[153656] in North American Network Operators' Group
Re: CVV numbers
daemon@ATHENA.MIT.EDU (Aled Morris)
Sat Jun 9 18:13:31 2012
In-Reply-To: <CACnPsNUJXHdEeKc7OnWAD9e8Gqv+VD=v-+KxwZjFHYcWQJQoPA@mail.gmail.com>
Date: Sat, 9 Jun 2012 23:12:56 +0100
From: Aled Morris <aledm@qix.co.uk>
To: Scott Howard <scott@doc.net.au>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 9 June 2012 22:42, Scott Howard <scott@doc.net.au> wrote:
> There is no way to "derive" the CVV2 number. It is little more than a
> random number assigned to the card.
> [...]
> It is verified by comparing it to the known CVV2 number stored by the
> credit card company/bank that issued the card.
>
>
I don't think this is correct - I believe the Wikipedia entry is accurate:
---snip---
CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The
values are calculated by encrypting the bank card number (also known as the
primary account number or PAN), expiration date and service code with
encryption keys (often called Card Verification Key or CVK) known only to
the issuing bank, and decimalising the result
---snip---
http://en.wikipedia.org/wiki/Cvv2
I suspect the issuing banks can share their CVKs with the card scheme
operators (Visa, MC, Amex) if they want them to validate transactions on
their behalf.
Aled
