Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 12 years ago.
Improve this question
I am working on a payment form. What is that 3-digit code on the back of the card called? I can't find a consistent reference as to what to call it.
It is called the Card Security Code (CSC) according to Wikipedia, but has also been known as other things, such as the Card Verification Value (CVV) or Card Verfication Code (CVC).
The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a CCID or Credit Card ID) is often asked for by merchants for them to secure "card not present" transactions occurring over the Internet, by mail, fax or over the phone. In many countries in Western Europe, due to increased attempts at card fraud, it is now mandatory to provide this code when the cardholder is not present in person.
Because this seems to be known by multiple names, and its name doesn't seem to be printed on the card itself, you'll probably (unfortunately) still need to tell your users how to find the code - ie by describing it as the "3 digit code on back of card".
2018 update
The situation has not improved, and is now worse - there are even more different names now. However, you can if you like use different terms depending on the card type:
"CVC2" or "Card Validation Code" – MasterCard
"CVV2" or "Card Verification Value 2" – Visa
"CSC" or "Card Security Code" – American Express
Note that some American Express and Discover cards use a 4-digit code on the front of the card. See the above linked Wikipedia article for more.
You can't find a consistent reference because it seems to go by at least six different names!
Card Security Code
Card Verification Value (CVV or CV2)
Card Verification Value Code (CVVC)
Card Verification Code (CVC)
Verification Code (V-Code or V Code)
Card Code Verification (CCV)
It's got a number of names. Most likely you've heard it as either Card Security Code (CSC) or Card Verification Value (CVV).
Card Security Code
From Wikipedia,
The Card Security Code is located on the back of MasterCard, Visa and Discover credit or debit cards and is typically a separate group of 3 digits to the right of the signature strip.
On American Express cards, the Card Security Code is a printed (NOT embossed) group of four digits on the front towards the right.
The Card Security Code (CSC), sometimes called Card Verification Value (CVV or CV2), Card Verification Value Code (CVVC), Card Verification Code (CVC), Verification Code (V-Code or V Code), or Card Code Verification (CCV)[1] is a security feature for credit or debit card transactions, giving increased protection against credit card fraud.
There are actually several types of security codes:
* The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and used for transactions in person.
* The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a CCID or Credit Card ID) is often asked for by merchants for them to secure "card not present" transactions occurring over the Internet, by mail, fax or over the phone. In many countries in Western Europe, due to increased attempts at card fraud, it is now mandatory to provide this code when the cardholder is not present in person.
* Contactless Card and Chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.
The CVC should not be confused with the standard card account number appearing in embossed or printed digits. (The standard card number undergoes a separate validation algorithm called the Luhn algorithm which serves to determine whether a given card's number is appropriate.)
The CVC should not be confused with PIN codes such as MasterCard SecureCode or Visa Verified by Visa. These codes are not printed or embedded in the card but are entered at the time of transaction using a keypad.
Related
Most of our staff work remotely in different countries of the world.
Often several staff work (on different aspects) of the same case.
At the moment the person who initiates the cases has to email the office manager who has to inssue a case number which then has to be shared with different staff members to make sure they use the same Case number in their forms and correspondence.
I was wondering whether it would be possible to:
Have a page on our website (accesible to our staff only)
Where the person initating a case goes to
The staff member is asked to enter his initials (eg DH or RD)
Then automatically a code is generated (RD001, DH001, etc.), it will be helpful for other purposes if the number is always 5 characters long (e.g. RD001, RD025, RD234, etc...).
These numbers need to be sequential (so if RD got the number RD001 1 hr ago, or 1 day ago, he needs to get RD002 the next time he requests a number), so the page needs to remember the last number that was issued for that staff member (they need to be sequential per staff member).
That number is then emailed to the relevant staff members who need to be aware that this number has been issued
Is that possible?
Sure it's possible, but what you are asking is actually a complete solution development. You've to hire a developer, who will create a system with authentication AND authorization, cases management (new case, details of the case, etc...) and so on.
But overall, it's a trivial job : )
EDIT: If your question is exclusively considering only HTML, then I really don't think this is possible, since your "number" should be generated and accessed from anywhere. Then, you have to make it globally accessible.
Also, it's really important that only your staff, and only the ones with rights to do that, could access and/or generate new numbers, hence the authorization/authentication need.
EDIT 2: Another possibility is search for a already made solution. I believe that should exist even online services with your requirements, like some online CRM or something like that.
I am trying to write a PC application (Windows, .NET) that identifies students on the basis of some card equipped with RFID identification to build lecture attendance registers. Currently I have a Stronglink SL040A RFID reader (http://www.stronglink-rfid.com/en/rfid-modules/sl040.html), which operates as a HID and sends the data as a series of keystrokes.
The system works perfectly with older cards like Mifare 1K classic (even with PayPass credit cards). The new student cards (and identity cards) issued by the Hungarian authorities, however, contain Mifare PlusX 4K chips, which seem to send a new key every time one uses the card. I have tried experimenting with the settings the configuration tool of the reader offers, but to no avail. I can make the 1K classic cards send a much longer key by changing the end block parameter but the PlusX 4K keeps sending the shorter, and painfully non-consistent, keys.
I am a physicist without a deeper understanding of these chips and RFID authentication in general – I am just trying to make a job done that seemed easy at the beginning. I have no intention of cracking or abusing these cards in any way, I am just trying to find some block of data on the card that stays consistent upon each use, does not require complicated authentication protocols but is unique between different cards.
Is it possible or is it against the philosophy of these chips? If possible, shall I have to buy a new reader or can I make it do what I need?
Your thoughts are much appreciated.
From the MiFare PlusX 4K datasheet:
Section 8.2:
There are three different versions of the PICC. The UID is programmed into a locked part
of the NV-memory reserved for the manufacturer:
• unique 7-byte serial number
• unique 4-byte serial number
• non-unique 4-byte serial number
Due to security and system requirements, these bytes are write-protected after being
programmed by the PICC manufacturer at production.
...
During personalization, the PICC can be configured to support Random ID in security
level 3. The user can configure whether Random ID or fixed UID shall be used. According
to ISO/IEC 14443-3 the first anticollision loop (see Ref. 5) returns the Random Number
Tag 08h, the 3-byte Random Number and the BCC, if Random ID is used. The retrieval of
the UID in this case can be done using the Virtual Card Support Last command, see
Ref. 3 or by reading out block 0.
From what you have described, it appears that the cards are running in Security Level 3, and unfortunately, the backwards-compatible part of the card only exists at lower security levels. The mentioned command of Virtual Card Support Last is also only available after level 3 authentication.
I'm afraid what you want to do appears impossible unless you can use the ISO/IEC 14443-4 protocol layer, which I think would let you authenticate at level 3? The relevant data appears to be in section 8.7, and involves AES authentication.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I am planning to use an HID barcode reader to spool data then it will be read as a data source for Microsoft Access? Is this possible? Can I do it in the background? Thanks.
To answer your question, if you have a barcode reader that creates a .CSV or .TXT file with a list of barcodes, yes, you should be able to import the list into Access. (Any valid .CSV file, and most well-structured .TXT files.)
This Stack Overflow post shows how to load a CSV file using VBA.
And here's how to do it manually.
Questions about the specific model are off-topic for this site but since I was the one that asked for that information, I did look into it quickly...
Symcode MJ2090
It looks like this product is made specifically for sale on Amazon/eBay, and every page I clicked has the identical copy/pasted description.
It raises an alarm for me that the "standard description" doesn't specify how the data is output to the computer other than "USB, No Driver Required".
Also, the Chinese manufacturer's sketchy site gave me browser security warning, and then doesn't even list this product in their list of BCR's. Perhaps it was a failed product that they unloaded cheap to resellers.
I've bought cheap USB electronics in the past (recent example: SIM Card reader/writer) which, while one would assume include the software necessary to use the product, that's not always the case, and since the description didn't actually say it includes software, they didn't break any rules and the item is now nonreturnable due to delay, etc.
Technically, if I was so inclined (and skilled in the correct areas) I could write software to communicate with my device, but that would be the equivalent of writing a printer driver from scratch.
My point is, be 100% sure how the device send the data to the computer before purchasing, or else shell out a few extra bucks for a known brand name instead of a no-name product.
I didn't look very closely but when searched eBay for USB barcode reader, sorted by "lowest price + shipping", the first result was this one is $18 USD (free shipping) and specifically says:
Supported Interfaces: RS232 / PS2 keyboard / USB
...although it's wired.
Or this one is $25 USD (free shipping) is wireless and says it:
Supports instant upload mode and storage mode(store 200 barcodes).
..which sounds promising, but "supports" doesn't mean it "does it"... however it's easy to contact the seller and find out.
Price aside, looking at a reputable store, I think this $80 USD model would work for you, but you'll need to check the documentation from the [reputable] manufacturer (Motorola) into it further to confirm. (I've never bought one.)
Or, I betcha this $10000 model will work too. :-)
This question already has an answer here:
GETCHALLENGE issue(6D00) in EMV for MasterCard
(1 answer)
Closed 5 years ago.
In the case of GETCHALLENGE Request (0084000000), we are getting the positive response in the case of VISA\DEBIT card, but for AMEX and MASTERCARD we are getting the response as 6D00 (Instruction code not supported or invalid).
Not all instructions are supported by all card products. Different card products also support different transaction types, off the top of my head (so take my answer with a grain of salt) get challenge should online be necessary for offline transactions with asymmetric crypto where the terminal needs to identify itself to the card. It's possible (though not likely nowadays) that the card doesn't have a crypto coprocessor capable of handling this, so that code path is disabled. It's also possible that the MC and Amex EMV scheme specifics require a different transaction flow and you're not fulfilling the prerequisites for get challenge.
Without konw the sequence of commands you're sending to the card and the profile on the card, it's difficult to provide more information than the 6D00 is already providing.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I want to allow my customer users to enter their credit card information so that I can charge them every month.
I wonder how one should save this information?
Should it be saved in the MySQL database ("user" table) or is this kind of information too sensitive and need to be stored in another place?
I have no experience of this and would be glad if someone could advice me how to accomplish this.
Thanks.
As mentioned above, do not store credit card information in a database. It's a recipe for trouble. Doing so will make you a very attractive target for hackers and, if they are successful in retrieving them, end your business and potentially ruin your life as well as the lives of those whose credit card numbers are stolen.
Having said that, here are three things to consider:
1) Your best bet is to use a payment processor/payment gateway that offers recurring billing. An example of this is Authorize.Net's Automated Recurring Billing service. Once you set up the subscription they will automatically bill the user every month for you automatically and let you know the results of the transaction. It saves you a ton of work and relieves you of the liability of storing credit card information.
2) If you do store store credit card numbers you must follow PCI guidelines. These guidelines are set by the payment card industry and define what you can and cannot do. It also defines how credit card information must be stored. You will need to encrypt the credit card numbers and you should, but are not required to, encrypt related information (expiration date, etc). You will also be required for ensuring that your web server and network are secure. Failing to meet PCI compliance will result in losing your merchant account and being banned from having a true merchant account forever. That would limit you to using third party processors which are less flexible. Keep in mind that PCI guidelines are a good start but hardly a "how to" when it comes to online security. Your goal would be to exceed the recommendation (by a lot).
3) State and country specific laws supersede PCI compliance. If you suffer a breach and credit card numbers are stolen you risk criminal prosecution. The laws vary from state to state and are constantly in flux as lawmakers are only just beginning to realize how serious of a matter this is.
As far as encryption goes make sure you read up on which encryption algorithms are secure and have not been broken yet. Blowfish is a good start and if you use PHP the mcrypt library is recommended (example).
The safest way is to NOT store the credit card information on your system, but let a 3rd party payment provider do it for you.
It's not required that you use a 3rd party payment provider like PayPal, etc. – but you need to be PCI compliant if you are going to store payment card information. Read this article about BC Ferries, who face substantial fines for not keeping up to date with PCI compliance to grasp how serious it is to be PCI compliant.
My current employer is going through PCI compliance – it's not a trivial process, and requires staff for auditing. Enforcement depends on the country and state/province laws – Canada IIRC requires you to be PCI certified by a PCI employed committee, while some states in the US allow for PCI compliance auditing companies to serve in place of the PCI committee.