3-digit security code question

cottager
Posts: 934 Forumite
in Credit cards
Are there any rules about being obliged to give out the 3-digit security code from the back of a card? -- or what a recipient must do once they're in possession of it?
Faxed a lengthy (otherwise I would have phoned it) order through to a company not so long ago and there was a box for the code on the form. When it's asked for you feel obliged to fill it in, so I did but was uncomfortable about it -- if I'd known about the MSE forums then I'd have probably asked first.
I don't have a problem entering it securely online, nor quoting it over the phone, but somehow writing it down and imagining a piece of paper lying around at the other end for all to see for goodness knows how long seemed pretty dangerous, if there was no policy to destroy such things immediately (and properly, by shredding).
I thought a 'Customer not present' transaction could be done without the code and only the card number, but maybe that's now out of date?
BTW, I don't know why I imagine giving out the code over the phone would be any safer than sending it by fax! -- but somehow this *felt* more risky.
~cottager
Comments
-
Customer not present requires the code, it replaces the signature/PIN in effect (usually with extra info such as postcode numbers and house number to verify the card on a PDQ)
-
If you're suspicious, call the company and ask and/or get a new card from your issuing bank.
Some websites (Amazon.co.uk is a big one) do not use the CVV2. This may be because of practical issues (merchants are not allowed to store it, and not every card carries one yet), but as pointed out by HeadInSand it's basically a way of affirming that you are in fact in possession of the card, meaning an additional layer of protection. You CAN still do transactions without the three digit number, but they (i.e. the merchants concerned) shouldn't allow them, really.
The postcode and house number are optional, it will quite happily accept a transaction with just the security code - it will warn you about the missing info but will still accept it...
-
-
paperclip4201 wrote: » I've never seen this - I'm always asked for a billing and delivery address
Yeah, you're asked as it allows an extra verification check but the PDQ machine will accept a customer not present without this extra info...
I thought a 'Customer not present' transaction could be done without the code and only the card number, but maybe that's now out of date?
I thought that the whole purpose of introducing the 3 digit code was just for this reason - 'customer not present' transactions.
It's a step towards proving that the customer is actually in possession of the card and not just a copy of the 16 digit number / expiry date.
Thanks to all...
ShelfStacker: I've no reason to be suspicious about the order or the company, goods received promptly and no one seems to have raided the card since. It was only an example to ask if they actually needed the code to put the transaction through, for future info in case of being in the same situation again.
I know the solution: if I'm uncomfortable don't do it, and if I do the risk is mine; so mailing or faxing card numbers all round the country is avoided if poss. But occasionally it's necessary, and when it is there's some danger the details fall into the wrong hands; but it's been like that for a long time and we're used to weighing it up fairly adequately.
Much newer is the security code, and I'd never before been asked for it in writing. Online and verbally certainly, but it seems *way* more risky to me to commit it to something tangible like a faxed or mailed order form. So, it surprised me to be asked in those particular circumstances as I thought the rules about what a supplier should ask for may be different.
A piece of paper floating about in someone's premises with not only my card number but also my 'additional layer of protection'? -- surely a potential horror story? That's what made me feel uneasy, no longer the only person in possession of it. Sure, when given online or verbally I'm not either, but somehow that seems safer. Even over the phone I'm usually aware it's being entered straight onto a computer, and quite often (e.g. querying something, when they have to go back in the process) card details must be given again as evidently they can't be retrieved from a previous screen. That seems reassuring and why even verbally usually feels safer to me, but maybe I'm being totally naive?
Don't you think in writing it's quite different? I feel my card number and postcode and everything else we've grown accustomed to passing on in paper form (if we must) is fair enough. Clearly this carries risk as well; but if they're obliged to ask for, and I'm obliged to give, my code too... well, it just seems a much worse security hole. That's why, in a 'written down' scenario only, I wondered if they actually *had* to have the code; because if they didn't, I could choose to omit it?
Maybe not so worrying if all suppliers are legally required to ensure tangible or 'hard copy' card details were securely destroyed once the transaction was put through, but are they? ShelfStacker mentions merchants aren't allowed to store them, but in an online context. What happens when it's physically written down, and does the rule apply to any and all suppliers who handle orders like this? That's really what the second part of my question was trying to find out.
~cottager
I don't think merchants are supposed to store the CVV2 at all - electronically or on paper. I'm sure I've seen paper forms where they ask you to write the CVV in a corner of the form with a tear off line so that their staff can destroy it after keying the transaction.
I guess it comes down to how confident you are in the merchant's data security practices.
The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
This discussion has been closed.