
Is the 3-digit (4-digit for those acolytes of standardization, American Express!) CVV/CSV/CVC calculated from card number and expiration date, or is it merely assigned? I know that once when I got a renewed Visa, it had the same 16-digit account number, different expiration date, and different CVV2.

I've seen some hints that CVV/CSV/CVC can be calculated, but those were in marketing collateral for a credit-card-processing appliance whose name I can't remember maybe 10 years ago. It would seem that compromising such an algorithm would be a very bad thing indeed, but the whole of the credit card industry is riddled with dumb ideas.

Bruce Ediger

1 Answer


CVV is calculated:

[CVV Generate] verb generates a CVV that is based on the information that the PAN_data, the expiration_date, and the service_code parameters provide. This verb uses the Key-A and the Key-B keys to cryptographically process this information.

Source: https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_r_csg.html

This calculation can only be done by the card issuer, due to the use of a pair of cryptographic keys that is known only to the card issuer.

Lie Ryan
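The answer names the inputs (PAN, expiry date, service code) and the two keys, but not the arithmetic. The block below is an added example, not code from the answer or from IBM's CCA library: it implements the publicly documented Visa CVV method (DES under Key A on the first input block, XOR with the second block, then triple DES with keys A, B, A and a decimalisation step) in Go using only the standard `crypto/des` package. The keys `demoKeyA`/`demoKeyB` and the PAN `4111111111111111` are constructed test values, so the CVVs it prints mean nothing for any real card; what it does show is the point of the answer: the same PAN with a new expiry date yields a different CVV, and without the issuer's key pair nothing can be derived from the card data alone.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed demonstration keys (hypothetical; a real issuer's keys live in an HSM).
// Key A and Key B are single-length 8-byte DES keys, as the CVV method uses.
var (
	demoKeyA, _ = hex.DecodeString("0123456789ABCDEF")
	demoKeyB, _ = hex.DecodeString("FEDCBA9876543210")
)

// GenerateCVV derives the 3-digit CVV from the PAN, expiry date (YYMM) and
// service code under Key A / Key B, following the publicly documented
// Visa CVV method:
//  1. concatenate PAN || YYMM || service code and zero-pad to 32 hex digits;
//  2. split the 128-bit result into two 64-bit blocks B1, B2;
//  3. R = DES_A(B1) XOR B2;
//  4. R = DES_A(DES_B^-1(DES_A(R)))   (triple DES with keys A, B, A);
//  5. decimalise R and keep the first three digits.
func GenerateCVV(keyA, keyB []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	for _, field := range []string{pan, expiryYYMM, serviceCode} {
		for _, c := range field {
			if c < '0' || c > '9' {
				return "", fmt.Errorf("non-numeric input %q", field)
			}
		}
	}
	if len(expiryYYMM) != 4 || len(serviceCode) != 3 {
		return "", fmt.Errorf("expiry must be YYMM and the service code 3 digits")
	}
	data := pan + expiryYYMM + serviceCode
	if len(data) > 32 {
		return "", fmt.Errorf("PAN too long for a 128-bit input block")
	}
	data += strings.Repeat("0", 32-len(data))
	// Decimal digits are valid hex digits, so decoding gives the packed-BCD input.
	raw, err := hex.DecodeString(data)
	if err != nil {
		return "", err
	}
	b1, b2 := raw[:8], raw[8:]

	cipherA, err := des.NewCipher(keyA)
	if err != nil {
		return "", err
	}
	cipherB, err := des.NewCipher(keyB)
	if err != nil {
		return "", err
	}

	var step, out [8]byte
	cipherA.Encrypt(step[:], b1) // DES_A(B1)
	for i := range step {
		step[i] ^= b2[i] // XOR with B2
	}
	cipherA.Encrypt(out[:], step[:]) // encrypt under A
	cipherB.Decrypt(step[:], out[:]) // decrypt under B
	cipherA.Encrypt(out[:], step[:]) // encrypt under A again

	return Decimalise(strings.ToUpper(hex.EncodeToString(out[:])), 3), nil
}

// Decimalise applies the CVV decimalisation rule to an upper-case hex string:
// take the decimal digits in order first, then the letters A-F mapped to 0-5,
// and return the first n digits of that sequence.
func Decimalise(hexDigits string, n int) string {
	digits := make([]byte, 0, len(hexDigits))
	for _, c := range hexDigits {
		if c >= '0' && c <= '9' {
			digits = append(digits, byte(c))
		}
	}
	for _, c := range hexDigits {
		if c >= 'A' && c <= 'F' {
			digits = append(digits, byte(c-'A')+'0')
		}
	}
	return string(digits[:n])
}

func main() {
	pan := "4111111111111111" // constructed test PAN, not a real account
	original, _ := GenerateCVV(demoKeyA, demoKeyB, pan, "1605", "101")
	renewed, _ := GenerateCVV(demoKeyA, demoKeyB, pan, "1905", "101")
	otherKeys, _ := GenerateCVV(demoKeyB, demoKeyA, pan, "1605", "101")
	fmt.Printf("PAN %s exp 1605: CVV %s\n", pan, original)
	fmt.Printf("PAN %s exp 1905: CVV %s (same PAN, renewed expiry)\n", pan, renewed)
	fmt.Printf("PAN %s exp 1605 under a different key pair: CVV %s\n", pan, otherKeys)
}
```

Because the final value is only three decimal digits of a 64-bit DES output, the CVV is a short keyed MAC over the card data: it can be verified by whoever holds Key A and Key B, and it leaks nothing about them. Decimalisation is also why there are only a thousand possible values, which is the "10 bits of entropy" raised in the comments.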
  • Why are there only 10 bits of entropy in a CVV? – Awn May 15 '16 at 10:36
  • @Aurora: Probably for ease of use by a consumer. The risk of brute forcing is low because any attempts to guess it will be noticed and acted upon by the card issuer. For example, they may block that particular merchant and notify the cardholder that attempts have been made on their card so that the card can be reissued. If the PAN and expiry combination have been compromised, that whole card can be pretty much considered leaked and it shouldn't be used. – SilverlightFox May 16 '16 at 09:57
  • It seems the risk of a brute force attack is not so low after all :) https://techxplore.com/news/2016-12-seconds-hack-credit-card.html – gabrielmaldi Dec 02 '16 at 19:45
  • Note this answer is about the CVV1 included in the track data, not the CVV2 number which is printed on the backs of cards – William Dunne Mar 12 '19 at 14:20
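The comments turn on whether the issuer actually notices guessing when the attempts are spread over many merchants, as the linked article describes. The detector below is an added illustration of the issuer-side control SilverlightFox describes; it is not code from any issuer or from the page. It keys recent CVV-mismatch declines by PAN rather than by merchant, so a run of distinct wrong values for one card trips the threshold no matter how many merchants the attempts went through. The record shape `CVVFailure`, the window and threshold, the test PAN and the merchant names are all constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// CVVFailure is one issuer-side authorisation attempt declined for a CVV mismatch
// (constructed record shape; a real issuer feed carries many more fields).
type CVVFailure struct {
	PAN      string
	Merchant string
	CVV      string // the wrong value that was presented
	When     time.Time
}

// Verdict summarises what the detector currently sees for one PAN.
type Verdict struct {
	Flagged      bool
	DistinctCVVs int
	Merchants    int
}

// GuessDetector keeps the recent CVV failures per PAN and flags the card once the
// number of distinct wrong values tried within Window reaches Threshold. It counts
// across merchants on purpose: a guess spread over many merchants never trips a
// per-merchant limit, but the PAN still accumulates distinct wrong values.
type GuessDetector struct {
	Window    time.Duration
	Threshold int
	recent    map[string][]CVVFailure
}

func NewGuessDetector(window time.Duration, threshold int) *GuessDetector {
	return &GuessDetector{Window: window, Threshold: threshold, recent: map[string][]CVVFailure{}}
}

// Record ingests one failure, drops entries older than Window for that PAN,
// and returns the verdict for the PAN as of this attempt.
func (d *GuessDetector) Record(f CVVFailure) Verdict {
	kept := d.recent[f.PAN][:0] // filter in place; writes never overtake reads
	for _, prev := range d.recent[f.PAN] {
		if f.When.Sub(prev.When) < d.Window {
			kept = append(kept, prev)
		}
	}
	kept = append(kept, f)
	d.recent[f.PAN] = kept

	cvvs := map[string]struct{}{}
	merchants := map[string]struct{}{}
	for _, x := range kept {
		cvvs[x.CVV] = struct{}{}
		merchants[x.Merchant] = struct{}{}
	}
	return Verdict{
		Flagged:      len(cvvs) >= d.Threshold,
		DistinctCVVs: len(cvvs),
		Merchants:    len(merchants),
	}
}

func main() {
	d := NewGuessDetector(10*time.Minute, 5)
	t0 := time.Date(2016, 12, 2, 12, 0, 0, 0, time.UTC)
	pan := "4111111111111111" // constructed test PAN
	// Constructed feed: six different wrong CVVs for one PAN, each from a
	// different merchant, a second apart. No single merchant sees more than one.
	for i, cvv := range []string{"111", "222", "333", "444", "555", "666"} {
		v := d.Record(CVVFailure{
			PAN:      pan,
			Merchant: fmt.Sprintf("merchant-%d", i),
			CVV:      cvv,
			When:     t0.Add(time.Duration(i) * time.Second),
		})
		fmt.Printf("attempt %d: distinct CVVs=%d merchants=%d flagged=%v\n",
			i+1, v.DistinctCVVs, v.Merchants, v.Flagged)
	}
}
```

A per-merchant rule alone would report one failure at each of six merchants and never act; the per-PAN count reaches five on the fifth attempt and the issuer can decline further authorisations and reissue the card, which is the response the comments describe.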