The card security code (CSC) cannot protect against phishing scams. This scam is where the cardholder is tricked into entering the CSC among other card details via a fraudulent website interface. This type of fraud has grown and has the reduced the effectiveness of the CSC as an anti-fraud device. The growth of this type of scam has seen growth since building legitimate looking web sites has become easier and quicker to deploy.

Another scam is where an individual has hacked a merchant database and has obtained the card account information and then uses this information to provide proof of authenticity when asking the victims for this missing information for online transaction frauds.

Since the Payment Card Industry Data Security Standard (PCI DSS) do not allow to store the CSC be stored by the merchant for any length of time a merchant who needs to bill a card regularly would not be able to provide the code on each transaction following the initial transaction. In order to accommodate this payment gateways, have added “periodic billing” feature is a part of the initial payment authorization process information data.

Since It is not mandatory for a merchant to require the security code for making a transaction some card issuers will generally charge a merchants higher card processing rates where the CSC not validated and when any fraudulent transactions without CSC validation investigations are more likely to be resolved in favor of the cardholder at the cost of the merchant.

One of the first anti-scam measure introduce to protect the merchants against card fraud from online purchase scams is the card sekurity code(CVC or CVC2). Introduced for the growing number of purchases where the card is not present or Card Verification Value (CVV or CVV2), allowing validation of the card number presented is the original produced by the issuer. Supplying the card security code(CSC) in a transaction is intended to verify that the customer has the card in their possession.

Security benefits

For “card not present” transactions merchants are forbidden from storing the CVV2 once the individual transaction is completed. The idea here is if a database of transactions data is ever compromised, without the CVV2, the stolen information has limited value for online credit frauds. The online payment gateways as part of the Payment Card Industry Data Security Standard (PCI DSS) do not allow to store the CVV2 code, therefore access to these web-based payment interfaces may provide access to complete card numbers, expiration dates, and other transaction information without the CVV2 code.

The PCI standard applies to larger merchants who stores, processes and transmits card holder information and. These merchants have the resources to develop their own credit processing solution or are credit card service providers who service smaller merchants with point of sales (POS) devices or online credit card processing web interfaces.  Since the CSC is not contained on the magnetic stripe of the card, it is not typically included where the card is presented and handled in a POS device. Some merchants may require the code for their own security standards. These are usually larger merchants chains who use this code to validate a presented card for protection against duplicated cards. Usually these larger merchants have negotiate better rates from card payment processors based on the lower risk they represent to card issuers, who provide them the interchange services.