Card Security Codes: are they putting you at risk?

Those 3 digits on the back of your card used to be the final word in security, but crooks are increasingly getting their hands on them.

Sam Richardson

Updated on 15 January 2019

Next time you’re shopping online, chances are that you’ll be asked for your Card Security Code (CSC), otherwise known as a CVV number.

Those 3 digits on the back of the card (or four on the front for American Express) were the cutting edge of security when they were developed in the UK in 1995.

CSCs were introduced because of growing concerns that criminals were using victims’ cards for online shopping. But with the level of bank and credit card fraud reaching £2 billion, these codes risk being overtaken by technology.

November saw thousands of CSCs stolen by hackers who targeted the website of Vision Direct, with shoppers advised to change their details.

Elsewhere, lack of awareness is creating risks: Islington Council got in hot water in June for collecting CSCs by email.

In this article, we look at CSCs and how well they really protect us when shopping online.

When you need a Card Security Code

Surprisingly, online retailers don’t have to ask for a Card Security Code to charge your debit card.

Most do, however, as part of an overall effort to ensure the shopper has the physical card present. Exceptions are sometimes made for repeat purchases being delivered to the same address.

This also means that whilst sites often store credit card numbers and expiry dates, they’re not allowed to store CSCs, so that you need your card to hand each time you pay.

Card security codes are used in online shopping (image: Shutterstock)

In the case of Vision Direct, a piece of code added to their website meant that hackers stole the code as it was being typed in, rather than from a Vision Direct database.

Once crooks have your CSC, you’re in deep trouble: just 1-2% of online transactions require extra cardholder authentication to complete the transaction.

If you’ve lost your card or your CSC has fallen into someone else’s hands, you should contact your bank immediately to cancel it.

Dynamic security codes

Just as crooks are using technology to get your Card Security Code, entrepreneurs are using technology to improve it.

In France, a card has been developed where the security code is displayed on a tiny screen on the card, and automatically refreshed every hour, although no bank has yet put the card into use.

In the UK, it’s possible to use PayPal, which stops merchants seeing your card details, but it can’t be used for physical purchases.

One potential solution is MuchBetter, a prepaid card (pictured below) and payment service provider that uses an app to make card payments more secure.

When making an online purchase, the app generates a CSC (CVV) which can only be used for that purchase, explains Jens Bader, the co-founder of MuchBetter.

“It doesn’t matter whether the merchant is storing your CVV, whether someone steals it, or somebody looks over your shoulder, because that CVV is only good for that one transaction.”

Their security goes even further, says Bader: “we don’t even know what your MuchBetter card number is… we don’t know what the 16-digit number is.”

MuchBetter generates a new CVV each time (image: MuchBetter)

Bader argues that the card and app combination, which is free, is more convenient than extra passwords: “we’re not redirecting the customers: we’re not taking them on a long journey…the customer just uses a fingerprint to open the app.”
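To make the two dynamic schemes above concrete (the hourly card display and the app's one-purchase code), here is an added example that is not code from the article, the French card maker or MuchBetter. It assumes a secret key shared between card or app and issuer, and uses HMAC with RFC 4226-style truncation as a stand-in construction; the `Issuer` class, the demo key and the nonce are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 3600  # hourly refresh, as described for the French card


def _truncate(mac: bytes, digits: int) -> str:
    # RFC 4226-style dynamic truncation of an HMAC to a short decimal code.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hourly_code(key: bytes, unix_time: int, digits: int = 3) -> str:
    # Code for the card's screen: depends only on the key and the current hour.
    counter = struct.pack(">Q", unix_time // WINDOW_SECONDS)
    return _truncate(hmac.new(key, counter, hashlib.sha256).digest(), digits)


def purchase_code(key: bytes, merchant: str, pence: int, nonce: bytes,
                  digits: int = 3) -> str:
    # Code from the app: bound to one merchant, one amount and one nonce.
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")  # fixed length keeps the encoding unambiguous
    msg = nonce + struct.pack(">Q", pence) + merchant.encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)


class Issuer:
    # Issuer-side checks (hypothetical): hourly window and single-use purchases.
    def __init__(self, key: bytes):
        self._key = key
        self._spent = set()

    def verify_hourly(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(hourly_code(self._key, unix_time), code)

    def verify_purchase(self, code: str, merchant: str, pence: int,
                        nonce: bytes) -> bool:
        if nonce in self._spent:
            return False  # replay of a code that was already used
        if not hmac.compare_digest(purchase_code(self._key, merchant, pence, nonce), code):
            return False
        self._spent.add(nonce)
        return True


KEY = bytes(range(32))  # constructed demo key
NONCE = bytes(16)       # constructed nonce; a real one would be random per purchase
```

A three-digit code has only 1,000 possible values, so a verifier built this way also has to limit the number of guesses per card.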

Using either PayPal or MuchBetter, rather than a credit card, means you’ll lose out on Section 75 protection for faulty or undelivered purchases.

Big changes in 2019

Banks and regulators are acting to tackle online payment fraud. In September next year, tough new EU rules will attempt to tackle criminals.

Instead of asking for extra details on 1-2% of transactions, 25% of online purchases will now require cardholder authentication.

Authentication for online payments and account access will be based on the use of two or more different factors: something you know, such as a password; something you have, such as a phone or card; and something you are, such as a fingerprint.

Biometric cards are being trialled (image: Mastercard)

Even passwords could be on the way out, says Ajay Bhalla, president of global enterprise risk and security at Mastercard.

“The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.

“In payments technology, this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies such as artificial intelligence. It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.”

A card that reads your fingerprint is being trialled by Mastercard in South Africa, although there is no indication of whether it will be introduced to the UK.

For now, keep your Card Security Code safe and, if you're concerned, consider using other methods for your online shopping.
