A school wants my credit card data, including a security code. They've sent me a form to fill in about my card. As far as I know, the security code is something that shouldn't be shared publicly. Should I provide it to them?
5 Answers
It means that the merchant (here, a university)'s process is to deceive their processor by falsely submitting the charge as a "CVV2 with Magnetic Stripe failure" transaction.
Having the card present during a transaction reduces fraud, so the card issuer and processing network are less likely to incur fraud investigation costs (or even eat the whole charge), and this savings is passed along to the merchant in the form of lower fees.
The merchant is trying to qualify for those lower fees when the card is not actually present at the time of authorization (it's a very high risk situation). In the process, they're putting you at increased risk of fraudulent future charges, and making it more difficult for you to contest those charges (because the thief will have the CVV code which serves as evidence, not incontrovertible, but still strong evidence, of your agreement to the charge).
In the process, they are violating the clear wording of the Visa rules:
This violates PCI-DSS
They are only allowed to use the security code or full-stripe data momentarily during a transaction. They are not allowed to retain it, even for a minute.
Even worse, this form has the fivefecta of the 3 credit card fields, cardholder name and Billing ZIP. That's all you need to plug into most website order forms.
This document appears to be a carrier document for a bunch of things, and is then filed or forwarded on as a proof of payment or somesuch. It sits in their mailbox, sits in some clerk's inbox, gets stacked and piled, gets passed around the university departments, and you know they file it. Retaining this is the height of moronitude, and someone needs to explain it to them.
All it takes is for someone who knows their mechanism to grab a stack and run, then later sit somewhere on campus on their WiFi ordering MacBook Pros. For double laughs, from the Apple student webstore for that university, so it's hard to tell it from a bona-fide student purchase.
Due to the liability shift, the university would be on the hook for the subsequent audit, fines, and every fraudulent charge.
They need to make whatever arrangement they need to make with their bank such that they can run these charges without the security code.
The reason that they are asking for it is because they need it in order to process the credit card payment. They are required by their credit card processor to enter it. If you do not provide it, they will not be able to charge your credit card.
If you want to pay for this service with your credit card, then yes, you should provide them with this code.
An unscrupulous worker at the school could use the information on this form to make fraudulent charges on your card, but that can happen at any time for a whole host of reasons that are out of your control. You need to scrutinize your credit card transactions continuously to look for bad charges and contact the credit card company if they are discovered.
When you find fraudulent transactions, they may be a result of someone from the school, but they could instead be a result of a hacking or skimming event that has nothing to do with this school. You will not be held liable for those charges.
This is completely insecure and personally, I wouldn't supply the info.
As you've reasoned, you will have no idea how your information is used once it's left your hands, and you'll never know if it's been disposed of properly (shredded/destroyed). Furthermore, the fact that they follow such insecure practices tells you that at the institution level they haven't a clue about the importance of protecting private and financial information. That means everyone from the janitor to the school president is going to be putting your information at risk.
If you must do this, some options:
- see if you can pay in person.
- create a temporary credit card number with a very low limit (some cc's offer this feature)
- pay by cash.
Placing all of the information required to authorize a card-not-present transaction on a paper form that will be subject to potential mail theft or skimming in the office is not a particularly good idea. Other answers mention things the school should do. This is not a helpful way to think about the problem... you are not the school and have no agency over their practices. Instead, protect yourself.
Consider alternative payment options:
- Money order/cashier's check. Do not give them a personal check; the numbers on the bottom are much more dangerous than the CVV2 code on a credit card.
- Cash (get a receipt though!)
- Prepaid Visa card.
They may be less keen on accepting checks or cash because it is not the process, but a prepaid Visa limits your risk to the stored value and you can throw it in the bin afterwards.


