Watch for the CVV Request

Category : Privacy & Security

Okay, so I was paying my bills yesterday and came across something interesting.  One of the bills from the UMass Memorial Medical Group gives me the option to pay by credit card.  Okay, cool.  I like that option since I get points for every credit purchase, so I might as well take advantage of it.  Looking over the form, it asks for the usual information:

  • Card Type (Visa/MasterCard)
  • Card Number
  • Expiration Date
  • Amount
  • Signature
  • CVV2 Code

Okay, wait a minute on that last one.  The CVV2 code?  This is the little three-digit number printed on the back of your Visa/MasterCard or the four-digit number printed on the front of the American Express card.  No harm in providing that, right?  Wrong.  With the addition of that code, a credit card thief has all that they need to encode the mag stripe on a fake card.  The CVV2 code was intended to serve as a validity check for a transaction that is not person-to-person, such as one made over the phone.  The intent is that the CVV2 information is entered directly into a secure processing system, validated and immediately destroyed.  According to the Payment Card Industry (PCI) Data Security Standard (DSS), the CVV2 information is one of the things that must never be stored.  Some data, such as the card number and expiration date, can be stored as long as it is encrypted, but the PCI DSS expressly forbids the storage of the CVV2 number, encrypted or not.

So what does that mean for our example?  Well, like it or not, if I were to supply my CVV2 number and send it in, UMass Memorial Medical Group has now violated the PCI Standard.  As long as this piece of paper is sitting in their facility, they are technically storing this non-storable data.  Never mind that something sitting in the bottom of a mailbag is largely inaccessible – what happens if a mailbag falls off the back of a truck or some of the envelopes get lost?  We have a data breach.  The bottom line is that the CVV2 should never be written down anywhere.  A vendor does not need this information to process payment unless they are using a secure entry system as discussed earlier.  You should never commit your CVV2 number to paper and you should question anyone who insists that you do.  Granted, as I said in my last post, if your credit card gets stolen, it’s really more the bank’s problem than yours, but it is good to get in the habit of protecting your privacy regardless of your ultimate liability.  Companies are lazy and will only change their practices when held to account.  Let’s start making some trouble.
