What's the impact of disclosing the front-face of a credit or debit card?
There are quite a few cases where people are called out for disclosing the front-face of a credit or debit card (e.g. this tweet from Brian Krebs or this twitter account). So I was wondering what the impact of this disclosure for the card holder is likely to be.
From the front of a card, a fraudster could get the card PAN (16-digit number), start date/expiry date and cardholder name. Also, for debit cards, the cardholder's account number and sort code (that may vary by region).
So the question is, what's the likely impact of the disclosure of this information (i.e. what frauds could be committed).
Some initial thoughts I had were:
- Cardholder Not Present transactions shouldn't be possible as the CVV hasn't been disclosed
- The card wouldn't be clonable with just that information as there's other information needed for the magstripe.
I've "heard somewhere" that all you need is the front digits - that not all merchants require CVV or even expiration date. But this _really_ needs confirmation.
Although the CCV was not disclosed, I think guessing it would prove less than difficult. Most CCV codes consist of only three digits and have other restraints as well. I'm not certain, but it could be a problem. I'm guessing, though, that most banks would give you your money back if a transaction was discovered after being conducted that was not authorized by you.
@HenningKlevjer et al: How does Amazon bill me without the CVC / CVV / CVV2? Why does Amazon ask for the CVC/CVV if it bills without it? Also related: Could I be defrauded by a website who has my address, phone number, and credit card number? Is it standard practice to ask a customer to send a photo of their credit card to confirm their identity?
@Gilles Very relevant, although there are no citations. It is highly likely that it is the card issuer that rules what values are needed and the merchant that decides additional requirements, i.e. a "bad" merchant may allow just the PAN if the credit card issuer in question has a bad authentication assurance policy.
@HenningKlevjer I asked that 1st question he linked to, and the guys there explained that all the relevant stuff would be defined in the [Amazon's] merchant agreement, which is obviously not available for general public. Plus, I wouldn't say, e.g., Amazon is a "bad" merchant and they don't ask for the CVV. The same aforementioned question mentions the reason why they can afford not asking for the stuff -- they keep the fraud rates low enough.
You don't actually need the CVV to perform transactions; it's just required by most retailers as a means of verifying that you have the physical card in your possession.
From Wikipedia (unsourced):
It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.
On most EFTPOS systems, it's possible to manually enter the card details. When a field is not present, the operator simply presses enter to skip, which is common with cards that don't carry a start date. On these systems, it is trivial to charge a card without the CVV. When I worked in retail, we would frequently do this when the chip on a card wasn't working and the CVV had rubbed off. In such cases, all that was needed was the card number and expiry date, with a signature on the receipt for verification.
But wasn't it contrary to policy and rules to accept credit card information from a customer, in person, if they did not have the credit card in their possession? As a cashier, I always knew there were cameras, even intermittently, so I would have been implicated as an accessory if I were to accept payment from a customer without a card, if the customer was physically present in the store.
@FeralOink They had the card, but the chip didn't work and the CVV was rubbed off. I was simply providing an example of where I'd personally seen cards used without CVV. It's possible to set up a fraudulent merchant account and steal cash in this way. It's also possible to find stores that don't require CVV, though it's rare these days.
Okay! That makes more sense. I misunderstood you, thinking that the physical card wasn't req'd for an in-person transaction. Thanks!