Card Security Codes: are they putting you at risk?

Those 3 digits on the back of your card used to be the final word in security, but crooks are increasingly getting their hands on them.

Next time you’re shopping online, chances are that you’ll be asked for your Card Security Code (CSC), otherwise known as a CVV number.

Those 3 digits on the back of the card (or four on the front for American Express) were the cutting edge of security when they were developed in the UK in 1995.

CSCs were introduced because of growing concerns that criminals were using victims’ cards for online shopping. But with the level of bank and credit card fraud reaching £2 billion, these codes risk being overtaken by technology.

November saw thousands of CSCs stolen by hackers who targeted the website of Vision Direct, with shoppers advised to change their details.

Elsewhere, lack of awareness is creating risks: Islington Council got in hot water in June for collecting CSCs by email.

In this article, we look at CSCs and how well they really protect us when shopping online.


When you need a Card Security Code

Surprisingly, online retailers don’t have to ask for a Card Security Code to charge your debit card.

Most do, however, as part of an overall effort to ensure the shopper has the physical card present. Exceptions are sometimes made for repeat purchases being delivered to the same address.

This also means that whilst sites often store credit card numbers and expiry dates, they’re not allowed to store CSCs, to ensure you need your card to hand when you use them.

Card security codes are used in online shopping (image: Shutterstock)

In the case of Vision Direct, a piece of code added to their website meant that hackers stole the code as it was being typed in, rather than from a Vision Direct database.

Once crooks have your CSC, you’re in deep trouble: just 1-2% of online transactions require extra cardholder authentication to complete the transaction.

If you’ve lost your card or your CSC has fallen into someone else’s hands, you should contact your bank immediately to cancel it.


Dynamic security codes

Just as crooks are using technology to get your Card Security Code, entrepreneurs are using technology to improve it.

In France, a card has been developed where the security code is displayed on a tiny screen on the card, and automatically refreshed every hour, although no bank has yet put the card into use.

In the UK, it’s possible to use PayPal, which stops merchants seeing your card details, but it can’t be used for physical purchases.

One potential solution is MuchBetter, a prepaid card (pictured below) and payment service provider that uses an app to make card payments more secure.

When making an online purchase, the app generates a CSC (CVV) which can only be used for that purchase, explains Jens Bader, the co-founder of MuchBetter.

“It doesn’t matter whether the merchant is storing your CVV, whether someone steals it, or somebody looks over your shoulder, because that CVV is only good for that one transaction.”

Their security goes even further, says Bader: “we don’t even know what your MuchBetter card number is… we don’t know what the 16-digit number is.”

MuchBetter generates a new CVV each time (image: MuchBetter)

Bader argues that the card and app combination, which is free, is more convenient than extra passwords: “we’re not redirecting the customers: we’re not taking them on a long journey…the customer just uses a fingerprint to open the app.”

Using either PayPal or MuchBetter, rather than a credit card, means you’ll lose out on Section 75 protection for faulty or undelivered purchases.


Big changes in 2019

Banks and regulators are acting to tackle online payment fraud. In September next year, tough new EU rules will attempt to tackle criminals.

Instead of asking for extra details on 1-2% of transactions, 25% of online purchases will now require cardholder authentication.

Authentication for online payments and account access will be based on the use of two or more different factors: something you know, such as a password; something you have, such as a phone or card; and something you are, such as a fingerprint.

Biometric cards are being trialled (image: Mastercard)

Even passwords could be on the way out, says Ajay Bhalla, president of global enterprise risk and security, at Mastercard.

“The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.

“In payments technology, this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies such as artificial intelligence. It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.”

A card that reads your fingerprint is being trialled by Mastercard in South Africa, although there is no indication of whether it will be introduced to the UK.

For now, keep your Card Security Code safe, and if you're concerned consider using other methods for your online shopping.



Copyright © lovemoney.com All rights reserved.

 
