I never understood the idea of CVC. Every website asks for it - so it seems like an extension of the card number. Why isn't there an app (or some digital way) to verify the card is mine, like authentication systems have 2FA? It will change for every transaction, unlike CVC.
I moved back to Finland after years in the USA, and found out that credit cards from Finnish banks now require a 2FA system for online payments. It works fine. The online purchase enters a short flow with my bank, they send a request to the bank’s app on my phone, I approve it there and the purchase flow returns to the vendor’s site. Everything about banking in the USA was seemingly decades behind my experiences in Northern Europe, so it may take a while for American banks to figure out credit card 2FA… (They still regularly use paper checks in America. Bank transfers don’t exist. Many operations require a visit to a bank branch, of which there are absurdly many. I’m surprised they didn’t have mechanical calculators.)
I'm not sure where you are but USA is very lax compared to the rest of the world. Obviously someone has crunched the numbers and decided a little more fraud that gets easily refunded means the customer is more profitable than strict security that could frustrate people. I've had a card with the extra bank verification step and I stopped using it. Maybe the lower interchange fees in Europe make the difference.
Took a trip to the US recently and was astounded at how many places charged my card without any PIN or verification requirements. The seeming normality of service staff taking your card out of sight is also unnerving - staff typically don't even lay a finger on your card in Europe. The US is truly in the dark ages when it comes to payment security. It seems this is yet another example - didn't even realise US cards didn't have 2FA for online transactions.
One thing to note is that payment systems are never supposed to store the CVC number, so a data breach shouldn't include that number if the vendor does things correctly. This does make it slightly different to being a 'longer card number'. In the UK, they also have additional verification steps, which can cause some issue when they go async to a payment system that expects to get a verification immediately. I've had Apple take payment twice because the 2FA verification text took too long to come through from a phone order for collection and I ended up buying the item in the store.
The CVC essentially is an extension of the card number that is only required when making purchases when the physical card is not present. The CVC is smaller in size and located on the rear of the card to defeat snooping via over the shoulder/CCTV/cameras.
I wouldn't want it. In my 15 years of using a credit card I've had fewer than a handful of times where there was a fraudulent transaction on my account. The credit card company covered me, and in total I don't think it has exceeded a few hundred dollars. And in that same time I've made thousands of transactions. The addition of a 2FA step for every one of those transactions would be an enormous cost increase on my attention and time.
In India, all online transactions require providing an OTP sent to mobile. Retail transactions require entering a PIN on the terminal. You can make transactions below 5000 INR using NFC swipe, but that is optional and can be disabled. UPI, India's smartphone/app based payment system, also requires entering a PIN to make the payments.
The thing about 3-D Secure is that it uses your phone number to verify it's 'you' making the purchase, but if your phone is lost/stolen and you get a new SIM, you're locked out of making any purchases with any cards tied to your old number. You can always update your details on the card provider's site so there is that. Another thing: SMS is not secure and a SIM-swap away from someone being able to make purchases in your name. I wish SMS just got deprecated as a form of verification. It's 2022, come on, we can do this!
Stripe provides SCA as a standalone product. They connect with the bank issuer of the CC, prompt the challenge asked by the bank, and then Stripe sends if it's ok or not.
Happens most of the time I spend a few hundred dollars or more with N26 (Germany), Revolut, ING Direct (Australia) and Nubank (Brazil). OTP via their mobile apps (or SMS fallback). 1. Ye, it'd be great if I could configure it to do 2FA on all online transactions. Does anyone know what exactly triggers 2FA? 2. I have an account with BTG Pactual (Brazil) and their virtual card gets a new CVC after each transaction, pretty cool.
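A per-transaction card code of the kind mentioned in the comment above, and asked about at the top of the thread, can be sketched with the standard HOTP construction (RFC 4226) shortened to three digits. This is an added example, not part of any post and not any bank's actual scheme; the `Issuer` class, its window and lockout values, and the use of HOTP itself are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def dynamic_cvc(secret: bytes, counter: int, digits: int = 3) -> str:
    """HOTP (RFC 4226) dynamic truncation, shortened to a CVC-sized code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Issuer:
    """Hypothetical issuer-side check: each counter value is accepted once."""

    def __init__(self, secret: bytes, window: int = 3, max_failures: int = 3):
        self.secret = secret
        self.next_counter = 0        # lowest counter not yet used
        self.window = window         # tolerate codes generated but never spent
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, code: str) -> bool:
        # A 3-digit code is guessable, so wrong attempts must be capped.
        if self.failures >= self.max_failures:
            return False
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(dynamic_cvc(self.secret, c), code):
                self.next_counter = c + 1   # burn this and every earlier code
                self.failures = 0
                return True
        self.failures += 1
        return False

SECRET = b"12345678901234567890"  # RFC 4226 test key, used as a constructed sample

def demo():
    """A code captured from one purchase fails when replayed on the next."""
    issuer = Issuer(SECRET)
    first = dynamic_cvc(SECRET, 0)
    return issuer.verify(first), issuer.verify(first)
```

With only 1,000 possible values, such a code depends on the issuer capping wrong guesses, which is why the lockout is part of the check rather than an extra.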
In Germany: 1) register a credit card for online transactions at https://www.sicher-online-einkaufen.de/, 2) activate with an activation code sent by post, 3) every transaction or 1st of every recurring transaction has to be approved via bank's online app (in my case Volksbank via touchid).
First World problem, literally. I've read that swiping cards is still widespread and magnetic strip is mandatory and chips are optional, but I wonder whether people in USA still sign their cards. Paying online without a code from SMS or push notification is an exception, usually happens when you save your payment method when buying something through a well known giant like PayPal or Steam.
To everyone mentioning 3D Secure et al, I've only used them on the payments side, but it doesn't resemble the 2FA systems that the original poster was asking about. What's going on when the browser does stuff just before the payment is accepted?
In Turkey, where I live, online transactions require 2FA. An SMS is sent for you to enter the PIN or a notification is sent to your online banking app asking for approval. I thought this was a standard procedure in online banking.