One of the first anti-scam measures introduce to protect the merchants against card fraud from online purchase scams is the card security code(CVC or CVC2). Introduced for the growing number of purchases where the card is not present or Card Verification Value (CVV or CVV2), allowing validation of the card number presented is the original produced by the issuer. Supplying the card security code(CSC) in a transaction is intended to verify that the customer has the card in their possession.
For “card not present” transactions merchants are forbidden from storing the CVV2 once the individual transaction is completed. The idea here is if a database of transaction data is ever compromised, without the CVV2, the stolen information has limited value for online credit frauds. The online payment gateways as part of the Payment Card Industry Data Security Standard (PCI DSS) do not allow to store the CVV2 code, therefore access to these web-based payment interfaces may provide access to complete card numbers, expiration dates, and other transaction information without the CVV2 code.
The PCI standard applies to larger merchants who store, process, and transmit cardholder information and. These merchants have the resources to develop their own credit processing solution or are credit card service providers who service smaller merchants with point of sales (POS) devices or online credit card processing web interfaces. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included where the card is presented and handled in a POS device. Some merchants may require the code for their own security standards. These are usually larger merchant chains that use this code to validate a presented card for protection against duplicated cards. Typically, these larger merchants have negotiated better rates from card payment processors based on the lower risk they represent to card issuers, who provide them the interchange services.