actually pretty simple ... Discover required us to!
And I suspect the Other Guys will follow in short order.
Does this mean they'll invent a new code, perhaps on the edge of the card?Posted at 9:10 AM to Common Cents