Stephen Wilson - Lockstep Consulting - Sydney 18 October, 2008, 04:35 0 likes

"What good is the CVV number?  Who says this is any proof whatsoever that you have your card in your posission?  Sure its on the back of your card, and not raised, so in the old 'roller' machines which took imprints of your card, it's not left on the counterfoil."

Eactly right.  The CVV made sense at first because dumpster diving was the main way to steal personal IDs, and the CVV was hard to obtain.  But now that it is commonly collected online and saved god-knows-where, it is no harder for crooks to obtain that the PAN.  We might as well move to 19 digital credit card numbers!

Stephen Wilson.

A Finextra member 20 October, 2008, 14:38 0 likes

Just for the record, merchants are specifically required NOT to store the CVV, and neither for that matter are the card issuers. 

However, I don't suppose it matters much if you have merchants who think they are to big for the rules to apply to them. 

Stephen Wilson - Lockstep Consulting - Sydney 21 October, 2008, 01:19 0 likes

"Merchants are specifically required NOT to store the CVV"

Indeed, but what a multitude of issues lies beneath the surface!

- Collecting the CVV and them discarding it, is non trivial, as anyone in IT knows.

- The CVV is cached at multiple steps along the way.  The merchant needs to transmit it to the gateway: where does the CVV end up, and who is responsible for its safekeeping? Who can say it's been discarded?

- PCI compliant systems need to be carefully designed, carefully installed and carefully maintained, if they are to keep the solemn promise of discarding the CVV. 

- Above all, CVVs are valuable on the black market.  Therefore there is a profit incentive for insiders to sell them.  You can have a merchant that is PCI compliant up to the hilt, but is still leaking CVVs like a sieve because corrupt employees are selling them on.

It all points to the futility of using any ID data alone (CVV2, billing address etc.) to authenticate a card holder.  ID data, when it is replayable in CNP transactions, is immensely valuable.  It is the very value of naked ID data that makes PCI compliance ultimately of very marginal benefit. 

Sadly, every SME running an online business and taking credit cards is on the hook for PCI, requiring crazy levels of security and audit, when all it takes is one corrupt insider with access to a large volume system to siphon off a million cardholder records.

Cheers,

Stephen Wilson, Lockstep.

A Finextra member 06 November, 2008, 16:27 0 likes

In the dim and distant, we used to call it "good practice".  Now, apparently, it is no longer "good practice" it's "PCI:DSS compliant", and that makes it all hard work and too much effort.

The standards only require that bits of info are not retained longer than necessary for the completeion of the transaction - what in the past was good practice.  Even the issuers don't store the CVV, so why would retailers EVER believe that they should.  There is no issue (usually) about the CVV sitting dormant until overwritten by the one in the next transaction.  The problem arises when the designers and programmers decide that it would be a good idea to store the whole transaction "just in case".  If they just stored the bits that would be required to resolve cardholder queries, there would be no issue.  But ... they don't they store the lot!

A transaction system employing "good practice" principles will pass PCI:DSS every time.