nanog mailing list archives

Re: CVV numbers

From: Aled Morris <aledm () qix co uk>
Date: Sat, 9 Jun 2012 23:12:56 +0100

On 9 June 2012 22:42, Scott Howard <scott () doc net au> wrote:

There is no way to "derive" the CVV2 number.  It is little more than a
random number assigned to the card.
[...]
It is verified by comparing it to the known CVV2 number stored by the
credit card company/bank that issued the card.

I don't think this is correct - I believe the Wikipedia entry is accurate:

---snip---
CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The
values are calculated by encrypting the bank card number (also known as the
primary account number or PAN), expiration date and service code with
encryption keys (often called Card Verification Key or CVK) known only to
the issuing bank, and decimalising the result
---snip---
http://en.wikipedia.org/wiki/Cvv2


I suspect the issuing banks can share their CVKs with the card scheme
operators (Visa, MC, Amex) if they want them to validate transactions on
their behalf.

Aled

Current thread:

Re: CVV numbers, (continued)
- Re: CVV numbers Lynda (Jun 09)
  - Re: CVV numbers Owen DeLong (Jun 09)
    - Re: CVV numbers Alexandre Carmel-Veilleux (Jun 09)
    - Re: CVV numbers Wayne E Bouchard (Jun 09)
    - Re: CVV numbers Barry Shein (Jun 09)
    - Re: CVV numbers John Adams (Jun 09)
    - Re: CVV numbers Scott Howard (Jun 09)
    - Re: CVV numbers Matthew Palmer (Jun 09)
    - Re: CVV numbers Jimmy Hess (Jun 09)
    - Re: CVV numbers Scott Howard (Jun 09)
    - Re: CVV numbers Aled Morris (Jun 09)
    - Re: CVV numbers Barry Shein (Jun 10)
    - Re: CVV numbers Barry Shein (Jun 10)
    - Re: CVV numbers Jay Ashworth (Jun 09)
    - Re: CVV numbers Owen DeLong (Jun 10)
    - Re: CVV numbers Gary Buhrmaster (Jun 10)
- Re: CVV numbers Joel Maslak (Jun 09)
  - Re: CVV numbers Stephen Sprunk (Jun 09)
  - Re: CVV numbers Scott Howard (Jun 09)