CVV1, CVV2, CVV3: Demystifying credit card data (1/2)


[This is a series of posts dedicated to describing the card-validation code (CVC) or card-validation value (CVV) for credit cards.]

Swiping a credit card through a magnetic stripe reader is perhaps the most common way of using a plastic card for payments. At the implementation level, this involves reading the data encoded in the magnetic stripe on the back. In a pinch, when no point-of-sale terminal is present, taking an imprint of the card by pressing carbon paper over it will do. When the merchant and card-holder are not in the same place, the purchase is instead conducted by relaying the card number, expiration date, perhaps the billing address, and an additional number printed on the card dubbed CVV2. More fashionable recently are contactless payments, where the card is tapped against a reader, as in Mastercard Paypass, Visa PayWave or Discover Zip. Each of these involves a slightly different protocol, relying on different characteristics of the card data to authenticate the card.

Swipe transactions are perhaps the easiest to describe. The data encoded on the magnetic stripe is static, formatted according to ISO 7813 in three tracks, with the third one typically unused. One of the fields in this track layout is the Card Validation Code (CVC), or CVC1, which serves as a cryptographic integrity check on the track contents. Much like a message authentication code, the CVC lets the issuing bank authenticate track data when it is received. It also prevents easy fabrication of credit cards: while the rest of the track data is largely predictable given the card number, expiration date and other fields, CVC1 follows no pattern that would allow it to be derived from the other pieces without the issuer's secret key.

CVC2 serves a similar purpose but is used in conjunction with card-not-present or "CNP" transactions, such as ecommerce, where the user types card information into a web browser. While CVC1 is encoded in the magnetic stripe, CVC2 is only printed on the card itself: three digits on the back under the magnetic stripe for Visa, Mastercard and Discover, and four digits on the front for American Express. (The extra digit can be viewed as balancing out the fact that AmEx cards have 15 digits, one less than other major brands.) PCI standards impose stringent constraints on the handling of CVC2. For example, while card numbers, expiration dates and billing addresses can be saved for future use to simplify later transactions, CVC2 may not be stored by the merchant once the transaction has been authorized. It is only intended for demonstrating, during the purchase, that the buyer has the physical card in hand.

CVC2 and CVC1 are by design incompatible. It is not possible to use CVC1 for making a purchase online, or to encode CVC2 into a magnetic stripe for a successful swipe transaction. This has important ramifications for managing the risk from theft of payment information: it effectively creates a "firewall" between online and in-store fraud. Suppose a waiter has taken to swiping all customer credit cards through his very own mag-stripe reader to save a copy of the track data. The resulting cache of contraband information can be used to forge additional cards and make in-store payments, compliments of unsuspecting diners. But unless our enterprising waiter also remembered to write down or photograph the CVC2 from those cards, they cannot be used for any online purchase where the merchant collects CVC2 and has the issuer verify it. (Surprisingly, some leading retailers including Amazon do not require CVC2, so this turns out not to be a major impediment for the aspiring criminal.) Going in the other direction, when yet another website processing credit cards suffers a data breach, the spoils can be used for additional online, mail-order or phone-order transactions. But they are not useful for minting actual plastic cards with a valid magnetic stripe for use at an old-fashioned bricks-and-mortar store, due to the absence of CVC1.
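As an added illustration of the track layout described above and of the CVC1/CVC2 separation (example code written for this page, not code from the original post or from any card network), the following Python parses ISO 7813 track 1 and track 2 data and models the issuer-side check. It assumes HMAC-SHA256 in place of the issuer's actual DES-based CVC algorithm, a fixed service code of "000" as the input that distinguishes CVC2 from CVC1, CVC1 occupying the last three digits of the discretionary field, and a constructed issuer key and test card; none of those details come from the post.

```python
"""ISO 7813 track parsing plus a model of the issuer-side CVC1 / CVC2 check.

Added illustration, not code from the original post. HMAC-SHA256 stands in for the
issuer's proprietary CVC algorithm; a fixed service code "000" in the CVC2 input
(CVC1 uses the service code on the stripe) is an assumption made to model the
"incompatible by design" behaviour. Key and card data are constructed test values.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                       r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

ISSUER_KEY = b"demo-cvk-not-a-real-issuer-key"  # constructed: secret key held only by the issuer
CVC2_SERVICE_CODE = "000"                        # assumption: what makes CVC2 differ from CVC1


@dataclass
class TrackData:
    pan: str
    expiry: str           # YYMM
    service_code: str
    discretionary: str
    name: str = ""        # track 1 only


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation of the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Parse a track 1 or track 2 string; reject malformed data or a bad PAN."""
    m = TRACK1_RE.match(raw)
    if m:
        td = TrackData(m["pan"], m["exp"], m["svc"], m["disc"], m["name"])
    else:
        m = TRACK2_RE.match(raw)
        if m is None:
            raise ValueError("not ISO 7813 track 1 or track 2 data")
        td = TrackData(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(td.pan):
        raise ValueError("PAN fails Luhn check")
    return td


def compute_cvc(key: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Keyed MAC over PAN, expiry and service code, decimalised to 3 digits.
    Without `key` the value cannot be recomputed from the other fields."""
    mac = hmac.new(key, (pan + expiry + service_code).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac, 'big') % 1000:03d}"


def mint_card(key: bytes, pan: str, expiry: str, service_code: str) -> Tuple[str, str]:
    """Issuer: track 2 encoding with CVC1 in the discretionary field, plus the
    separately derived CVC2 that is printed on the card."""
    cvc1 = compute_cvc(key, pan, expiry, service_code)
    track2 = f";{pan}={expiry}{service_code}0000{cvc1}?"  # assumption: CVC1 = last 3 discretionary digits
    return track2, compute_cvc(key, pan, expiry, CVC2_SERVICE_CODE)


def authorize_swipe(key: bytes, raw_track: str) -> bool:
    """Card-present check: recompute CVC1 from the track fields and compare."""
    td = parse_track(raw_track)
    expected = compute_cvc(key, td.pan, td.expiry, td.service_code)
    return hmac.compare_digest(td.discretionary[-3:], expected)


def authorize_cnp(key: bytes, pan: str, expiry: str, cvc2: str) -> bool:
    """Card-not-present check: recompute CVC2 and compare."""
    return hmac.compare_digest(cvc2, compute_cvc(key, pan, expiry, CVC2_SERVICE_CODE))


def demo() -> Dict[str, bool]:
    """The 'firewall' between skimmed stripe data and breached web-order data."""
    pan, expiry, svc = "4111111111111111", "2512", "101"  # constructed test card
    track2, cvc2 = mint_card(ISSUER_KEY, pan, expiry, svc)
    cvc1 = parse_track(track2).discretionary[-3:]
    return {
        # a faithful copy of the skimmed stripe is accepted in-store ...
        "cloned_stripe_accepted": authorize_swipe(ISSUER_KEY, track2),
        # ... but the skimmer never saw CVC2, so CVC1 typed into a web form fails
        # (barring a 1-in-1000 coincidence of the two values in this model)
        "cvc1_as_cvc2_accepted": authorize_cnp(ISSUER_KEY, pan, expiry, cvc1),
        # breached web-order data holds CVC2; writing it onto a stripe fails the CVC1 check
        "cvc2_on_stripe_accepted": authorize_swipe(ISSUER_KEY, f";{pan}={expiry}{svc}0000{cvc2}?"),
        # any edit to an authenticated field (here the expiry) also invalidates the stripe
        "tampered_stripe_accepted": authorize_swipe(ISSUER_KEY, f";{pan}=2712{svc}0000{cvc1}?"),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The point the model makes concrete is that the verifier never trusts the stripe's own CVC field: it recomputes the value under the issuer key from the other fields, so a merchant or processor that leaks track data leaks only per-card CVC values, never the ability to mint new ones.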

Updated: 12.18.13 to correct CVC1 / CVC2 mix-up in last paragraph

[continued]

CP

9 thoughts on “CVV1, CVV2, CVV3: Demystifying credit card data (1/2)”

  1. If this is correct, “CVC1 is encoded in the magnetic stripe.” and
    “CVC2 is only printed on the card itself.”,

    then, this must be a typo: “It is not possible to use the CVC2 for making a purchase online”. The number printed on the back of the card is used all the time to make purchases online.

    My question is, does the magnetic stripe “CVC” number (which was stolen this month from Target shoppers) change when you get a new MasterCard or VISA credit or debit card (i.e., when an older card expires)?

    • Thank you for catching that. You are absolutely right– CVC1 and CVC2 were mixed up in that paragraph; it is corrected now.

      Yes, the CVC1 number does change on a new card. In fact, most issuers will compute CVC1 as a function of the credit-card number and expiration date, using a secret key held by that issuer. When the card number or expiration changes– true for a new card– the CVC1/2 will be recalculated anew. (Granted there is a small probability the new value will be the same as the old one by coincidence.)

  2. The system would be more secure if credit card issuers would vary the interval between expiration dates. Anyone could guess that my new expiration date is two years hence and simply plug that info into the formula for CVC1 or CVC2 to get my new CVC codes.

    • The saving grace is that the formula for computing CVC1/CVC2 also includes a secret key only known to the issuer of the card– in other words, the bank sponsoring the card. So even if someone had the full card number, expiration date and other fields, they could not compute the correct CVC.

      The key is unique to a batch of cards, e.g. the platinum cards versus rewards cards will have different ones. And it’s never made available to merchants or intermediate payment processors; no matter how incompetent Target and their suppliers may be, they cannot leak these keys. They can only cause the loss of individual CVCs, one card at a time.

  3. Thank you very much for this detailed post and making clear the differences between CVC1 and CVC2.

    You already touched that topic a little bit but I am still wondering:
    Would it be possible for fraudsters to create a working copy of my credit card if they only have my name, card number, expiration date and the PIN (e.g. because somebody got access to my computer and my password database, where this information was stored)? Or in other words: is there a chance that there are ATMs somewhere that would allow cash withdrawal although the credit card copy does not have the correct CVC1 (or no CVC1 at all)?

    I am asking because I recently became a victim of card fraud, as somebody managed to withdraw cash from an ATM in Belize (and I am from Germany, by the way).
    So there are just two possibilities for how that could have happened: either the card data has been skimmed or somebody got access to my computer. And I would like to rule out the latter.

    I would be happy if you could share your thoughts.

    Regards!

    • Short answer is no.
      ATMs read the magnetic stripe on the card, or when available interface with the chip, to authenticate the card as being a legitimate payment instrument.
      Unless you used a mag-stripe reader to scan the contents of your card and stored that raw information on your computer, they would not be able to create a working clone based on information stolen from that machine.
