Card-based transactions, such as credit and debit card transactions, have certain security vulnerabilities. In order to complete a card-based transaction using, for example, a credit card, a user must provide a primary account number (PAN) and a verification value, which may be referred to as a Card Verification Value (CVV or CV2), Card Verification Code (CVC) or Card Security Code (CSC). As described herein, the terms CVV, CVC and CSC may be used interchangeably. A credit or debit card typically carries two card verification values. The first card verification value (CVV) is encoded into the magnetic stripe on the card. The second CVV is printed on the front or back of the card, typically in human-readable characters.
The first card verification value (CVV), which is typically encoded into the magnetic stripe (“magstripe”) of the card, is generally used to conduct “card present” transactions, e.g., when the user presents the card in person and the magstripe on the card is swiped or read by a card reader to obtain the card data, including the CVV, to complete a transaction. The CVV encoded on the magnetic stripe of the card is typically referred to as CVC1 or CVV1, and is a unique cryptogram which is generated based on card data and an encryption key. In a “card present” transaction, the user's card is swiped, or read, by a magnetic stripe reader, which may be a POS terminal, as an example. Information from the magstripe, including the account number, expiration date and CVV1, is sent over a network to an authenticating system, for example, the financial institution or merchant that issued the card, where the CVV is verified as a step in authorizing the transaction.
The security of the CVV encoded on the magstripe can be compromised in a number of ways. The card may be obtained from the user, and the magstripe, including the encoded CVV1, can be easily read by a card reader and the data used to create a duplicate “cloned” or counterfeited card. Cardholders routinely hand over their cards in stores and restaurants, or use them in automated point-of-sale systems such as gas pumps. For example, an attacker may mount a very small “skimmer” on a card reader used by a legitimate merchant or retailer, or on a card reader on a gas pump, unbeknownst to the merchant, retailer or gas pump operator. The small “skimmer” acts as a secondary card reader to read and record the data, which may include the primary account number (PAN) or bankcard number and the card validation code (CVV) or card security code (CSC), from the card's magstripe during a legitimate transaction. The attacker retrieves the “skimmed” card information, which can then be used to create a counterfeit card. The attacker, by transferring the skimmed information to the magstripe of a counterfeit card, may clone the user's card without any need to decrypt the skimmed information, because the magstripe data is static and is replayed exactly as recorded.
The second card verification code, known as a CVV2 or CVC2, is typically a three-digit or four-digit value and is printed on the card or signature strip, but not encoded into the magnetic stripe. Supplying or requiring the CVV2 code in a transaction is intended to verify that the customer has the card in their possession. For example, when the transaction is a “card not present” transaction, where the card cannot be swiped to obtain the encoded CVV1, such as an on-line or telephone transaction, the CVV2 code can be entered through a keypad or provided verbally to confirm that the person conducting the transaction is in possession of the card, or at least has knowledge of the card verification code. Alternatively, the CVV2 code may be required for a “card present” transaction in addition to the CVV1 read from the card's magstripe, as a supplemental verification that the card presented is an authentic card and not a counterfeit card produced from skimmed data.
For MasterCard™, Visa™, Diners Club™ and Discover™ credit and debit cards the second card verification code is typically a three-digit code, called the “CVC2” (card validation code), “CVV2” (card verification value), and “CVV,” respectively. The CVV is not embossed like the card account number, and is typically the final group of numbers printed on the back signature panel of the card. The CVV value may also appear in a separate panel to the right of the signature strip, to prevent overwriting the CVV value when signing the card. American Express™ cards have a four-digit code printed on the front side of the card above the number, referred to as the CID (Card Identification Number or Unique Card Code). The CID is printed flat, not embossed like the card account number.
Credit and debit cards have a common numbering scheme for the card number, which is the primary account number (PAN). The PAN includes a single-digit Major Industry Identifier (MII), a six-digit Issuer Identification Number (IIN), an account number, and a single check digit calculated using an algorithm which is typically the Luhn algorithm. The MII is considered to be part of the IIN. The PAN is typically embossed on the front surface of the credit/debit card.
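As an added example, not part of the original description, the following Python code shows the PAN structure described above (MII, six-digit IIN, account number, Luhn check digit) and the Luhn check itself, which is the only integrity control a merchant can apply to a keyed-in PAN before sending it to the authenticating system. The `mask_pan` helper is an assumption added here to illustrate that systems handling card data should retain only the IIN and last four digits in logs; the test numbers used are constructed, Luhn-valid values, not real accounts.

```python
def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: starting from the rightmost digit, every second
    digit is doubled and digits above 9 are reduced by 9."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """A PAN is Luhn-valid when its weighted sum is a multiple of 10.
    This detects mistyped or transposed digits, not fraud."""
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial_pan: str) -> int:
    """Compute the check digit an issuer would append to a partial PAN."""
    return (10 - luhn_sum(partial_pan + "0") % 10) % 10


def parse_pan(pan: str) -> dict:
    """Split a PAN into the fields named in the description: a one-digit MII
    (which is also the first digit of the IIN), a six-digit IIN, the
    account number, and the trailing check digit."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    if len(pan) < 8:
        raise ValueError("PAN too short to contain IIN, account number and check digit")
    return {
        "mii": pan[0],
        "iin": pan[:6],
        "account": pan[6:-1],
        "check_digit": pan[-1],
    }


def mask_pan(pan: str) -> str:
    """Assumed helper: keep only the IIN and the last four digits so a
    logged value cannot be replayed as a full account number."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Constructed, Luhn-valid test value (not a real account).
    sample = "4111111111111111"
    print(parse_pan(sample))
    print(mask_pan(sample))
    print(luhn_check_digit("7992739871"))
```

Note that a Luhn-valid PAN says nothing about whether the card is genuine or the transaction authorized; it only catches entry errors before the request reaches the issuer, which is where the CVV1 or CVV2 is actually verified.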
Cardholders are subject to attacks from many directions, such as “phishing” attacks, where the cardholder is tricked into entering the PAN and/or CVV2 with other card details into a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CVV2 as an anti-fraud device. A typical credit or debit card is valid for several years, during which time the embossed PAN, magstripe data and printed CVV do not change. The static nature of the magstripe data on a credit or debit card, and the use of a static PAN and CVV, complicate fraud prevention. If an attacker obtains the static card data, including the PAN and/or CVV, the attacker can readily use the card to complete transactions without detection until the legitimate cardholder reviews a billing statement, exceeds a credit limit or commits an overdraft, or the attacker's illegitimate transactions trigger a fraud detection pattern, resulting in notification to the cardholder of suspect activity, account suspension or other reaction by the card-issuing entity.
When used for an online or other “card not present” transaction, the PAN and/or CVV2 are provided as human-readable characters, and are either keyed in, entered into a printed or faxed order form, or provided verbally. The PAN and/or CVV, when provided by any of these means, cannot typically be protected cryptographically, e.g., encrypted. For printed, mailed or faxed orders, the cardholder's account information, including the PAN and/or CVV, is only as secure as the merchant's document security system. For telephone transactions, the account information, including the PAN and/or CVV, may be compromised by the customer service representative recording the information. For on-line transactions, even if a merchant web site or on-line shopping cart is fully secure, the cardholder's computing device (PC, laptop, notebook, PDA, etc.) may not be fully secure. The user's computing device may contain malicious “Trojan” type viruses and screen wipers that record account details, including the PAN and/or CVV, during the online transaction, for retrieval and use in subsequent attacks on the user's account.