Two nights ago I made a purchase from a website, and it didn’t ask for my CVV. Now, I woke up to an email asking for it. It hasn’t gone through my account yet. Is this as shady as I’m making it out to be?
Here is the text of the e-mail message I received:
Dear Katelyn,
We are ready to process your order but we need the additional three digits located on the back of your credit card on the strip where you sign your name. Please supply us with this number so that we can expedite your order.
DO NOT respond directly to the email with your information.
I cannot stress that enough: DO NOT respond to the email with any valuable information. If you decide to send them the CVV number to process the order, go to their website (do not click on a link in the email), and reach out to them using a customer service email or "Contact Us" number and ask them directly if they have requested this information. If they did, call them over the phone and share the CVV that way, rather than in an email.
This sounds like it could be phishing, where a scammer pretends to be someone you've done business with, and asks you for information that can be valuable. Usually it's for a bank user name and password ("Your password has been compromised. Click here to reset!" -- Never ever click there). If we're honest, I don't think this is phishing (a scammer would need your CC details for the CVV to be of any use), but it could be and it's important to develop safe habits.
A merchant uses that code to process the payment and verify possession of the card if they aren't handed the card in person (i.e. internet purchases). So if they didn't ask for it before, that was probably a mistake and at the very least opens them up to more liability. If they're new to accepting credit card payments, it's possible that they're still figuring everything out and it's an honest mistake. But that's the sort of thing they really should figure out after running a couple of orders (of course, a scammer would have that figured out too, so I wouldn't consider that a red flag per se). (NB: Apparently, the requirement isn't as strong as I originally thought (see comments), but I would consider needing the CVV the norm)
I might be willing to give them a benefit of the doubt if it's a new and small operation (and more businesses have become internet based the last few months for obvious reasons), but I'd be extremely wary of responding directly to the email with any personal or remotely valuable information for the reasons stated above. Reach out to the company directly through the website to confirm, preferably with a phone call. It's not perfect, but much more secure with hopefully just a little more effort.
Once a vendor such as Amazon has verified the CVV and postal code once, there's strictly no need to do it for subsequent purchases.
– Alnitak Jul 14 '20 at 11:23It may not indicate fraud but it suggests incompetence/amateurism on the part of the business. This is not the normal flow for accepting credit card payments -- have they just started doing so?
Ben Miller says:
They could just as easily have been mishandling the code if they had asked for it at checkout.
But asking for it at checkout is likely part of a standard software process. Asking for it in an email suggests an unusual, manual, "roll-your-own" process that is likely less secure than a standard one. Even if you won't be liable for any fraud, it's a sign that the business may also be amateurish in other ways (quality, customer service).
Even if this is an innocent request it's wrong.
PCI-DSS regulations (which have a global reach) are extremely strict about the management of card data. Certain values cannot be retained at all and some must be encrypted both in transit and at rest. The CVV is one of the more protected fields, so the fact that they're asking you to send it by e-mail is already a breach.
At the very least, they don't know what they're doing. This could be captured by a secure web form (most small companies just get an acquiring service to host the page for them), but e-mail capture is definitely not on.
In my opinion, this really depends on the website. If the website is not really a storefront, but is - for example - a local (local to somewhere, anyway) gaming store that sells Magic/Pokémon cards online, something like that, where they take your information through the website but actually enter it in to their POS system by hand, then this is an entirely reasonable thing. This isn't a great way to do things - no part of a system where they enter information into POS that they collected another way is, and it's almost certainly not compliant with how they ought to be doing things - but it's not surprising, either, and probably not fraudulent in that case; they simply forgot to require the code during the checkout process.
However, if the website seemed to be complete with payment information built in, then I would be more wary. That makes it sound a lot more like phishing, to me.
All things considered, though, this seems somewhat low likelihood to be phishing, and high likelihood to be a store that's ... not highly secure. I would not email them back, but instead call them. If they're like I describe and doing things manually in their POS system - then it's possible you can handle this over the phone. Avoiding the CVV code being in email is one major benefit, and secondly you confirm that the email really did come from them by contacting them via a different method (and look up their phone # online, don't use the email you were sent.)
Adding to @davidfulton's answer...
The CVV is a "proof of possession" indicator. If you know the CVV, then it means the card is in your hand and you are reading it off the card. It should never be permanently recorded anywhere. When I'm talking to a customer service agent and they ask for the CVV, my response is "are you writing it down or are you inputting it into a computer?" If it's the former, I don't give it to them.
A properly constructed credit card processing system will handle the CVV properly (and these systems get audited all the time). Writing it down on a piece of paper or putting it in an email is just wrong.
Anyone who knows your CVV and your card number can prove that he/she "possesses" your card.
And yes, PCI-DSS is very fussy about what a merchant can do with card information and CVV information in particular. They should never be asking you to put it in an email.
As a web developer I know that a store's web site should never store your credit card number. It should be passed to the payment gateway directly and never be stored. If the store still has your credit card number 2 days later to use with the CVV they are mishandling your payment information. Otherwise it is a scam. Don't send your CVV, contact the store to see what is going on (they may have been compromised).
CVV is never disclosed unencrypted, i.e. via email. It can only ever be disclosed through a secure credit card processing page. Its probably illegal for the company to request a CVV via email.
Let me ask you these questions:
If you can answer yes to all these questions, then go ahead and give them the code. If you do not give them the code, your order will be cancelled and you will not be receiving your item.
I expect someone to comment at this point and suggest that what they are doing is illegal/improper, and that they shouldn’t need the code. I would say to them (and to you) that this company would not be asking for the code if they didn’t need it to process your order. If you would have provided it at checkout if asked, then you should provide it now.
They will also suggest that the company is mishandling the code. They may or may not be, but that is not really a concern of yours. They could just as easily have been mishandling the code if they had asked for it at checkout.
If it turns out that someone at this company is a crook, or if they get hacked and your card number & code get stolen, you will not be liable for the fraudulent charges. So while it is good to be cautious, if you have no reason to suspect the company/website is fake, I would say go ahead and give them the code.
this company would not be asking for the code if they didn’t need it - email can be spoofed. Easily. It's not necessarily coming from the company. Surely you're aware of spoofed emails purporting to be from $bank? you will not be liable for the fraudulent charges - sure... but in the mean time there's additional balance on your card, you have the headache of getting charges reversed, may need a new card (and need to update the number stored in auto-update and with auto payments), etc etc etc.
Of course, e-mail can be spoofed. That’s why I started the answer the way I did (see third bullet) ... which implies that your average person can determine whether an email is spoofed. Note the comment from @chrylis-cautiouslyoptimistic- saying that even a highly experienced admin can't always tell.
– Mark
Jul 14 '20 at 20:58
Using cards in person or by post, by phone or by WWW since before CVV evolved I don't recall a vendor re-contacting me like that.
Why would they. Security requires websites not to complete check-out with details missing… Imagine "Would you like to Enter your CVV, or is that too much trouble just now?"
Incomplete orders are normally held for a short time; prolly not more than 24 hours, giving the buyer a chance to log back in finish the transaction.
Long before two days the sale should "die" and it's rarely a real nuisance to start another.
– Robbie Goodwin Jul 16 '20 at 20:48