Getting Your Financial Ducks In A Row Rotating Header Image

My credit card meets Carly Rae

CVV code

So, is it just me? I try not to be too terribly difficult to work with. I go along with most requests without any roadblocks, but every once in a while something comes up that just drives me bats.

Problem is, this seems to be something that crops up more and more often. All too often I come across this issue – maybe not every day, but very regularly. What is it that I’m talking about? Let me borrow a line from Ms. Carly Rae Jepson to help explain:

Hey! I just met you…
(And this is crazy)
… but here’s my number,
so call me maybe?

Okay stop being freaked out that I happened to know the lyrics to that song. I just happen to know things, among those things are the lyrics to many a song, inane or otherwise described. Ask anyone who has taken a long road trip with me – included in my repertoire is the complete lyrics of CW McCall’s Wolf Creek Pass. As such, the Pass often makes an appearance on such trips.

It’s all in the cards

Wow, I can sure digress, can’t I? Let’s get back to what I was talking about before – the matter that just drives me crazy these days. I’m talking about credit card processing.

Recently I was signing up for a conference, filling out the form to pay for it. This particular conference had not invested the effort into online processing, opting instead for a Word doc with a simple form to be filled in and emailed. Of course the form asked for all of the pertinent credit card information, including the name on the card, the full card number, expiration date, and zip code. Then, the pie’ce de re’sistance: the CVV code. This is the 3- or 4-digit code from the back of your card.

I recognize why this code is there, it’s for the card not present sort of transactions that we all encounter these days, providing an additional bit of security to ensure that the person using the card actually has possession of the card. I agree with the use of it when necessary, but I also know that it’s not always necessary.

I process credit cards regularly from clients paying for services over the phone, and my processor has clearly noted that use of the CVV code is optional when processing a transaction. Since this is the case, I never require the client to give up this information over the phone. In these circumstances, it serves no purpose (but that’s still not what my problem is).

It’s all about the security itself. In these days of online access for just about everything, it is just irresponsible to request all of this information in a manner that is so unsecured as an email-attached document. In the case of the outfit that is running the conference I mentioned earlier, there is literally no excuse: they have infinitely-adequate resources to enable this transaction to be completed online in a secured fashion.

However, they chose to use the unsecured method of the Word doc. So when I got to the blank requesting the CVV code, I simply wrote to call if absolutely necessary. Not long after I sent the email, there was a response email asking me to call with the code. Busy at the time, I called back a couple of hours later. The person who I needed to talk to had left the office for the weekend, and she had left instructions with her backup to take the number. Still okay with me, until the backup said I’ll just write this down on the application and give it to her on Monday.

Crap. I told her no thanks, I’ll send a check. Which is exactly what I did.

The problem

The problem here is that the CVV code is really your only last defense. If you give that away, especially in a fashion that provides an enduring record, you may as well have sent your credit card over to whoever it is.

When you enter your CVV code in a secured automated processing system, the code is only held for a moment, passed over to the processor and then eliminated. Because of this, if the system you’re using is fully secure, you are not giving up control over the information.

On the other hand, if the numbers are written down, you have given up complete control over your card and its defenses. When this is coupled with the prospect of living on a Post-It note attached to your file over the weekend, you can see why I was squeamish.

Processors are required to only maintain the CVV code until the transaction is complete and, per my own experience, it’s optional.

Here’s my adaptation of Ms. Jepson’s lyrics:

Hey! I don’t know you (maybe you’re in an Internet cafe’ in a third-world country?)…
(and this is crazy)
… but here’s all of my credit card numbers (including my CVV),
so rob me blind, maybe?

How it’s supposed to work

So, back to the thing that drives me bats. It’s actually two things:

  1. If you’re processing credit cards other than over the telephone, go the extra mile and install your processor’s online transaction system in a secured location. This way your system will handle all of the security, and you don’t have to worry about a breach. Better yet, use a third-party secured system such as Paypal or Intuit to handle the processing so that there’s an additional buffer between you as the proprietor and the processor of the information.
  2. If you must handle card transactions offline, do it over the telephone while entering the information into the processor’s system. But by all means don’t ask your customers to submit their last defense information via unsecured email and Word doc attachments. And most of all, don’t leave someone behind to handle this information by just writing it down to be left on your desk over the weekend.

As a consumer, you can insist that only a third-party processor is used (such as Paypal), or even better, you could use one of the virtual or one-time-use credit card numbers.  These are available from lots of sources, such as your own credit card issuer, and even paypal contact.  The one-time-use card allows you to ensure that the number is only used for that particular transaction and never again.  How secure is that??

As it becomes more pervasive in our world we’ll continue to run across these situations. Even though I don’t like to do it, I do give the number out when I know the transaction is being processed directly. But this only happens when there is no secured online option – or better yet, a Paypal option. Absent this, I’d prefer to send a check, or at last resort take my business elsewhere.  Or maybe I’ll put in the effort to get on board with the one-time-use card option.

Get involved!