Using the payment card 3 digit security code in a random multi-factor environment

Impetus

Virtually every payment card has the 3 digit “security” code on the reverse side, next to the mainly obsolete signature panel. Depending on the payment system, Visa, MC etc, this is called (CVV2/CVC2/CID or CSC) – which is typical American – there is no public standard in place. Like we have in GSM/LTE mobile phone networks etc, which were invented in Europe, and copied by most of the rest of the world. Many / most websites now have provision to collect this security code and pass it on to the card issuer for verification. Why not use it to eliminate fraudulent web transactions from skimmers, etc?

[In my view this code is not necessary for repeat purchases (eg by an established Amazon customer), or airline tickets (where you will mostly be examined to death on your ID before flying) – unless you live in one of a few intelligently run countries like Germany, where if you have hand luggage only, you can walk to the gate, and scan your home printed boarding pass (or mobile phone image) at the turnstile, and get on the aircraft with no human intervention. No intelligent being is going to take a flight with a stolen card - irrespective of “ground handling” interactions, because if you use a stolen card it is an easy matter for the police to arrest you in the boarding process].

Many online bank applications use multi-factor authentication. Some of these applications require one to insert one’s debit card into a calculator, to compute a one-time random access code. The biggest source of fraud in countries that use the EMV system – ie most European and many Asian and Middle Eastern banks (cards with chips) is online shopping – ie in much of the planet aside from N. America. Why don’t the same one time code calculators offer an option to compute a 3 digit “CVV2” security code for online shopping? In other words the security code would no longer be printed on the back of the card, and would change randomly for every transaction, as calculated by the issuing bank provided calculator.

The infrastructure is already in place at the merchant end. Which allows individual banks to implement the technology without waiting for the rest of the world to accept/process this additional security.

oscarBravo

My bank "calculator" lives on my desk. I'm not always at my desk when I'm shopping online.

Impetus

oscarBravo wrote: »

My bank "calculator" lives on my desk. I'm not always at my desk when I'm shopping online.

It is up to the customer how they organise their lives. I would have thought that if the CVV2 etc code was randomly computed, there should exist an option to obtain to cards with fixed CVV2 codes as now. Or fixed CVV2 on the card that works up to a certain transaction value. CVV2 is a method of shifting liability from the bank to the cardholder. If the banks were honest about its role, it could be used for extra random security.

Maybe it should be linked to "credit limits" or monthly "spending limits" on certain cards. eg if you limit is over 10k€, you must use the calculator.

It is crazy to use a card with a limit of say €30,000 on the net - without some protection. On the Mediterranean, there are large motor boats with large tanks that have no bother gobbling up 100,000 €+ of fuel at a fill. (Some have a capacity for 400,000 litres). It is inconvenient to pay for this with cash, and you can't expect a fuel supplier at some random port to supply a large quantity of fuel on open account - to a boat that can be in another jurisdiction within a few hours. While this is a problem for the very rich, a good bank will take on board the requirements of all customers.

Basically it should be up to the cardholder to decide if they are happy with their exposure, and if not be able to ask for multi-factor authentication. Or change bank to one that does offer this service.