30

I got a new credit card today (replacing the old one which was worn out) and I noticed something new - all the numbers have now moved to the back of the card, leaving the front empty. Apparently it's been trending for a while now, and I do agree that it looks nice. However I had always believed that there was also a security aspect to the old design - having the card number and CCV on opposite sides of the card meant that you cannot glean all the sensitive information from a single opportune photograph.

Was I wrong or have there been some new developments in the industry that make this kind of protection unnecessary? Or maybe it was decided that it's never been a significant risk?

Vilx-
  • 1,127
  • 10
  • 14
  • 6
    FWIW, American Express always had the CVV on the front of the card (so on the same side than everything else). – Relaxed Feb 28 '22 at 14:12
  • Indubitably, putting all numbers on one side is necessarily less secure.

    Who doubts that, please explain…

     – Robbie Goodwin Feb 28 '22 at 23:41

5 Answers5

19

The numbers-on-the-front design was necessitated by offline credit card processing, in which the card was put on to a device that imprinted the card on to a piece of carbon paper for later processing. This is the reason why the numbers were embossed/raised from the rest of the card. See the below image for an example.

Credit Card Imprinter

-- Image source: Wikipedia --

Since "nobody" uses this method of card capture for transactions any more, there's no need to have the embossed numbers on the front of the card. This definitely simplifies the design of the card. Aside from that, keep in mind that online transactions typically have a number of layers of security implemented by vendors and banks that may include confirming the Postal Code of the billing address, two-factor authentication for unusual transactions, manual flag and review by fraud detection agents, etc. Just because someone gets a snap of the back of your card doesn't mean they can necessarily use it for long.

In person purchases require either NFC or chip transactions. The more prominent concern regarding the newer cards are not gaining the numbers on the card, but using a NFC reader to capture the NFC data, which can then be used with a relatively inexpensive device, such as cards designed to mimic multiple physical cards at once. That said, I believe the newest batch of cards use a challenge-response system, so NFC capture isn't as big of a deal as it used to be.

Overall, the position of the numbers on the card doesn't matter. There are plenty more security features that most people don't even realize are in play when they use these chip cards. And, of course, virtually every Visa and Mastercard you'll be offered have a zero-liability fraud guarantee. If someone somehow successfully "steals" your card, you can get that money back (though, in practice, it usually takes 1-2 months, so it's a major pain for the paycheck-to-paycheck people out there).

phyrfox
  • 764
  • 4
  • 8
  • This reminds me of an article I read years back with someone recounting anecdotes from a friend, who was a prostitute, who would do a low-tech version of this with carbon paper and a spoon. But I definitely remember the device above, as well as doing something like that as a bank teller (with the similar delay in processing). – Sean Duggan Feb 26 '22 at 17:54
  • 15
    Hmm, I don't recall needing to enter my postal code when purchasing things online with card. Although in practice I do supply it both to the merchant (for shipping address) and my bank (for sending my card/correspondence). But I don't think the part where I enter my card data has ever requested a postal code. – Vilx- Feb 26 '22 at 18:05
  • 2
    @Vilx- Here's an example from Nintendo: https://imgur.com/LpdjaFh. Most of the time, it's transparent, because your address is already on file (e.g. Amazon). Here's an API provider's blog post about postal codes: https://paylinedata.com/blog/what-is-a-postal-code-on-a-credit-card. Generally speaking, most places you buy from online require a postal code that matches the card's billing address (at least, in my experience). – phyrfox Feb 26 '22 at 18:42
  • 2
    Interesting that the sample picture is a Hebrew, presumably from Israel, machine. Hebrew is written right to left instead of left to right. But of course credit card numbers are the same worldwide, so left to right, and the phone number 03-5726333 is left to right. The only English in this picture is the VISA logo. The Hebrew on the edge means "Even better, VISA". This machine was clearly supplied by VISA. But it was just a mechanical device - every merchant used the same one for VISA/MasterCard/AmEx/etc. – manassehkatz-Moving 2 Codidact Feb 27 '22 at 01:25
  • 3
    "Aside from that, keep in mind that online transactions require the credit number, expiry date, CVV, and the postal code for the customer" This is only true for some users, it is common in the united state but not in Europe. – Dragon Creature Feb 27 '22 at 14:02
  • 5
    I do remember several services requiring post code, but they're are in overwhelming minority. 99% of online transaction I did were without any code or address. I also worked on transaction processing software and none I've seen ever listed that as requirement. PAN and expiry date are the only required fields. CVV is asked 95% of time, but it is actually optional for some major merchants too. – Oleg V. Volkov Feb 27 '22 at 22:46
  • They usually ask for the zip for the card when I order food. Which is stupid because that's where it's going, along with the rest of my address. Always, at the gas pump. – Mazura Feb 28 '22 at 02:08
  • Using my Israeli credit card, I've never had to enter my post code for validation, on neither local or international sites. We're usually asked for the Israeli ID number (similar to US SSN, but not considered secret). – Jonathan Feb 28 '22 at 08:37
  • To those speaking of how postal code isn't a guarantee, I'm more than willing to concede that it might indeed be a regional thing or just some odd fluke of the vendors that I use. I've amended that paragraph to be less assertive on that point. – phyrfox Feb 28 '22 at 10:11
  • 1
    might also be worth mentioning that under the old design, a single picture of the back of the card could get all of the necessary information from a card, since the embossing was typically achieved by a card stamping process from the back of the card, as opposed to an additive buildup on the top of the card. Thus not providing the security from photography that the OP assumes. – illustro Feb 28 '22 at 13:37
  • @Mazura That's true if you are ordering for yourself. But what if a relative is treating you for a gift or the boss paying for an office party? Or even yourself, but delivered to work. (OK most of my relatives who would do such a thing, plus my office, are all in one zip code, but that isn't typical, I don't think.) – manassehkatz-Moving 2 Codidact Feb 28 '22 at 18:49
12

The numbers on the back mean that the numbers are hidden when the card is in the chip reader. Since the card can be in the reader for anywhere between seconds and minutes, the numbers are well hidden. Now even when the numbers are on the front of the card part of the 16 digit number is hidden by the reader, but the last four+ digists might be exposed.

So putting all the numbers on the back helps.

mhoran_psprep
  • 139,546
  • 15
  • 193
  • 389
  • 14
    I'm not saying this is wrong but at least national retailer Walgreens chip readers need the card chip-down, and iPad+chip dongle terminals flip from the seller to the buyer for the buyer's tip entry and finger-signature, so the card orientation could be either way when the card is in. Are there any references to this as a deliberate security consideration? – user662852 Feb 25 '22 at 19:32
  • @user662852 - I don't have any references to back it up, it was just something firmly lodged in my mind. I don't know where the idea comes from, I could have made it up myself. – Vilx- Feb 26 '22 at 02:00
  • 1
    Anyways, the number on the front is useless alone, isn't it? You need the CCV to do any purchasing. – Vilx- Feb 26 '22 at 02:02
  • 1
    @user662852 Which nation are you referring to? I've been to a number of Walgreens in my area (Colorado, USA) and all of them require chip-side-up. – phyrfox Feb 26 '22 at 13:50
  • 3
    The new POS POS at Walgreens make me insert it the three wrong ways it's possible before I get it right. – Mazura Feb 28 '22 at 02:11
  • They have USB 2.0 based card readers, @Mazura? – FreeMan Feb 28 '22 at 17:20
  • @phyrfox USA and I finally remembered to note the brand of the POS system was Equinox. Do your local Walgreens use a POS like this? The product video shows card going chip side down https://www.equinoxpayments.com/products/luxe8500i/ – user662852 Jun 12 '22 at 00:25
6

Printing on the back is cheaper, and more and more transactions happen by NFC - touching the card to the terminal or holding it near it, or using your phone; in all those cases, you can hold the card so nothing is visible to anyone.

Aganju
  • 37,683
  • 7
  • 57
  • 119
4

Overall, this change slightly increases security.

Sadly, it's still pretty common for some merchants to not even validate anything beyond just the CC number and expiration date, and because of this it's better to not have anything showing on top of the card, which was still pretty standard until a few years ago.

The biggest change here is when the card is in your possession, make a conscious effort to keep it face up so passersby can't snap a picture of it. When it's not in your control, this doesn't really reduce security much because if someone is trying to steal your CC info, having to snap two pictures instead of one probably isn't enough to deter them.

Side Note: I used to work as a cashier in 1990 and we used a carbon copy device like the one shown in phyrfox's answer. If it wasn't a customer I recognized I was instructed to ask to see their driver's license, and I would have to write down that number along with their phone number in case the card was declined, which we wouldn't find out about until that evening.

TTT
  • 47,155
  • 7
  • 99
  • 151
  • 1
    Credit cards have such a WEIRD history. This day and age when everything is constantly online many of the choices made earlier seem bizarre. But they did make sense at the time when they were made. – Vilx- Feb 27 '22 at 01:07
  • 3
    @Vilx- yeah. As a cashier I had to look at the card manually to make sure the expiration date was in the future. One time I accidentally didn't notice a card was expired, and when the card was declined, the manager called the bank and they approved it. :) – TTT Feb 27 '22 at 01:19
2

There have been issues of people posting photos of their shiny new cards online (see https://twitter.com/needadebitcard) - particularly as some fintechs have very pretty cards, or are exclusive. Putting the numbers on the back makes it possible to have this bring in new users without being such a large security issue.

davidsheldon
  • 256
  • 1
  • 4
  • 4
    So it helps protect stupid and vain people from themselves. I'm not sure if that's a benefit or not... – FreeMan Feb 28 '22 at 17:21
  • The war against stupidity can never be won... But I guess this doesn't hurt either. – Vilx- Feb 28 '22 at 17:25
  • On the other hand, we kinda do come back to the issue of everything being in one place. Someone just needs to ask them to show what the other side of the card looks like. – Vilx- Feb 28 '22 at 17:27