CVV number on paper form

dub_nerd

Frequent Poster
Messages
1,968
This is definitely not a scam, but I'm concerned about the safety aspect. At Christmas I filled in a form for a well-known mid-size charity to make a donation by once-off credit card payment. They got back to me apologetically in January to say their procedures had to change at the request of the banks, and now they needed the CVV number along with the credit card number.

My understanding is that the CC number and CVV number should never be provided together for an offline transaction, because: "Handing over your CVV for purchases completed offline serves no purpose other than providing someone with the opportunity to steal the information. Because if they were to do this, they'd have everything they need to go ahead and make a bunch of fraudulent online transactions - on you!" (link).

I told them the other day that I wasn't happy putting the two numbers together on a paper form. (In fact, I don't want to do it over the phone either because I suspect they may not have the electronic systems to keep the two safely separate). Apart from figuring out a different way to donate (I probably have a cheque book gathering dust somewhere) should I be warning them that they're going to lose donations with the credit card/paper form approach? They are a very solid charity, one of the few with practically 100% volunteer staffing -- I wouldn't like to see them suffer because of a rickety system.
 

RedOnion

Frequent Poster
Messages
3,290
Suggest to them that they talk to their bank / card processor about PCI compliance.

If they don't have an online method to accept payment, they should look into that.
 

dub_nerd

Frequent Poster
Messages
1,968
Thanks RedOnion, on checking I see that they do have an acceptable online payment method. The paper form still intrigues me though. Thanks for the pointer to PCI. I googled my way to the Payment Card Industry Data Security Standard (PCI DSS) and I read in section 3.2.2:

The purpose of the card validation code is to
protect "card-not-present" transactions—Internet
or mail order/telephone order (MO/TO)
transactions—where the consumer and the card
are not present.

If this data is stolen, malicious individuals can
execute fraudulent Internet and MO/TO
transactions.

So it seems that requiring the CVV on a mail order form is considered acceptable. It seems to me like a weak point in the process, and I certainly won't be doing it myself ... but apparently it's not verboten in the industry. Interesting.
 

RedOnion

Frequent Poster
Messages
3,290
It's a fascinating area once you learn about it - one of my insurance brokers announces switching to an unrecorded line when taking credit card details over the phone. Whereas others you know the entire call is recorded.
 

Buddyboy

Frequent Poster
Messages
522
On a side note, I always scratch out the CVV number on my physical cards (paranoid much? :)) so that if the card is lost /stolen the finder/thief does not have enough information to make an online transaction. I have the number recorded elsewhere in case I have a senior moment and can't remember it.
 

Cervelo

Frequent Poster
Messages
458
On a side note, I always scratch out the CVV number on my physical cards (paranoid much? :)) so that if the card is lost /stolen the finder/thief does not have enough information to make an online transaction. I have the number recorded elsewhere in case I have a senior moment and can't remember it.
An AAM "Top tip of the day" ;)
 

odyssey06

Frequent Poster
Messages
1,612
On a side note, I always scratch out the CVV number on my physical cards (paranoid much? :)) so that if the card is lost /stolen the finder/thief does not have enough information to make an online transaction. I have the number recorded elsewhere in case I have a senior moment and can't remember it.
Great idea... Are you just using coin to scratch that out?
 

Buddyboy

Frequent Poster
Messages
522
Yes, a penknife, then mark over it with a black indelible marker.

If I ever need it for a physical purchase, e.g. the NCT centre ask for it, then I just tell it to the person when they are putting in the card. Never had a problem.

And also got a Revolut virtual card for any purchases from Aliexpress an the like.
 

peemac

Frequent Poster
Messages
648
Unless you use a pin number (physical transaction) or 3d secure (verified by Visa) , then it is up to the place receiving the money to prove it is a valid transaction

Personally I have no issue providing a cvv number if I know who I'm providing it to.
 
Top