
This question is similar in spirit to Why do some online stores not ask for the 3-digit code on the back of my credit card?

I don't see how asking for the credit card's expiration date as well as the number can possibly provide any extra security. As far as I know, the number and the expiration date are always given together when making online or telephone purchases by credit card, so I can't imagine any even vaguely realistic scenario in which a thief could get the number without also getting the expiration date. Unlike with the security code, you don't even need to turn the credit card around to get the expiration date, and there are no rules against storing the expiration date along with the number.

If the point is just to increase the possible number of data combinations in order to prevent brute-force guessing, then it would be far more efficient to just make the number two digits longer. (Since credit cards usually expire 3-5 years after being issued, the expiration month only multiplies the number of combinations by 36-60, whereas two extra digits would multiply it by 100.) That would also make the data format more consistent and simplify data entry and storage.

tparker
  • My first guess was to ensure that the card isn't already expired. But what's to stop the customer from lying? – RonJohn Jul 05 '17 at 01:00
  • @RonJohn Well, they check with the credit card issuer at the point of sale before accepting the payment, right? If the card were already expired, then the payment would get rejected. – tparker Jul 05 '17 at 02:40
  • You can get the number without the date if you have an old bill from my garbage. Or if you have my expired card which I threw out when I got the new one. (Well, not me personally, I shred my bills and cut my credit cards into little pieces, but not everyone does.) – Kate Gregory Jul 05 '17 at 12:09
  • @KateGregory Do your credit card bills really contain the complete credit card number? That seems like the security risk, not failing to ask for the expiration date. Why would they do that? And as discussed below BobbyScon's answer, when a credit card expires I don't think the company ever issues a new card with the same number. – tparker Jul 05 '17 at 17:58
  • your cc company clearly varies. Yes, paper bills did and presumably still do include the entire number. And yes, my number stays the same when I get a new card with a new expiry date. This is my normal. And the people who make all these rules live in the expanded normal that covers all you experience, all I experience, and a whole lot else besides. They make rules to cover all those normals. Now you know. – Kate Gregory Jul 05 '17 at 18:01
  • @tparker - you're confusing 2 conversations. The new card with a different number generally only happens when a card is reported lost or stolen (Bobson originally said he wasn't sure that was the case). All of my cards have retained the same number when I received a new card with a new expiration date. – BobbyScon Jul 06 '17 at 00:05
  • @BobbyScon You're right; my mistake. Nevertheless, if a thief digs your expired card out of the trash, then the new card's new expiration date will be completely trivial to predict by just looking up how long that company's cards are issued for. I can't really see this preventing a theft, but it is a point in the pro-security column. – tparker Jul 06 '17 at 00:12
  • One point regarding the CVV/security code: some cards have them printed on the front (Amex for example). Some cards have expiration printed on the back. So that's not really a point for or against one data point being more hidden than the other. – BobbyScon Jul 06 '17 at 00:24

3 Answers


tldr; There is a potential security benefit to expiration dates (vs longer numbers), but the main reason they exist is probably just leftover from when they were actually needed.

First, here's a security benefit an expiration date has beyond just making it harder to guess:

Expiration dates make it much easier to detect attempts to guess CC numbers.

Imagine that someone is trying to brute force CC numbers. If they didn't need to provide an expiration date they would keep trying different numbers until they hit one that works. From the bank's (or processor) point of view, they only see successful transactions, or invalid account attempts. For those that are invalid there is nothing they can do.

Now consider that the would-be thief is trying account numbers with an expiration date: once they have an account number, they must loop through all the possible expiration dates for that account. Now when the bank (or processor) detects invalid account attempts due to incorrect expiration dates, they know this account has potentially been compromised, and can keep an eye on it. This makes the fraud-detection algorithms much more effective.

Security benefits aside, it's likely that expiration dates made a lot more sense back in the days when transactions weren't approved or denied immediately; they were carbon copied with a swipe machine and processed sometime in the future. Back then the cashiers actually had to look at the expiration date and make sure the card was still valid before accepting it as payment. Even if expiration dates aren't actually needed anymore, there are enough minor benefits besides security to keep them around, such as giving banks a reason to send you a new card with an updated look and feel, or additional technology embedded (chip), or even just to force you to notify the bank of your current address so you can receive the new card.

TTT
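TTT's detection argument, worked through as an added example (this is not code from the answer or from any card network; the card file, the authorization log and the response codes APPROVED, EXPIRY_MISMATCH, NO_SUCH_ACCOUNT and LUHN_REJECT are constructed for illustration, and the PANs are the usual test numbers, not real accounts). The same constructed log is run twice, once with the expiry required and once without, so you can see which responses the issuer gets to look at in each case:

```python
"""
Issuer-side view of expiration-date guessing: added example, not code from the
original answer. The authorization log, the card file and the response codes
are constructed for illustration; the PANs are well-known test numbers.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed card file: PAN -> expiry (MM/YY) as issued.
CARDS = {
    "4111111111111111": "09/28",
    "5555555555554444": "03/27",
}

# Constructed authorization attempts as (ISO timestamp, PAN, expiry supplied).
# The first five come from someone holding a valid PAN without its expiry and
# cycling through dates; the last one is the legitimate cardholder.
ATTEMPTS = [
    ("2017-07-05T01:00:00", "4111111111111111", "01/27"),
    ("2017-07-05T01:00:05", "4111111111111111", "02/27"),
    ("2017-07-05T01:00:10", "4111111111111111", "03/27"),
    ("2017-07-05T01:00:15", "4111111111111111", "04/27"),
    ("2017-07-05T01:00:20", "4111111111111111", "09/28"),  # the guess that lands
    ("2017-07-05T01:01:00", "4111111111111112", "01/27"),  # fails the Luhn check
    ("2017-07-05T01:01:05", "4111111111111137", "01/27"),  # Luhn-valid, never issued
    ("2017-07-05T02:00:00", "5555555555554444", "03/27"),  # legitimate purchase
]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test that every PAN must pass before the issuer sees it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def authorize(pan: str, expiry: str, require_expiry: bool = True) -> str:
    """Issuer decision for one attempt (constructed response codes)."""
    if pan not in CARDS:
        return "NO_SUCH_ACCOUNT"
    if require_expiry and CARDS[pan] != expiry:
        return "EXPIRY_MISMATCH"
    return "APPROVED"


def process(pan: str, expiry: str, require_expiry: bool = True) -> str:
    """Processor front end: a PAN failing Luhn is rejected and never reaches the issuer."""
    if not pan.isdigit() or not luhn_ok(pan):
        return "LUHN_REJECT"
    return authorize(pan, expiry, require_expiry)


def issuer_view(attempts, require_expiry: bool = True) -> Counter:
    """What the bank sees: a count of response codes over the log."""
    return Counter(process(pan, exp, require_expiry) for _, pan, exp in attempts)


def flag_expiry_guessing(attempts, require_expiry=True, threshold=3,
                         window=timedelta(minutes=10)):
    """PANs that collected `threshold` EXPIRY_MISMATCH declines within `window`.

    A NO_SUCH_ACCOUNT decline says nothing about any real card, and an APPROVED
    response looks like a sale. An EXPIRY_MISMATCH decline means the caller has
    a valid PAN but not its expiry, which is what a brute-forcer looks like; a
    burst of them on one PAN is the signal the answer describes.
    """
    mismatches = defaultdict(list)
    for ts, pan, exp in attempts:
        if process(pan, exp, require_expiry) == "EXPIRY_MISMATCH":
            mismatches[pan].append(datetime.fromisoformat(ts))
    flagged = set()
    for pan, times in mismatches.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(pan)
                break
    return flagged


if __name__ == "__main__":
    print("with expiry:   ", dict(issuer_view(ATTEMPTS)),
          "flagged:", flag_expiry_guessing(ATTEMPTS))
    print("without expiry:", dict(issuer_view(ATTEMPTS, require_expiry=False)),
          "flagged:", flag_expiry_guessing(ATTEMPTS, require_expiry=False))
```

With the expiry required, the four wrong-date attempts on the first PAN show up as EXPIRY_MISMATCH declines and the PAN gets flagged before the fifth attempt lands. Without it, the same attacker's first attempt is simply APPROVED and the issuer's log holds nothing that distinguishes the attack from ordinary traffic apart from the one NO_SUCH_ACCOUNT decline, which is the point TTT makes. The threshold and window are tuning assumptions, not figures from the answer.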

It actually is an extra level of security, exactly as you described. It's not a lot, but it is an extra data point that can be checked against. Someone stealing a card number now has to steal the expiration date data as well, which isn't always the case and not all retailers store expiration data, they simply use it as a checksum.

The expiration date itself serves a few purposes, but primarily as a way for CC issuers to ensure your card is physically operational longer. Mag stripes and lamination wear down after a few years, so having the card expire triggers a new card being sent to you. If you don't destroy that card, and someone else finds/steals it, they won't have the new expiration date to use for the validation process.

Adding more digits to the card numbers is not a simple feat. There is, however, a movement from some of the major companies to start using up to 19 digits on a credit card. (Note that 19 digit cards have existed for a while, but are relatively rare). Even still, longer card numbers really aren't any more secure. Thieves steal the whole card number and it's not just a random generator (although that does exist as well). It's just as easy to steal a 19 digit number as it is a 16 digit number. The expiration date is still a point for validation, regardless of card number length.

Depending on the agreement between the vendor (the store you're purchasing from) and the payment processor, they may be required to gather expiration, CVV, and zip code. For card not present, they may even require mailing address. All of these combine to add even more layers of security, or really, risk reduction. The vendors will pay different per transaction fees based on how much, or little, information they collect.

At the end of the day, there are tons of things the industry could do to decrease risk, but the factors that come into play are largely, if not entirely, logistical.

BobbyScon
  • Do I understand the last sentence of the first answer in your second link correctly when I interpret it to mean that starting later this year, credit cards will have a minimum of 19 digits? Since that change already provides dozens of times more additional protection than the expiration date, why don't they stop requiring it since they're going through a massive logistical overhaul anyway? – tparker Jul 05 '17 at 02:34
  • I would be interested to see if anyone at any point actually ran a cost-benefit analysis of whether the tiny extra security provided by requiring the expiration date is worth the extra cost and inconvenience. Or whether that requirement has ever prevented a single case of credit card theft. I strongly suspect the answer to both questions is no. – tparker Jul 05 '17 at 02:37
  • @tparker - Technically, every piece of current software should support up to 19 digits. There are some debit cards that long, and that's the current maximum defined in the standard. Not everything actually does, but it's supposed to. – Bobson Jul 05 '17 at 02:47
  • @BobbyScon - You may want to add that in the case of a lost card, it's easier to issue a new one with the same PAN but different expiration date, than to issue one with a totally new card number. The old one will still stop working, but anything that saved the card number won't have to replace it. – Bobson Jul 05 '17 at 02:50
  • @Bobson I strongly doubt that any serious credit card issuers would issue a new card with the same number but a new expiration date to someone who lost their old card. It would be trivial for someone with the old card to guess the new combination. Besides, what's the advantage of not needing to update the number if you need to update the expiration date anyway in order for the new card to work? Issuing a new card with the same number but a new expiration date wouldn't give you any convenience gain relative to changing the number, but it would open up a huge security risk. – tparker Jul 05 '17 at 06:12
  • @tparker - I'm pretty sure it happened to me, but I could be misremembering. I think recurring payments only need the expiration date to set it up, and will keep going as long as the number is valid, but again, I could be wrong. And don't forget that the bank sees every attempt to use the card. It'd be pretty obvious if someone was trying to guess the expiration date with repeated attempts. – Bobson Jul 05 '17 at 12:07
  • @tparker - Yes, it does appear that some card issuers may start using up to 19 digits. I didn't read that much into that last sentence as there was no source to back it up, but I am finding other articles mentioning it. I'm updating my answer to reflect. Note that expiration date will still be needed. It's important to note that the requirement for an expiration date is not global. It really comes down to the "card not present" part of the agreement between the vendor and the processor. Why remove an extra data point? Thieves can steal a 19 digit number just as easily as a 16 digit number. – BobbyScon Jul 05 '17 at 12:32
  • @BobbyScon Thieves can also steal a 16 digit number and an expiration date just as easily as a 16 digit number and no expiration date. – tparker Jul 05 '17 at 17:18
  • @tparker - Perhaps. But stolen CC numbers aren't always the source of fraud. TTT's answer relates to that. I'm not saying the expiration date is a big fraud prevention mechanism, but why get rid of an extra data point? Why ask for billing zip code or the CVV? As with the CVV, it helps to reduce the risk that the person using the card has it physically present. The key here is reducing risk, not eliminating it. – BobbyScon Jul 05 '17 at 17:32
  • The reason to get rid of the extra data point is the general principle in information security that the system (as opposed to the keys) should be as simple as possible, because every new wrinkle in the system potentially opens up new avenues of attack. If the security weakness is purely combinatorial, then it's always better to lengthen the key than to change the system itself. – tparker Jul 05 '17 at 18:19
  • The billing zip code and CVV really do provide extra security, because they are more difficult to obtain than the number. The expiration date does not. Turn your question around - why not require even more separate data points that are also listed on the front of the card - like its color? Because doing so would be inconvenient, possibly insecure, and add negligible security. Without a specific vulnerability that the expiration date patches that other numeric codes wouldn't, the only reason to keep it seems to be status quo bias. – tparker Jul 05 '17 at 18:22
  • @tparker - zip and CVV are all stored in the same place expiration dates are when it comes to card not present transactions. The CVV is a 3 digit number on the back (or 4 digits on the front). The expiration is 4 digits on the front (or in some cases the back). Granted, Zip and CVV aren't stored in the mag strip, but your focus is on CnP transactions, so that's really a moot point. If a card number is used on a counterfeit card, they also have to add the expiration, which is not always available to data thieves. It is security, just to a lesser extent than other pieces. – BobbyScon Jul 06 '17 at 00:12

I don't see how asking for the credit card's expiration date as well as the number can possibly provide any extra security.

Expiration dates were never intended at all to provide any extra security. You're working with a flawed premise. A lot of infrastructure was put in place before the advent of instant account verification. At this point (Visa cleared $8,200,000,000,000 of transactions in 2016) changing the data collection practices of the entire system is no small task, no matter how redundant or unnecessary you feel it is.

Expiration dates are about limiting the issuing bank's risk. Collecting and/or recording the expiration date is about limiting or removing the liability on the transaction at the various steps between charge and payment to the vendor in the case of a chargeback. Vendors are under contract not to accept payment from or even attempt to charge a card that has expired and, in the case of stored card data, should not charge account information that has expired. Even if expired account information should fail if an authorization is attempted. And even though present-day credit account renewals involve little more than reissuing a card with a new expiration date.

Not every piece of credit card data is about fraud prevention, though there are tangential anti-fraud uses like reaffirming the expiration date or last 4 of the card number to help ensure the mag strip data matches the physical card info. To reiterate, expiration dates have absolutely nothing to do with security and everything to do with liability.

quid
  • Are you explaining the motivation for having expiration dates, or for giving the expiration dates to the seller at the point of sale? I understand the justification for the former - it's the latter I'm confused about, and I don't see why the seller can't just check whether your card's expired when they run it. – tparker Jul 05 '17 at 06:16
  • @tparker Sellers requesting it at the point of sale are likely doing so to verify it against the one collected by the mag strip reader, same goes for verifying the last 4 of the card number. If the data is entered into the POS system it's likely so the vendor has a record that the data was verified by the cashier. This check assists in weeding out "dupe cards" (cards where the mag strip has been overwritten with new data) – quid Jul 05 '17 at 06:23
  • My question is about sales made online or over the phone - there's no mag strip reader. – tparker Jul 05 '17 at 06:50
  • @tparker, If the question is about questions made over the phone how on earth is the seller supposed to check whether your card is expired? (as you mention in your first comment to my question) They check by asking you the date. Vendors are not supposed to attempt to charge expired cards. – quid Jul 05 '17 at 14:32
  • When you buy things online, the web site checks with the credit issuer whether the card is valid and unexpired before accepting the payment. Similarly, when you buy things in person, the cashier doesn't just swipe the card - they always wait a moment to see whether the payment went through correctly. I assume the same is true for payments made over the phone. – tparker Jul 05 '17 at 17:29
  • When an online vendor submits data for payment it includes the expiration date because expiration date is collected from the buyer. When a cashier swipes the card the reader collects the expiration date for submission. When you submit payment information over the phone you include expiration date. Sure a person can lie, but that doesn't mean the hundreds of millions of dollars of deployed infrastructure aren't expecting an expiration date to be bundled with CC info for processing. Why do you think the expiration date is strictly a fraud prevention tool? – quid Jul 05 '17 at 17:45
  • AND, by contract vendors are not supposed to attempt to charge expired cards. AND by contract card holders are not supposed to attempt to use expired cards. (the same as consumers are not supposed to write checks against accounts that don't have sufficient funds) The vendor is supposed to be the first line of defense to turn down an expired card, because the bank has relinquished its liability as of that date. – quid Jul 05 '17 at 17:52
  • I'm not sure that it's a fraud prevention tool. But I don't see the point of the system having been designed to need the expiration date in the first place - the vendor always checks with the bank whether the card has sufficient credit before accepting the payment, and that check would also reveal if the card is expired. Providing the expiration date seems redundant. – tparker Jul 05 '17 at 17:53
  • It's definitely not intended to be a fraud prevention tool. The vendor wants a record that it believed it was attempting payment from an account presumed to be valid at the time. The vendor, the processing agent, the network and the bank, etc all have some sort of liability on the transaction and each step along the way wants to have its ducks in a row if something goes sideways. Just because there is some sort of precharge verification performed by doesn't mean you can skip the record keeping. And more than account number and amount is submitted for verification anyway. – quid Jul 05 '17 at 18:05