CSC - what is it? About the technology, its functions and features

2024 Author: Howard Calhoun | [email protected]. Last modified: 2023-12-17 10:16

Paying for goods or services via the Internet can cause difficulties for inexperienced users. For example, to complete a purchase, the site usually prompts you to enter payment card details for cashless payments: card number, expiration date, holder's first and last name, and CVV/CVC code. If the first points are more or less clear, then the last requirement can confuse many and take a lot of time to figure it out. This article will help you understand and answer questions such as CSC - what is this code, where to find it, and what is it for.

About technology

CSC (Card Security Code - "card security code") - a protective mechanism designed to prevent fraud with bank cards. There are also other related designations of this term: CVD, CVV, CVC, SPC and V-code. CSC is intended for use in cases where the card cannot be physically presented - for online payments. Technology owes its appearance tolight to British Equifax employee Michael Stone. Initially, the code was a combination of 11 letters and numbers. Subsequently, private agencies and banks came to understand that CSC is the harbinger of a new era of information security. The code has been finalized and received its modern form, consisting of 3 digits. In the wake of booming e-commerce at the end of the 20th century, this technology was quickly picked up by the leading payment systems - MasterCard, Visa and American Express.

There are several types of secret code:

• CVC1 or CVV1 - an encrypted combination of characters, the physical location of which is a magnetic stripe on the back of the card. Used for offline card payments. The code is recognized by the payment device during the purchase process and sent for verification to the authentication server of the issuing bank. Such protection is bypassed by making a duplicate payment card and copying the magnetic tape.
• CVV2 or CVC2. Designed to protect the buyer during transactions over the Internet. It is the most advanced verification method. In some European countries, payment systems require merchants and businesses to verify this code when making online transactions.
• iCVV or dynamic CVV. Used for contactless payment.

CSC - what is it? Mastercard and Visa

In its use and location, the card security code is completely the same for both payment systems, except for the name. CSC on Visa cardis called CVV2, for Mastercard cards - CVC2. The digital combination of the code is located on the reverse side of the card, in the zone of the holder's signature strip or near it. This location makes it difficult for attackers to spy on the numbers to steal money in public places or from a video. The methods of applying the CSC code and the card number differ: for a security combination, an identification seal or embossing is used. This security element may not be physically present on the card at all, but it can be generated when it is issued. This option is inherent in virtual cards or primary-class plastic: Visa Electron, Mastercard Maestro and others.

Security code in other payment systems

There are other variations of CVC:

• CID (Card Identification Number - "card identification number") - on American Express payment instruments. It has a key distinguishing feature: a 4-digit security code is located above the card number on the right side of the front side.
• CVD (Card Verification Data - "card verification data") - a security element of American Discover credit cards.
• CVE (Elo Verification Code). Security combination of numbers on Brazilian debit and credit cards.
• CVN2 (Card Validation Number - "card confirmation number") - the security code on the cards of the Chinese payment system Union Pay.

How reliable is this mechanism?

Issuing banks prohibit trading and servicecompanies to store in the database the CSC passwords obtained during the transaction. This increases the security of payment card holders: in the event of hacking and theft of data from the company's servers, compromised client card data is practically useless without a security code. Despite this, in favor of the fact that CSC is far from the most secure mechanism, there is the following evidence:

• Powerless over phishing links. The security code cannot prevent data theft when a user is tricked into going to a fake payment page created by scammers. Typically, the interface of such a resource is indistinguishable or as close as possible to the content of a regular page, which misleads the buyer and prompts him to enter payment card data, including CSC. Thus, attackers have full access to card information, allowing illegal transactions.
• Optional input. Some online marketplaces do not require buyers to provide CSC. This plays into the hands of attackers who only know the compromised data from the front of the card: the number and expiration date.
• Hacking. There are cases when scammers guessed a short three-digit CSC through hacker tricks and organized DDoS attacks.

What other card security technologies are there?

As you can see from the previous paragraph, the CVC mechanism has flaws that threaten the security of bank card holders. Payment systems have taken into account that CSC is a technology that hasserious shortcomings, and introduced a system of additional protection for payment cards called 3D-Secure. This mechanism adds a step to the online transaction process - user authentication on the server of the issuing bank. It may include entering a permanent code, a dynamically generated combination of numbers from an SMS message, or using a password from a list of keys.