Q: What is the point of having a security code on a credit card? How does it create “security” when a criminal can just steal that number too?
A: If you look where it’s located, you will see that the security code is printed (not embossed) on your credit card.
Visa, MasterCard, and Discover
It’s on the back of the card. The security code’s location is always on the right. Sometimes it is within the signature box and other times, there is a separate box just for the code. Either way it’s always the 3 digits furthest to to the right. For Visa this is called the “CVV2” and MasterCard it’s the “CVC2.” Discover calls theirs “CID.”
You will find the code on the front. You will usually find it on the right side, but on some of their credit cards it might be on the left. It is a 4-digit number and sometimes referred to as the CID or “unique card code.”
How do they protect you?
When you use your card in-person and swipe it for a purchase, the security code on the credit card is usually not involved (though some stores like Sears do choose to use it even for in-person transaction). The only data that is being transmitted is your account number, expiration date, and name on card.
On the other hand, if you are trying to make a “card not present” purchase (such as over the phone or internet) then the card’s security code is required. However, the merchant is typically not allowed to save that security code – they can only use it in real-time to fulfill your purchase.
This means that even if the store where you swiped your card were to save the account number, expiration date, and name on card, they would not be able to process a “card not present” transaction. Furthermore, the internet or phone retailer can’t either, since they didn’t save your code.
How do they not protect you?
This code is a fraud deterrent, it doesn’t make your account fraud-proof (obviously). A crooked store employee or business owner could manually write down the security code on a credit card and use it in conjunction with the other account data – he would then be able to process “card not present” transactions.
Now you may be asking “I order from Amazon all the time and never get asked to re-enter my security code?” That’s correct – for merchants we are doing recurring business with, there is a loophole that allows them to save all your account data, including the security code. For legit merchants this isn’t a problem, but for shady businesses where you unknowingly signup for a recurring membership or recurring product shipment, this can be an issue. However the biggest risk would be if someone hacked these merchant’s databases where your code is stored.
Should you really care either way?
If you live in the United States, fortunately there is a federal law which caps your maximum liability at only $50. However with most credit cards you won’t even pay that and they give you zero liability.
So having your account information stolen and fraudulently used is a headache no doubt about it, but at least you can rest assured knowing that you probably won’t be responsible for a dime of it. However, please note that if you choose to enroll in a membership/auto-shipment program those purchases might not necessarily be considered fraud.