How does Amazon bill me without the CVC / CVV / CVV2?
The card in question is a VISA, if that's of any importance. I've noticed this only on Amazon. All other sites I've purchased something from, ever, have needed the CVC code for the card. However, I know I never entered the CVC on Amazon when I added my card to it, and this has been bugging me ever since. How do they successfully charge the card without the CVC code?
IIRC, PCI compliance has nothing to do with whether you use the CVC code or not, it's about dealing with credit card data securely. It's up to a business whether they use CVC codes or not.
CVC isn't required though often payment handlers will give you a discount for using CVC so quite a lot of people choose to do it, there are also the fraud benefits mentioned below. It might be worth noting that here in the UK I have to use CVC for Amazon - it's possible that they're doing some risk assessment and allowing no-CVC if they deem you less risky enough.
@AndySmith funny thing -- I actually order through the UK store when I need stuff that's not deliverable electronically, and they don't ask me for the code. Must be at least somewhat individual then...
@GdD If you read the PCI DSS requirements it clearly states you are not allowed to store CVC/CVV/CVV2 codes. See page 8 https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
@AndySmith I'm in the UK and I don't have to use it, I do have Amazon Prime however so maybe they don't require the CVC for people have that extra service.
@TC1 - One of the thing Amazon does to verify you actually have the card on file is request you enter the entire credit card number again after a period of time.
What use is CVV / CVC if it can be stolen by a phishing attacker?! (http://en.wikipedia.org/wiki/Card_Verification_Value#Limitations)
@user30291 A plain card number (and name) is much easier to get compared to the same plus the CVC, just because they are handeled separately. Normally, the CVC is even handeled more secure, but that's not even required to make it more save. It's like with a door that has a second lock of a different type, both easy to pick.
when CVC first appeared it was considered proof that who provided it had the card. it was as if it made credit cards 2FA'd. of course, it didn't. it just added a few more bits of entropy and diluted a fairly dense space. about all it protected against was those who try to guess numbers (the assignment density issue). i guess Amazon is willing to take the risks. they will probably ask for CVV or other info from IPs determined to be more risky or high price purchases.
That code isn't necessary. This may cause more fraud and more chargebacks, but Amazon keeps those numbers low so that they can offer a faster shopping experience such as one-click.
The only thing necessary to make a purchase is the card number and, in all but rare cases, expiration date, whether in number form or magnetic. Most systems require more information (such as matching full name, bank phone number, physical billing address with zip code, et al) so that they can deal with fraud and/or chargebacks, and sometimes this is enforced by the issuing bank.
Where is the procedure defined? Is it card specific (e.g., VISA, Master etc.) + bank enforcements?
I believe that the procedure(s) end up being defined in the merchant's contract with the payment processor (someone like Paymentech or Heartland or BillMatrix).
You certainly **DO** need the expiration date to charge any card. We charge cards manually all the time, but this is impossible without the expiration date. I would assume it's used as sort of a "control" since card numbers can easily be generated by trying numbers and feeding them into the Luhn algorithm. However the expiration date cannot be validated programatically.
@deed02392 After researching it a bit, I found this site which says "big players in the U.S. consumer-sales industry have developed informal agreements with credit-card issuers that allow charges to be made to consumers' credit cards without specifying the expiry month and year". So it looks like the big guys get to do whatever they want while small merchants (like us) don't have these special agreements. So what I said above is not entirely true.
Amazon pays a slightly higher rate to accept your payment without the CVV, but the CVV is not strictly required to present a transaction - everybody uses CVV because they get a lower rate if it is present (less risk, less cost). Nobody who knows what they are doing will store your CVV - if the card networks suspect that you are storing CVV, you will have forensic auditors on your site REALLY fast.
Where is the procedure defined? As noted above, it's the bank that boards the merchant account and there is a wide range of flexibility depending mostly on the merchant's track record for many good transactions and very few chargebacks. You and I might not be able to process transactions without an exp date, but Amazon surely can if they want to...
Not true, rate is the same wether or not you provide the CVV, braintree recently confirmed that.
Amazon cannot charge without the expiration 'if they want to'. I've had many cards expire with Amazon and they won't ship without it, even though the # is the same. Here is an example of a minimal API call through a credit card processor: https://www.braintreepayments.com/docs/ruby/transactions/create#minimal_example
@Nimbuz With Braintree, yes, because they are both the payment gateway and the merchant bank and charge a flat rate. If you had a large volume and independent merchant bank and payment gateway, I do believe you may be able to negotiate a discount for opting to use CVV and lowering your charge-back rate.
I have personally implemented payment forms at least twice and both times, the fee for running a transaction without CVV was higher than the fee for running the transaction with CVV. I can't say whether Braintree charges higher fees without a CVV nor whether Amazon has negotiated a deal without extra fees or with fees low enough to find acceptable.
The CVC (sometimes "CVV" or "CVV2") is supposed to indicate whether the card is present at the time of the transaction. Card companies require that it never be stored or recorded, but rather passed directly from the customer to the merchant gateway and then immediately forgotten. Therefore, any time you give that number to a merchant, they're supposed to use it immediately and then immediately forget it.
Since this number is theoretically never recorded in any database, having this number present at the time of the transaction should indicate with greater certainty that the card itself is truly present and therefore that the transaction is not fraudulent. As such, providing this number decreases the probability of the transaction being rejected.
Alternately, a transaction submitted without the CVC indicates that the transaction was submitted using previously stored credit card information, but the card was not itself present at the time of the transaction.
Some merchants ask you to provide this number when saving a card on file. What they should be doing with the verification code if they do so is requesting verification from the bank that the code does in fact match, but then they should not store the CVC code in their database. The purpose would be to ensure that you're not storing on file a stolen credit card--primarily for the merchant's safety.
If a merchant does in fact store this code and a card company finds out, it's big trouble and can result in some steep fines.
This question has been sufficiently answered.
However, one more fact I believe to be interesting and relevant is that even if a merchant collects your CVV2 and discovers that it is incorrect, the merchant may still charge you at their discretion.
The issuer may return several pieces of information to the merchant (e.g. authorization or rejection, address verification service (AVS) and CVV2 match responses). AVS tells the merchant how well the billing address supplied by the cardholder matches the billing address on record. A rejection notice overrides any decision the merchant may make to accept the transaction, while the treatment of AVS and CVV2 responses are up to the discretion of the merchant .
Molloy, I., Li, J. & Li, N. 2008, "Dynamic Virtual Credit Card Numbers" in Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 208-223.
Reference 23 in the paper cited above is:
Visa International Service Association: Rules for visa merchants - card acceptance and chargeback management guidelines. Technical report, Visa International Service Association (2005)
This also answers a closely related question (that of charging with an incorrect CVV2, as opposed to no CVV2 at all) that I believe was marked as a duplicate of this question incorrectly.
I confirm that Amazon strangely doesn't make use of CVC (also "CVV" or "CVV2"), however there's nothing magical about Amazon itself, it's all up to the bank to accept payments without this security code.
For instance in my case I wasn't able to associate a master card as a payment method because my bank probably didn't accept charging without this code. I asked for assistance at Amazon and was replied:
Thank you for your interest in Amazon Web Services. I'm sorry for the trouble you're having activating your services. Most Amazon Web Services require a valid credit card to be added to your account.
I've checked your account and found that we were unable to authorize your credit card for your recent sign-up.
- Amazon is not set up to accept the CVV2 security code associated with credit cards. Your bank may be able to temporarily lift this requirement.
As you see they suggest asking my bank to temporarily lift this requirement so that they can charge without using the CVC.
So again, some banks may accept not using this CVC, some may not, most probably will whitelist Amazon only because it's Amazon.
based on another answer, merchants are not permitted to store the CVC. yet quite many are able to do automated charges. that has to be w/o CVC or they stored it. but at least they know it went through the first time. and with the expiration date they know when to stop doing that.