We have all grown accustomed to the modern-day conveniences of credit card payments. Whether it’s calling to order a pizza or buying a plane ticket online, today’s consumers know the routine. To make a payment, retailers ask cardholders to provide their credit card number, expiration date, name on the card, and lastly, the 3- or 4-digit Card Security Code (CSC) on the back of the card.
What is a CSC code and why does it matter?
The CSC is used for verification purposes and is required to complete a payment transaction. A CSC code provides an extra layer of protection, assuring the merchant that a fraudster is not using your credit or debit card information to make a purchase.
The CSC code cannot protect you if your card is lost or stolen, but if someone has accessed your credit or debit card information and attempts to make purchases in your name online, retailers will not allow the purchase to go through if they do not also have your card’s CSC code.
CSC Codes and Their Many Names
CSC codes differ by name depending on the credit card company. Known as a Card Verification Value (CVV) on the Visa network and a Card Verification Code (CVC) on Mastercard, these three-digit CSC codes are printed in small boxes beside the signature strip on the back of cards. On American Express and Discover cards, the CSC number is known as a Card Identification Number (CID). Unique to its brand, AmEx is also the only company with a four-digit CSC code printed on the front of its cards. Terms like CVV2 or CVC2 refer to CSC numbers generated through a second-generation process that makes it harder for them to be guessed by cybercriminals.
How do Card Security Codes (CSC) Work?
Card security codes were designed to validate legitimate cards during transactions. In 1997, all debit cards were required to use CVC codes, and all Visa cards were outfitted with the technology by the beginning of 2001.
Since a consumer must be in possession of a card to obtain a CSC number, these verification codes were designed to make it harder for criminals to use stolen cards during transactions. For this reason, PCI Standards prohibit CSC numbers from being stored.
Though account names, numbers and expiration dates can be stored on a merchant’s servers, CSC numbers must be reentered before every transaction, no matter how many times a consumer has shopped with a particular merchant. Designed to be unknown to everyone but the card owner and the card company, CSC numbers are also never embossed, copied or printed on receipts.
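As an added illustration (not code from this article or from any vendor it names), the Python example below applies the storage rule above: the CSC is checked for the length its network uses, passed only to the authorization request, and kept out of the record that is stored, with a guard that catches the code under any of the names listed earlier. The field names, function names and sample form are assumptions made for this example.

```python
import re

# Names the article lists for the same value; a storage guard has to know all of them.
CSC_ALIASES = {"csc", "cvv", "cvv2", "cvc", "cvc2", "cid"}
# Code length per network as described in the article (four digits only on AmEx).
CSC_LENGTH = {"visa": 3, "mastercard": 3, "discover": 3, "amex": 4}
# Fields the article says a merchant may keep on file (key names are assumed).
STORABLE_FIELDS = ("name", "number", "expiry", "brand")


def csc_format_ok(brand, csc):
    """True if csc is all digits and has the length expected for the brand."""
    expected = CSC_LENGTH.get(str(brand).lower())
    return expected is not None and re.fullmatch(r"[0-9]{%d}" % expected, str(csc)) is not None


def split_checkout(form):
    """Return (authorization_request, record_to_store) for one checkout form.

    The CSC appears only in the authorization request, which goes to the
    processor and is then discarded; the stored record never carries it.
    """
    if not csc_format_ok(form.get("brand"), form.get("csc")):
        raise ValueError("CSC missing or wrong length for this card brand")
    record = {field: form[field] for field in STORABLE_FIELDS}
    auth_request = dict(record, csc=form["csc"], amount=form["amount"])
    return auth_request, record


def find_csc_fields(obj, path=""):
    """List paths of keys in nested dicts/lists whose name contains a CSC alias."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            # Split on separators so "card_cvv" matches but "incident" does not.
            tokens = re.split(r"[^a-z0-9]+", str(key).lower())
            if CSC_ALIASES & set(tokens):
                hits.append(here)
            hits.extend(find_csc_fields(value, here))
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            hits.extend(find_csc_fields(item, f"{path}[{index}]"))
    return hits


# Constructed sample input (a test card number, not real card data).
FORM = {"name": "A. Cardholder", "number": "4111111111111111", "expiry": "12/30",
        "brand": "visa", "csc": "123", "amount": "19.99"}
```

Running find_csc_fields over anything about to be written to a database or log, and refusing the write when it returns a non-empty list, turns the rule into an enforced check.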
CSC Codes Protect Against Card-Not-Present Fraud
Online sales became widely popular in the last few years, and even with the pandemic in the rear-view mirror, Ecommerce sales continue to grow, with a reported revenue of 33% of all retail sales.
This growth has not gone unnoticed by cyber thieves, and as a result, card-not-present (CNP) fraud has also risen, costing Ecommerce merchants billions of dollars.
Nilson’s recent report on worldwide card fraud shows the amount of money lost to card-not-present fraud in 2019 was four times greater than it was in 2018, and in 2020, losses were 6 times greater than in 2019.
In 2020, CNP fraud accounted for 79% of all credit card fraud incidents. Since then, ecommerce merchants within the U.S. have reported a 140% increase in fraud attacks – more than one-third of card losses globally.
Now more than ever, CSC codes play an important role in protecting online transactions and other situations where the physical card is not available.
When merchants require the CSC during authorization, the card issuer validates or invalidates the code as part of the approval process. Most payment systems are set up to automatically reject transactions where the CSC code doesn’t match the card number.
Beyond CSC Codes – Evolving Solutions for Ecommerce Transactions
As CSC codes prove, payment security is a constantly evolving industry and savvy merchants must stay one step ahead of hackers and criminals to secure customers’ payment data.
While protecting sensitive card data is a top priority for Ecommerce merchants, the grim statistics on fraud damages and the increased – and successful – efforts by cybercriminals only prove that data breaches are here to stay.
Luckily, there are security solutions available for Ecommerce merchants that not only meet PCI Standards, but also devalue sensitive card data, rendering the data useless to hackers in the event of a breach.
Bluefin specializes in security and payment solutions for Ecommerce, including our 3D Secure customer authentication solution, our anti-fraud scoring tool, and our ShieldConex® data security platform for the vaultless tokenization of all data entered online, including Personally Identifiable Information (PII), Protected Health Information (PHI), ACH account information and payment data.