Why We Don’t Use CSC Codes

In case you didn't know..

When buying things with a credit card online, you may have noticed on a lot of websites an area to enter the CVV2 value on your credit card. Officially, they’re known as “CSC” values (Card Security Code), but Visa calls them CVV2 codes, Mastercard calls them CVC2, and Discover and Amex call them CIDs. For the fun and simplicity of all involved, I’ll just use “CSC” the rest of this post. CSC codes are supposed to help fight fraud because in theory somebody would have to physically have the card in order to know the CSC code.

You may have noticed that DreamHost doesn’t ask for CSC codes.

There are two reasons for this. I’ll tell you reason number two first.

Reason number two is CSC codes don’t do a thing to help fight fraud.

The problem is, about 99.9% of all stolen credit cards used for purchasing things (like say, Web Hosting!) online are gleaned through the use of “phishing” scams. Those spams you get that claim to be from Paypal or Ebay or Wells Fargo or Bank of America. And, the Nigerians and Vietnamese not being total buffoons, they ask for the CSC code for your credit card too! So basically, anybody signing up for stuff online with a stolen credit card is either going to have the physical card (and therefore the CSC code), or will have the CSC code (and therefore have the CSC code).

In theory, using the CSC codes will stop that oh-so-popular case of credit card fraud where somebody goes searching through a trash can for receipts with people’s credit card numbers on it. Except, in practice these days just about all stores mark out the first 12 digits of your credit card number on their receipts.

In theory, using the CSC codes will stop that even-more-so-popular case of credit card fraud where somebody “hacks” into a merchant’s database of stored credit card numbers and compromises a bajillion cards all at once. Despite this being a very infrequent event compared to phishing scams, even when this does happen, CSC codes don’t help at all.

Why not? Well, think about it. Why is a merchant keeping all these bajillion cards in the first place? The only good reason is to be able to automatically rebill your credit card without you re-entering it every time. And that implies that they either don’t need to use your CSC code to charge your card (which is true.. they’re optional), or else they also have to store your CSC code… so it’ll get stolen too!

Either way, if the crooks get access to that database, you’re still cooked!

And now, the real reason DreamHost doesn’t ask for your CSC code.

Credit card processing online is a convoluted world. Every time you make a payment online with a credit card, there are four separate institutions making things happen. First, the website you enter your credit card at uses an online Point-of-Sale service like VeriSign’s Payflow Pro to pass your information electronically to a Merchant Bank (also known as an Acquirer) such as Cardservice International, who in turn uses a Processor such as FDMS Nashville to handle the actual credit card network and finally deposit the money into your Bank Account at a place like Bank of America.

All of this makes it an absolute pain in the bung to get anything changed in your credit card processing. So once you’ve got a system up and working, I whole-heartedly advise you to never touch it again.

WE haven’t!

We’ve gotten Cardservice to lower our rates a few times as we’ve grown, but other than that, our credit card system has been pretty much untouched since the late 90s… a simpler time when there were no CSC codes!

We originally got our merchant account through a place called WebOrder or something like that. I can’t really remember anymore.. they were an all-in-one place which also provided a secure site for ordering and all that. They were good for us back then because they didn’t have a set-up fee or any set monthly fees, and yet they also didn’t have horrible per-transaction rates. Before them we didn’t even need a merchant account because we were using some place that handled everything and just sent you a check every month, minus 15%. How generous of them!

Unbeknownst to us at the time, WebOrder (or whatever) set us up with a merchant account at Cardservice International, who used FDMS Nashville as our processor. This was all hidden from us, and we sure didn’t care! Things were fine for a while, until they were bought by Cybercash (or maybe we just switched to them?), another Internet Payment Gateway, and we had to change our stuff to start connecting to them. This was okay though, because it was a lot more professional to use our own SSL certificate instead of linking over to “https://secure.weborder.net/” or whatever it was.

Then, a year or so later, Cybercash got bought by VeriSign (for sure), and our hidden Cardservice International account came with us. This actually didn’t change a thing, as VeriSign kept supporting the old Cybercash MDK.. we’ve been using it ever since! Of course, it means that we can’t use all the advanced features of Payflow Pro.. features such as CSC support! And that’s it!

(One semi-funny aside.. when signing up for WebOrder, I used where I was living at the time as the phone number.. my parents’ home phone. Little did I know six years later it would still be showing up on people’s credit card bills! We were never able to figure out who could change it.. VeriSign passed us to Cardservice, Cardservice to FDMS Nashville, FDMS to VeriSign.. oh well.)

But, it’s time for a change.

Recently Bank of America came to us offering to be our Merchant Account (they’re already our Bank Account)… with much lower rates than Cardservice had ever been willing to give us. So we decided to make the switch! Which is why I’m suddenly so knowledgeable about all this stuff.

You see, when trying to switch VeriSign to use our new Merchant Account, we were informed that since our account was originally set up through Cardservice International, we are unable to switch our Merchant Account away from them. Instead, we just have to sign up for an entirely new Payflow Pro account with VeriSign directly.

And, to use a new account we have to use the new Payflow Pro SDK.

Which I guess means Goodbye, Cybercash.

Hello CSC codes!