FlyerTalk Forums

Podcat Dec 14, 2017 6:02 pm

About That Three-Digit Security Code (CVV) ...

"NO."

That's my answer whenever someone at the other end of a phone asks, "May I have the three-digit security code?"

If I'm here, then I'm not there.
My card is here, with me.
Not there.
CNP stands for "Card Not Present."
As in, not present with the merchant trying to run my card.

What is the purpose of a security code, appearing only on the original card, if it must be given out to anyone who asks?
I don't see why this code should ever be given to a human.
Its only legitimate use is online, at a SECURE website, where it is captured but not saved to be read later.

So why does everyone ask for it?
Because no one says no?

Anyone who hears that code over the phone, together with your account number, billing address, and expiration date, has everything they need to go shopping -- or sell it later to a thief.

Why is this practice allowed by the issuers, and how do we stop it?
Defeats the entire purpose of the code.

sdsearch Dec 14, 2017 6:31 pm

Even if it's the bank you called about the card?

Or do you make an exception in that case?

I've had some bank recently (can't remember which one) ask me for that code to verify that I actually had the card in hand. But since I called them, I didn't see a problem with giving it. (I also called them from home, where there was no one to overhear it.)

...

Meanwhile, even without the CVV, someone who hears your account number, billing address, and expiration date, has everything they need to go shopping at many places online.

So I would be wary of buying things over voice phone with a card (that's not already on file with company) in a situation where people can overhear, no matter how much or little information they ask you. Because if that information was good enough for them, it's going to be good enough for any thief that overheard what you were saying and made a record of it.

And thus I don't see what CVV makes worse. It's already bad enough if they get everything other than CVV. All CVV does is extend the number of places they can use your card info, but even without the CVV they can use your card info at lots of places. (And someone who's into stealing card info they overhear probably knows where they can shop with however much of the info they got.)

txflyer77 Dec 14, 2017 9:25 pm

A transaction run with a CVV is still a CNP transaction.

While PCI is mostly toothless, mail-order merchants generally certify under the SAQ C standard, which requires that they do not store cardholder data.

Obviously that does nothing to stop a phone agent from scribbling down your details on a post-it note but who cares? You're not liable for it.

tmiw Dec 14, 2017 9:43 pm

I wonder how OP will end up handling a gas station chain named after a certain type of quotation mark asking him to enter the CVV on the terminal. Especially if his car has almost no gas left and his card won't work at the pump for whatever reason.

(This exact thing happened to me this morning. Well, not the nearly running out of gas or the card not working outside, but the terminal inside did ask for it.)

Anyway, the physical store locations ask for it because they had to manually enter your card details for whatever reason--or their terminals don't have chip enabled and it's an additional security measure. Online stores ask for it because it shaves a bit off their card fees and is something that in theory only the cardholder would know, as it's supposed to be disposed of by the merchant after authorization. Really, we should do 2FA for online transactions but I imagine US stores/issuers aren't going to bother if we're going so far as to effectively get rid of all cardholder authentication for chip transactions.

txflyer77 Dec 14, 2017 10:28 pm


Originally Posted by tmiw (Post 29175970)
I wonder how OP will end up handling a gas station chain named after a certain type of quotation mark asking him to enter the CVV on the terminal. Especially if his car has almost no gas left and his card won't work at the pump for whatever reason.

(This exact thing happened to me this morning. Well, not the nearly running out of gas or the card not working outside, but the terminal inside did ask for it.)

Anyway, the physical store locations ask for it because they had to manually enter your card details for whatever reason--or their terminals don't have chip enabled and it's an additional security measure. Online stores ask for it because it shaves a bit off their card fees and is something that in theory only the cardholder would know, as it's supposed to be disposed of by the merchant after authorization. Really, we should do 2FA for online transactions but I imagine US stores/issuers aren't going to bother if we're going so far as to effectively get rid of all cardholder authentication for chip transactions.

We tried 2FA (kinda) for online transactions. US merchants saw 43% drops in conversions on average.

https://www.adyen.com/fr_FR/presse-e...nversion-rates

tmiw Dec 14, 2017 11:20 pm


Originally Posted by txflyer77 (Post 29176081)
We tried 2FA (kinda) for online transactions. US merchants saw 43% drops in conversions on average.

https://www.adyen.com/fr_FR/presse-e...nversion-rates

3D Secure isn't exactly 2FA, at least how it was initially implemented; it was more along the lines of a static password. Plus, there are enough non-supporting online merchants that it's easy to use one of those instead if one forgets that password.

The more recent implementations work like what we usually think of as 2FA, where a one-time code gets texted or emailed. That along with a lot more merchant support (possibly mandated by card networks and/or the law) would probably result in a lot smaller of a drop, if one were to occur at all.

This is all likely moot, though, as banks in the US are reluctant to introduce any sort of friction whatsoever--either for in-person transactions or otherwise.

kyanar Dec 14, 2017 11:37 pm


Originally Posted by tmiw (Post 29176184)
The more recent implementations work like what we usually think of as 2FA, where a one-time code gets texted or emailed. That along with a lot more merchant support (possibly mandated by card networks and/or the law) would probably result in a lot smaller of a drop, if one were to occur at all.

3DSecure introduces Liability Shift - where the merchant is immunised from liability for "unauthorised transaction" chargebacks, shifting the liability onto the issuing bank. I would think that'd be a pretty good incentive.

tmiw Dec 14, 2017 11:57 pm


Originally Posted by kyanar (Post 29176205)
3DSecure introduces Liability Shift - where the merchant is immunised from liability for "unauthorised transaction" chargebacks, shifting the liability onto the issuing bank. I would think that'd be a pretty good incentive.

There's apparently a reason why that's not enough of an incentive, at least as of now. Increased online fraud may change those calculations at some point.

mia Dec 15, 2017 7:20 am


Originally Posted by Bidkat (Post 29175414)
.

So why does everyone ask for it?

Because it is a security feature specifically designed for Card Not Present transactions which includes both telephone and internet. Security is not a binary perfect/useless outcome. If the code reduces fraud by any measurable amount policy can be established by comparing that savings to the implementation cost.

txflyer77 Dec 15, 2017 8:02 am


Originally Posted by tmiw (Post 29176184)
3D Secure isn't exactly 2FA, at least how it was initially implemented; it was more along the lines of a static password. Plus, there are enough non-supporting online merchants that it's easy to use one of those instead if one forgets that password.

The more recent implementations work like what we usually think of as 2FA, where a one-time code gets texted or emailed. That along with a lot more merchant support (possibly mandated by card networks and/or the law) would probably result in a lot smaller of a drop, if one were to occur at all.

This is all likely moot, though, as banks in the US are reluctant to introduce any sort of friction whatsoever--either for in-person transactions or otherwise.

That's why I called it "kinda" 2FA, but yes it's really just 1FA times two.

Points Scrounger Dec 15, 2017 10:18 am

I rarely place orders over the phone, but don't recall having been asked for the CVV in those cases. Since much of the fraud has to do with snapping pics of both sides of the card by servers, they should have the CVV to enter to obtain their loot.

tmiw Dec 15, 2017 10:50 am


Originally Posted by Points Scrounger (Post 29177904)
I rarely place orders over the phone, but don't recall having been asked for the CVV in those cases. Since much of the fraud has to do with snapping pics of both sides of the card by servers, they should have the CVV to enter to obtain their loot.

That type of fraud doesn't seem to be that common or else the card networks probably would have pushed back harder on the whole taking cards away at restaurants thing.

mia Dec 15, 2017 10:57 am


Originally Posted by Points Scrounger (Post 29177904)
I rarely place orders over the phone....

I sometimes pay medical bills by phone because there is no online option, and these days they do ask for the CVV.

I also booked a BA ticket that required a telephone booking for the return. The agent mentioned that their system would hold the CVV for one week, and they would have to contact me to get it again if the ticket were not reissued in that time. This also happened last year, they contacted me repeatedly for the CVV, but did not manage to take payment until we checked in at LHR :mad:

Hawaiian717 Dec 15, 2017 2:39 pm

I worked in the call center of an online travel agency in 2002-2003 and we needed the CVV for reservations made over the phone.

AllieKat Dec 16, 2017 2:44 am

No. The whole purpose is for exactly what you're doing and I'm shocked any merchant is daring enough to sell to someone who refuses it. Just like a 'bad' chip or a PIN bypass these should be assumed fraud.

