In addition to the card number and date of issue, bank cards also carry a so-called “security code”: a three-digit CVV2 or CVC2 code printed on the back of the card.
This code serves as an additional card detail for “card-not-present” payments, that is, mainly for online payments.
Banks sometimes explain that this code is “a PIN code for online payments.”
When I first learned what it was for, I immediately had a question: why is the CVV2 code written on the card and not given in a sealed envelope?
To answer this question, we need to remember that these codes began to appear on cards in the late 90s, as Internet use became widespread.
The CVC2 code appeared on MasterCard cards in 1997, while the CVV2 code did not appear on Visa cards until 2001.
In those years the first online stores and auctions appeared, and, of course, so did fraudsters, who began using other people's bank card numbers to purchase goods and services online.
To pay for a purchase, it was enough to know the bank card number, the name of the owner, and the date of issue of the card. At the same time, there were many sources of such data: online stores stored it themselves, and data leaks were no less common then than they are now.
It wasn't so much the bank customers who suffered from this, but the banks themselves and online sellers.
If someone paid online using someone else's card details, the cardholder would dispute the transaction, and the costs would fall on either the store or the bank.
That is, “security codes” are needed not for the safety of the cardholder, but to reduce risks for the store and the bank.
The additional code was needed to reduce the likelihood of such a situation. Under the rules of the payment systems, it cannot be stored.
This means that even if an unscrupulous employee starts working at an online store, they will not find the coveted digits in the store's database.
And if there is a leak and the database of this store falls into the hands of fraudsters, only card details without CVV codes will be found there.
The CVV code is not intended to confirm the client's identity; it serves simply as another card detail, which is why it is not issued in an envelope but printed directly on the card.
Now it seems obvious to us that the CVV code should be kept secret and issued in an envelope, like a PIN code (or in a mobile application). But when these codes appeared, in many countries the PIN code was not used at all when paying with bank cards. When paying by card in a regular store, the transaction was confirmed by signing the receipt. And the mere existence of the code was considered a sufficient measure to reduce the risks of online payments.
You can often find advice to paint over or erase the codes printed on the card. This will really help if you lose your card. But it will not provide 100% protection: there are still online stores where you can pay as in the 90s, without using CVC2/CVV2 codes.