41

A school wants my credit card data, including the security code. They've sent me a form to fill in about my card. As I know, the security code is something that shouldn't be shared publicly. Should I provide it to them?

[Image of the school's payment form was attached here; not reproduced.]

Green
  • Are you paying them for something, and using a credit card to do so? Or was this an unexpected request for your information? – yoozer8 Dec 20 '18 at 12:53
  • It seems to me you might be thinking they are asking for what we call in the UK "a PIN number" because you say it "is something that shouldn't be shared publicly". You definitely shouldn't share the security code you use to pay for items in a shop, or get money out of an ATM, with anyone, ever. But, that's not what they are asking for here. It is a badly worded form, imho, and should make clear that they are asking for the last three digits from the signature strip on the back of the card. If you comply, it'll mean the school can charge your card, but the charge will be recorded. – lukkea Dec 20 '18 at 17:35
  • Consider editing the institution's name out of the post, then flagging your post asking a moderator for a revision purge. You don't want this institution coming after you for damages to their reputation. – corsiKa Dec 21 '18 at 22:13
  • Probably more than half of all merchants I interact with do this, and nearly all doctor and dentist offices (e.g. when receiving a bill). Similarly to the common practice of prohibiting certain symbols in password fields, I just write it off as inevitable overhead you have to pay to live in today's society. – MooseBoys Dec 21 '18 at 23:30
  • While the top-voted answers are accurate, they don't answer the obvious question: What can the customer do when faced with such a form? Can a customer report the merchant for doing this? – krubo Dec 22 '18 at 17:50

5 Answers

54

It means that the merchant's (here, a university's) process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.

Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.

The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).

In the process, they are violating the clear wording of the Visa rules:

[Two screenshots of the Visa rules were attached here; not reproduced.]

Ben Voigt
  • Comments are not for extended discussion; this conversation has been moved to chat. – JohnFx Dec 23 '18 at 03:40
  • To summarise my downvote, which I stand by despite other discussion: there are several reasons they might be asking for this information, and even if they are all morally or legally wrong, this answer provides no evidence for its assertion of one specific reason. The answer could be greatly improved by removing the overconfident "this means that..." summary, and listing some of the other possibilities (e.g. misuse of an e-commerce PDQ for convenience). – IMSoP Dec 24 '18 at 12:15
37

This violates PCI-DSS

They are only allowed to use the security code or full-stripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.

Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.

This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.

All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering Macbook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.

Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.

They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.

Harper - Reinstate Monica
  • Incorrect. Words of PCI: "PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized." They can collect the information on paper, as long as it is shredded after they obtain authorization. – user71659 Dec 21 '18 at 19:51
  • @user71659 on second read of that, I see where that makes sense, but I find it difficult to believe the text imagines extended retention of that data, on paper, sent through mail, intercampus mail, handled in offices etc. for days. Maybe if it was handled in the same manner that they handle cash payments, but I really do not think that is the case. – Harper - Reinstate Monica Dec 21 '18 at 20:33
  • Did OP ever indicate the intention is to print this form and fill it out on paper? We all seem to have assumed that. They could well expect it to be filled electronically and e-mailed to them; in which case it is basically impossible to actually destroy the information after use in a PCI compliant way. While it's possible this could be part of a technically compliant with regulation if not intent process (the form is printed and shredded properly immediately after use), the process would be burdensome and unlikely to actually be followed. – Affe Dec 21 '18 at 23:56
  • @user71659: Another strike against your idea that it can be stored for an arbitrary length of time until the transaction is processed: Cards that have dynamic CVV codes – Ben Voigt Sep 19 '19 at 22:10
  • @BenVoigt By golly, I think you might be right. – Harper - Reinstate Monica Sep 19 '19 at 22:15
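The collect-authorize-destroy handling that the PCI DSS wording quoted in the comments permits, modelled as an added Python example (not code from this Q&A, PCI, or any processor): the CVV2 is used once to obtain an authorization and then cleared, only the last four digits, expiry and authorization code remain on file, and a Luhn-filtered scanner flags full card numbers left behind in stored text. `authorize_with_processor` is a hypothetical stub and all sample form data is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
import re


@dataclass
class CardPaymentForm:
    """Fields as they appear on the paper form (sample values are constructed)."""
    cardholder_name: str
    pan: str                 # full card number as written on the form
    expiry: str              # "MM/YY"
    cvv2: Optional[str]      # security code: transient, must never be persisted
    billing_zip: str


@dataclass
class StoredPaymentRecord:
    """The only card data that may remain on file once the charge is authorized."""
    cardholder_name: str
    last4: str
    expiry: str
    auth_code: str


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by card numbers; filters random digit runs in the scanner."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def authorize_with_processor(form: CardPaymentForm, amount_cents: int) -> str:
    """Hypothetical stand-in for the processor API: the one moment the CVV2 is used."""
    digits = re.sub(r"\D", "", form.pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("invalid card number")
    if form.cvv2 is None or not re.fullmatch(r"\d{3,4}", form.cvv2):
        raise ValueError("card-not-present authorization requires the CVV2")
    return f"AUTH{amount_cents:08d}"


def process_payment(form: CardPaymentForm, amount_cents: int) -> StoredPaymentRecord:
    auth_code = authorize_with_processor(form, amount_cents)
    digits = re.sub(r"\D", "", form.pan)
    # Authorization obtained: drop the sensitive authentication data immediately
    # and mask the PAN on the intake object so nothing downstream can file it.
    form.cvv2 = None
    form.pan = "*" * (len(digits) - 4) + digits[-4:]
    return StoredPaymentRecord(form.cardholder_name, digits[-4:], form.expiry, auth_code)


PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> List[str]:
    """Flag Luhn-valid 13-19 digit runs in stored text such as a spreadsheet export or
    an OCR'd form. A CVV2 is three or four bare digits and cannot be found this way,
    which is why its retention has to be prevented at intake, not cleaned up later."""
    return [re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]
```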
27

The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.

If you want to pay for this service with your credit card, then yes, you should provide them with this code.

An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.

When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.

Ben Miller
  • Good answer, although I wonder why this school is still using paper to process credit card payments. Online payments on a secure page are safer than on paper. Where I live, you can pay college charges directly on the college's website (talking about cc payment). – Gainz Dec 20 '18 at 12:47
  • @Gainz I smell the stench of dark or shadow IT. And while there often are times when going around central IT is necessary; doing so for anything financial makes me cringe. – Dan Is Fiddling By Firelight Dec 20 '18 at 15:40
  • "If you do not provide it, they will not be able to charge your credit card." is flatly wrong. They may be unable to process it as a "Card Present" transaction, which may cause higher fees from their processor, but the only mandatory information is card number and expiration date -- even zip code mismatch is a warning not a fatal error. And the more information you provide, the stronger the bank's case that you authorized the use of your card (as opposed to initiating a single transaction). OP will be liable for transactions made by someone he authorized to use his card. – Ben Voigt Dec 20 '18 at 17:36
  • @BenVoigt I disagree, and I believe you are mistaken. The security code is not a secret PIN, it is not proof that you authorized a charge, and it will not make you liable for a fraudulent charge. – Ben Miller Dec 20 '18 at 17:45
  • @BenVoigt is correct, this answer is totally wrong and should be removed. Card verification numbers are not supposed to be stored. They are not secret (i.e. the customer can give them to a vendor), but recording them in non-volatile media (i.e. paper, database, etc.) would make this vendor non-PCI-compliant. The only reason they would need them would be to miscategorize their transaction. "Card-on-file" and "recurring" transactions don't require them. – SaSSafraS1232 Dec 20 '18 at 21:30
  • The CVV may not be a "secret" but it is forbidden to be stored, including on paper or electronic forms. The school's process is flawed at best. – stannius Dec 20 '18 at 21:37
  • @SaSSafraS1232 Even if the school is not "supposed" to do things this way, it does not invalidate any of my answer. The fact is that if the OP wants to pay via credit card, he'll need to provide the security code, and it's really not an issue as far as the OP is concerned. Credit cards are inherently insecure, and consumers are not liable for fraudulent transactions. – Ben Miller Dec 20 '18 at 21:44
  • @BenMiller: It's not about "proof you authorized a charge", but about proof that you authorized the person who made the charge to use your card information. If you let someone use your card for one purpose, you're liable for any charge they make with it. If you hand someone a card to pick up lunch for your team, and they pop into the jeweler's on the way, the bank will not consider that fraud. You would own what your card paid for, and have a civil case against the person who pocketed it -- but the bank will not get involved. This situation looks to the bank like loaning out your card. – Ben Voigt Dec 21 '18 at 00:41
  • "If you do not provide it, they will not be able to charge your credit card." Not true. Some (all?) credit card processors would still accept it, they would just charge higher transaction fees (both to encourage on-boarding onto cvv, and to cover increased rates of fraud). Amazon doesn't ask for it, for example (at least where I am). – Alexander Dec 21 '18 at 01:39
  • @BenVoigt Your hypothetical is not analogous to the OP’s situation here. – Ben Miller Dec 21 '18 at 02:18
  • @SaSSafraS1232 No, you're totally wrong about CVVs. CVVs may not be stored after authorization. Visa's exact words: "Never retain full-track, magnetic-stripe, CVV2, and chip data subsequent to transaction authorization.*" As long as they shred the form after authorization, they are in compliance. There is no requirement about "non-volatile media". And note their asterisk: "In certain markets, CVV2 is required to be present for all card-absent transactions." – user71659 Dec 21 '18 at 03:48
  • It's about 10 years since I worked in this field, but I did handle the certification of online credit card handling software with various UK card issuers via real-time card authorisation. At that time, it was the decision of the merchant as to whether they accepted a transaction or not, based on the returned indication from the card issuer as to whether the CVV2 and Address Verification fields matched. Once you've had a CVV2 match from a known customer (i.e. on first transaction) there was no need to send it on subsequent ones. – Alnitak Dec 21 '18 at 11:16
  • @BenVoigt "'If you do not provide it, they will not be able to charge your credit card.' is flatly wrong." Well, not flatly wrong. They may be able to get an authorization (there is no rule that issuers must require a CVV2), but it's quite likely that a missing CVV2 will result in a decline. "They may be unable to process it as a "Card Present" transaction" That makes no sense. If they are asking for the CVV2, that indicates a card not present transaction. With a card present transaction, the CVV1 is expected. – Acccumulation Dec 21 '18 at 20:36
  • "which may cause higher fees from their processor" It's mainly the network/issuer that charges higher fees. "the only mandatory information" The term "mandatory" is vague. Does it mean "what is required for the network to refuse to accept it" or does it mean "what is required for the issuer to accept it"? " If you let someone use your card for one purpose, you're liable for any charge they make with it." That is simply false, and shows that you have no idea what you're talking about. Stop posting nonsense and misinforming readers. – Acccumulation Dec 21 '18 at 20:36
  • @Acccumulation: If the network gives an authorization acceptance, the merchant may then choose to decline it, but that is their choice. BenMiller is wrong to describe that as "not able to charge the card". As for claiming I have no idea what I'm talking about, educate yourself by googling "If you permit any person to use your card". Banks treat giving out the card number and authorization code together as informally creating an authorized user, who can then perform multiple transactions and you are liable. – Ben Voigt Dec 21 '18 at 20:46
  • @BenVoigt Again, the situation you present of giving your number to a friend/family member is not the same as giving your number to a merchant and having it misused or stolen after the fact. – Ben Miller Dec 21 '18 at 20:49
  • @Acccumulation: And no, this order form is not supposed to create an authorized user, but from the information available to the bank (entity has account number and all the authorization codes) it looks like it, leaving OP with the undesirable task of proving he didn't give permission. – Ben Voigt Dec 21 '18 at 20:50
  • @BenVoigt "If the network gives an authorization acceptance, the merchant may then choose to decline it" The network doesn't authorize transactions, the issuer does. "BenMiller is wrong to describe that as "not able to charge the card"." If the issuer declines the transaction, then it is reasonable to refer to that as "not able to charge the card". And issuers are free to decline any card not present transaction without a CVV2. "As for claiming I have no idea what I'm talking about, educate yourself by googling" If you have a specific cite, present it. Telling me to google it is not a cite. – Acccumulation Dec 21 '18 at 20:57
  • "Banks treat giving out the card number and authorization code together as informally creating an authorized user" The term "authorized user" refers to a person who is officially added to an account, such as a spouse, and is allowed to use the card as a normal cardholder. – Acccumulation Dec 21 '18 at 20:58
  • The first result that comes from googling "Adding an authorized user" is here "... The authorized user receives a credit card with his name on it, and he can use the card just the same as if he were the primary account holder ... To add an authorized user, contact your credit card issuer by phone or by logging on to your online account. The card issuer will need the authorized user's personal information, including their name, address, date of birth, and social security number, to process the request..." – Acccumulation Dec 21 '18 at 20:58
  • With every comment, you are simply adding more and more evidence that you don't know what you're talking about. – Acccumulation Dec 21 '18 at 20:58
  • @Acccumulation: The fact that ordering a card for someone establishes an authorized user does not mean it is the only action that creates an authorized user. (A -> B therefore /A -> /B) is one of the most basic logic fallacies around ("Inverse fallacy"). Bank of America calls this situation "Persons using your account" but Northwest Bank has the same rule under the exact title "Authorized Users". – Ben Voigt Dec 21 '18 at 21:33
  • @Acccumulation: And I certainly never said that the authorization acceptance was decided solely by the network, of course the card issuer was involved. But the merchant never contacts the issuer directly, they receive the authorization from the network through the API of their own merchant processor. There may be numerous other parties involved, such as digital wallets. None of those are relevant to the merchant. – Ben Voigt Dec 21 '18 at 21:37
  • @BenVoigt My cite doesn't say that ordering a card establishes an authorized user, it says that establishing an authorized user causes a card to be sent to them. I.e. "if authorized user, then receive a card". It logically follows that if they don't receive a credit card with their name on it, they are not an authorized user. This is known as the "converse". – Acccumulation Dec 21 '18 at 21:50
  • Now, you could claim that this issuer is an outlier, and most other issuers have other policies, but you pretending that I am engaging in the inverse fallacy shows either your lack of understanding of my comment, a lack of understanding of logic, mendacity, or some combination of the three. Your comments are becoming quite tedious. Nonsensical comments delivered in a condescending tone is not a pleasant combination. – Acccumulation Dec 21 '18 at 21:50
  • "And I certainly never said that the authorization acceptance was decided solely by the network, of course the card issuer was involved." If by "give", you meant "passes on", that is very poor wording that is bound to cause confusion. – Acccumulation Dec 21 '18 at 21:56
  • @Acccumulation: You are describing one action, for a process that both establishes an authorized user and sends a card. This is not necessarily the only rule for creating an authorized user. When you have an example that I cited for you, and I threw in the word informal in front of authorized user, that maybe should have alerted you to the fact that I'm talking about a different process than the "call your bank and create an authorized user" you're thinking of. But your lack of familiarity does not mean it doesn't exist -- it's right there in the T&C. Your citation is not a T&C. – Ben Voigt Dec 21 '18 at 22:44
8

This is completely insecure and personally, I wouldn't supply the info.

As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president are going to be putting your information at risk.

If you must do this, some options:

  • see if you can pay in person.
  • create a temporary credit card number with a very low limit (some cc's offer this feature)
  • pay by cash.
James
6

Placing all of the information required to authorize a card-not-present transaction on a paper form that will be subject to potential mail theft or skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.

Consider alternative payment options:

  1. Money order/cashier's check. Do not give them a personal check; the numbers on the bottom are much more dangerous than the CVV2 code on a credit card.
  2. Cash (get a receipt though!)
  3. Prepaid Visa card.

They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.

le3th4x0rbot
  • +1 for solving the real issue, since just saying "hey, your policy is bad, and you need to change it" is unlikely to have any effect, particularly since the people that the prospective student is likely to be able to speak to are unlikely to be people who have the authority to make a change. – Beska Dec 22 '18 at 18:17