0

According to Google:

A CVV is the three- or four-digit number on your card that adds an extra layer of security when making purchases online or over the phone. It serves to verify that you have a physical copy of the card in your possession and helps protect you if your card number falls into the hands of hackers and identity thieves. (Dec 18, 2019)

I fail to see how that is secure at all. Every single time I share my CC # with a processing agent, they also ask for the CVV. Therefore anyone who has heard me read out my number has also heard me read out my CVV. The two go together. All the time. They are never separated. Therefore the statement "it serves to verify that you have a physical copy" is not at all true.

Why hasn't this false "security" feature been obsoleted and replaced with more modern security features? I'd like to see it retired.

Octopus

2 Answers

9

There are two reasons why it’s more secure. The first is that when you use your card in person the merchant never gets your CVV, and so if their data is compromised your card number can’t be used for online transactions since your CVV isn’t attached to it. And the second is that PCI rules prohibit merchants from storing your CVV, so even if an online retailer suffers a database compromise your CVV should still be safe since they only had it for long enough to verify a transaction and didn’t store it.

In summary you should be worrying about database leaks, not about someone overhearing you and memorising the nineteen digits you are reading out, and a CVV is a reasonably effective and minimally inconvenient way of protecting you from those.

Mike Scott

7

They are never separated. Therefore the statement "it serves to verify that you have a physical copy" is not at all true.

They are. The CVV is never stored by the merchants. So while someone can get your card number from statements you threw in the trash or from a data dump leaked from your grocery store, the CVV is only stored on your actual physical card. It also changes every time your card is reissued. Some issuers generate a new CVV every time the card is printed (even if nothing else changes), others only generate a new CVV if something changed (expiration, mostly).

Why hasn't this false "security" feature been obsoleted and replaced with more modern security features? I'd like to see it retired.

It is not at all false. It's a simple and effective method to confirm that you do in fact possess the card you're trying to use. While the magnetic stripe version has been deprecated in favor of the EMV chips, the printed version persists because it's both inexpensive and very effective.

However, its effectiveness depends on merchants both requiring it and not storing it. While not storing it is a contractual obligation (merchants caught storing CVV2 may end up being dumped by their processors and sued by their consumers), using it to begin with apparently is not. Some online merchants process transactions without ever asking for CVV2 from the customers.

littleadv
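An added example, not part of either answer: a sketch of the handling both answers describe, where the merchant passes the CVV to the processor once and persists the order without it, plus an audit that finds any CVV field left in stored records. The field names, the `send_to_processor` callback and the sample request are assumptions made up for this illustration.

```python
import re

# Key names assumed (for this example) to carry the card verification code.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "securitycode"}

def _norm(key):
    """Lower-case a key and drop separators so 'Security_Code' matches 'securitycode'."""
    return re.sub(r"[^a-z0-9]", "", str(key).lower())

def strip_cvv(obj):
    """Return a deep copy of obj with every CVV-like field removed, at any nesting depth."""
    if isinstance(obj, dict):
        return {k: strip_cvv(v) for k, v in obj.items() if _norm(k) not in CVV_KEYS}
    if isinstance(obj, list):
        return [strip_cvv(v) for v in obj]
    return obj

def find_cvv_fields(obj, path=""):
    """Yield the path of every CVV-like key that holds a 3- or 4-digit value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else str(k)
            if _norm(k) in CVV_KEYS and re.fullmatch(r"\d{3,4}", str(v)):
                yield here
            else:
                yield from find_cvv_fields(v, here)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_cvv_fields(v, f"{path}[{i}]")

def authorize_and_store(request, send_to_processor, db):
    """Use the CVV once for authorization, then persist the record without it."""
    approved = send_to_processor(request)   # the only place the CVV is used
    record = {**strip_cvv(request), "approved": approved}
    db.append(record)                       # card number handling is out of scope here
    return record

# Constructed sample data: a well-known test card number and a made-up CVV.
REQUEST = {"order": 1001,
           "card": {"number": "4111111111111111", "exp": "12/30", "CVV2": "123"},
           "retries": [{"card": {"security_code": "123"}}]}

if __name__ == "__main__":
    db = []
    authorize_and_store(REQUEST, lambda r: True, db)
    print("stored:", db[0])
    print("CVV fields in raw request:", list(find_cvv_fields(REQUEST)))
    print("CVV fields in stored rows:", [p for row in db for p in find_cvv_fields(row)])
```

Running `find_cvv_fields` over an existing order table or log export is the audit side of the same rule: any path it reports is a place where a database leak would expose the CVV alongside the card number.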