How does Amazon bill me without the CVC / CVV / CVV2?

  • The card in question is a VISA, if that's of any importance. I've noticed this only on Amazon. All other sites I've purchased something from, ever, have needed the CVC code for the card. However, I know I never entered the CVC on Amazon when I added my card to it, and this has been bugging me ever since. How do they successfully charge the card without the CVC code?

    IIRC, PCI compliance has nothing to do with whether you use the CVC code or not, it's about dealing with credit card data securely. It's up to a business whether they use CVC codes or not.

    CVC isn't required though often payment handlers will give you a discount for using CVC so quite a lot of people choose to do it, there are also the fraud benefits mentioned below. It might be worth noting that here in the UK I have to use CVC for Amazon - it's possible that they're doing some risk assessment and allowing no-CVC if they deem you less risky enough.

    @AndySmith funny thing -- I actually order through the UK store when I need stuff that's not deliverable electronically, and they don't ask me for the code. Must be at least somewhat individual then...

    @GdD If you read the PCI DSS requirements it clearly states you are not allowed to store CVC/CVV/CVV2 codes. See page 8 https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

    @AndySmith I'm in the UK and I don't have to use it, I do have Amazon Prime however so maybe they don't require the CVC for people have that extra service.

    @TC1 - One of the thing Amazon does to verify you actually have the card on file is request you enter the entire credit card number again after a period of time.

    What use is CVV / CVC if it can be stolen by a phishing attacker?! (http://en.wikipedia.org/wiki/Card_Verification_Value#Limitations)

    @user30291 A plain card number (and name) is much easier to get compared to the same plus the CVC, just because they are handeled separately. Normally, the CVC is even handeled more secure, but that's not even required to make it more save. It's like with a door that has a second lock of a different type, both easy to pick.

    when CVC first appeared it was considered proof that who provided it had the card. it was as if it made credit cards 2FA'd. of course, it didn't. it just added a few more bits of entropy and diluted a fairly dense space. about all it protected against was those who try to guess numbers (the assignment density issue). i guess Amazon is willing to take the risks. they will probably ask for CVV or other info from IPs determined to be more risky or high price purchases.

    Hm, I am quite sure I entered my MasterCard CVV, maybe you have the secured by visa redirect thing active?

  • atdre

    atdre Correct answer

    8 years ago

    That code isn't necessary. This may cause more fraud and more chargebacks, but Amazon keeps those numbers low so that they can offer a faster shopping experience such as one-click.

    The only thing necessary to make a purchase is the card number and, in all but rare cases, expiration date, whether in number form or magnetic. Most systems require more information (such as matching full name, bank phone number, physical billing address with zip code, et al) so that they can deal with fraud and/or chargebacks, and sometimes this is enforced by the issuing bank.

    Where is the procedure defined? Is it card specific (e.g., VISA, Master etc.) + bank enforcements?

    I believe that the procedure(s) end up being defined in the merchant's contract with the payment processor (someone like Paymentech or Heartland or BillMatrix).

    @TC1 - It would defined with Amazon's merchant contract agreement.

    You certainly **DO** need the expiration date to charge any card. We charge cards manually all the time, but this is impossible without the expiration date. I would assume it's used as sort of a "control" since card numbers can easily be generated by trying numbers and feeding them into the Luhn algorithm. However the expiration date cannot be validated programatically.

    @Mike I think we need some citations.

    @deed02392 After researching it a bit, I found this site which says "big players in the U.S. consumer-sales industry have developed informal agreements with credit-card issuers that allow charges to be made to consumers' credit cards without specifying the expiry month and year". So it looks like the big guys get to do whatever they want while small merchants (like us) don't have these special agreements. So what I said above is not entirely true.

    And this is precisely why I prefer to request a new card number when a card expires. I don't want ANY entity able to bill me unless I specifically add/update my credit card info.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM