The Finch Formerly Known As Gold

11 April 2006

Code comfort

All your major credit cards carry a Card Security Code, which is usually three digits tucked away on the back. (American Express, always different, has four digits on the front.) Last year our friendly Web host explained why they weren't much good:

The problem is, about 99.9% of all stolen credit cards used for purchasing things (like say, Web Hosting!) online are gleaned through the use of "phishing" scams. Those spams you get that claim to be from Paypal or Ebay or Wells Fargo or Bank of America. And, the Nigerians and Vietnamese not being total buffoons, they ask for the CSC code for your credit card too! So basically, anybody signing up for stuff online with a stolen credit card is either going to have the physical card (and therefore the CSC code), or will have the CSC code (and therefore have the CSC code).

In theory, using the CSC codes will stop that oh-so-popular case of credit card fraud where somebody goes searching through a trash can for receipts with people's credit card numbers on it. Except, in practice these days just about all stores mark out the first 12 digits of your credit card number on their receipts.

In theory, using the CSC codes will stop that even-more-so-popular case of credit card fraud where somebody "hacks" into a merchant's database of stored credit card numbers and compromises a bajillion cards all at once. Despite this being a very infrequent event compared to phishing scams, even when this does CSC codes don't help at all.

Why not? Well, think about it. Why is a merchant keeping all these bajillion cards in the first place? The only good reason is to be able to automatically rebill your credit card without you re-entering it every time. And that implies that they either don't need to use your CSC code to charge your card (which is true ... they're optional), or else they also have to store your CSC code ... so it'll get stolen too!

Except that "optional" is no longer an option:

The reason we're now requiring CSC codes on all credit card transactions on our site is actually pretty simple ... Discover required us to!

And I suspect the Other Guys will follow in short order.

Does this mean they'll invent a new code, perhaps on the edge of the card?

Posted at 9:10 AM to Common Cents


My employer does not collect CSC-CVV-whatever else they call it on credit card transactions, for a simple reason: we bill customers monthly, so we store the credit card numbers ourselves (securely). Credit card regulations forbid us from storing these security codes for longer than it takes to complete a single transaction, so since we can't store them, we don't collect them.

We haven't had a transaction refused yet because of it.

Posted by: Matt at 2:19 PM on 11 April 2006

We haven't been collecting them at 42nd and Treadmill, though I have a feeling we're going to start, since we're installing a new credit-card system.

(We don't bill anyone on a cycle, so the number disappears off our server once it's processed.)

Posted by: CGHill at 3:55 PM on 11 April 2006

Anyone who answers one of these phishing emails is an idiot who doesn't belong on the internet. All they have to do is to hold the mouse cursor over the link in the email that asks them to sign in and they can see that it's not in fact from a real Paypal or whatever website. Of course, this is assuming they know how to read a url. Sometimes I wish computers were still a limited pastime of big-brained geeks. At least I'd get more mileage out of my typewriter collection.

Posted by: Andrea Harris at 6:59 PM on 12 April 2006

While I agree on "idiot," I've seen cases where the phisher actually hung a TITLE statement inside the link, which (in Outlook Express, anyway) puts the fake URL on the status line, which means that holding the cursor over the link will not reveal the fakery.

Posted by: CGHill at 7:16 PM on 12 April 2006