Your credit card has a 16-digit number on the front, plus an expiration date, and another three-digit code on the back. We all know in a vague way that the code on the back (also known as the “CVC” or “CVV”) has something to do with making transactions safer or reducing fraud, but other than that we don’t give it much thought — and while we might expect to have to share that number when shopping online, we certainly don’t expect to be asked to read it out loud when making an in-person purchase at a crowded coffee shop.
And there’s a reason you should be concerned about being asked to read this number aloud in public — because it’s not supposed to happen. But, as one Consumerist reader explains, that didn’t stop a Dunkin’ Donuts employee from demanding that she say her three-digit number in front of all the other customers.
A Weird Encounter
Nora* recently told us about a strange experience she had at a Dunkin’ location in New York state. She was buying three drinks and three gift cards, so the purchase came to about $80.
“I swiped my MasterCard and thought all was going well until the clerk asked for the CVV,” Nora tells Consumerist.
Nora checked with the clerk to see if the employee meant the last four digits on the front but no, she reports, the clerk did indeed mean the three-digit code on the back.
This struck Nora (and us) as strange. Even more bizarre: When she declined to read the numbers aloud, the clerk turned her terminal around to show Nora the register screen.
“She [said] that she had to have that information to complete my transaction and if I preferred I could input it into the BIG screen — for all to see — myself,” Nora says.
Uncomfortable with the transaction, Nora declined and left. She went to another nearby DD location — and made an ATM pit stop along the way, to get cash just in case the scenario repeated itself.
At the second location, “We ordered the same thing and I asked the clerk, if I used my credit card, would she have to have my three digit code? She said yes, so we paid cash,” Nora says.
…Is That Right?
This policy struck us as being just as unusual as Nora thought it was, so we reached out to both Dunkin’ Donuts and MasterCard to see what was up.
A spokesperson for Dunkin’ confirmed that this is, indeed, its nationwide policy:
“It is Dunkin’ Donuts policy to have franchisees ask guests for the CVV number for transactions that meet certain criteria. This security process was implemented as one of the measures used to protect our guests and franchisees from fraudulent credit card transactions,” the spokesperson said.
However, asking the customer to shout it out loud or type it in where it can be seen? That is not so much a part of the policy, and should not have happened.
“The crew member should enter the CVV number,” the spokesperson said, adding, “The franchisees have been notified and plan to retrain the team on the correct procedures.”
Meanwhile, the merchant agreements for both Visa and MasterCard make repeated references to checking the three-digit code (called the CVV2 for Visa, or the CVC2 for MasterCard) for card-absent transactions, as in a purchase online or by phone — but barely mention it for in-person, card-present transactions at all.
Visa only recommends capturing the data when the magnetic stripe swipe fails, and even then it specifies, “The storage of CVV2 is strictly prohibited subsequent to authorization.”
MasterCard’s merchant agreement is less clear, but a spokesperson for the company was very explicit on the matter when we asked.
“It’s difficult to think of a reason why an employee would ask a customer to recite their CVC2 code for an in-store transaction,” the spokesperson said. “As you note, the codes were created to help authenticate cardholders for online and over the phone purchases.”
MasterCard’s rules say the CVC2 is supposed to be used for remote transactions only, the rep added, and then outlined for us the procedure an in-person retailer should follow when a customer pays in-person by MasterCard:
- Check the valid date and the expiration date on the front of the card
- Compare the [16-digit account number] on the card with the number displayed on or printed from the terminal (unless a hybrid POS terminal is used)
- Compare photo on the card (if applicable) with the person presenting it
- Confirm the signatures match
So Why Is This Happening?
Nora’s theory was that these procedures were in place because the Dunkin’ locations did not have chip-enabled card readers in use — and theory that doesn’t seem far-fetched to us.
When credit card data gets stolen through use of a skimmer or a hack, the thief generally gains access to the 16-digit number and the expiration date on the front of the card. From there, fraudsters can cheaply and easily create “clone” cards to swipe in stores to make purchases at everyone else’s expense.
That’s where the code on the back comes in: that data is intended to reduce fraud, by making sure that the card in use is the actual original that has the right contents on the back. And that’s why when the merchant can’t actually literally see or handle the card — such as when you’re buying online — they’re supposed to ask for the code.
But even having employees verify its presence themselves, quietly, doesn’t strike Nora as an effective long-term solution.
“I don’t see their ‘plan’ or ‘procedure’ of having the clerk handling the cards and flipping them over really being practical and working,” she tells Consumerist — and good old-fashioned human nature is pretty much why.
“Often, the cashiers never touch the card, as the customer swipes the card,” and it never leaves their hand to begin with, Nora says. “Then add in busy mornings, people lined up anxiously waiting for their coffee fix… are they really going to take that extra step? No, the cashiers are just going to verbally ask for the code and people will give it to them.”
Sooner or later, Nora thinks, someone is going to be defrauded because their code is out in the wild — and at the very least, it’s just not optimal security.
Completing the rollout of chip-and-PIN terminals nationwide would solve this particular problem, as the whole point of the EMV system is that the chips inside the cards, necessary to complete the transaction, can’t be snagged or duplicated by hacks or skimmers.
In the meantime, for customers who want a morning Dunkin’ Donuts fix but don’t want to deal with strange credit card shenanigans, the chain has a mobile payment app.
*name changed at the customer’s request
Editor's Note: This article originally appeared on Consumerist.