by nodata 5681 days ago
But that's for debit cards - I think most banks include the account number in a debit card number. You would still need the CCV number from the back of the card for the attack to work.
2 comments

I haven't noticed any other bank which had the same practice.

Also, not all online merchants use CCV. Also consider the risk of creating fake physical CCs, no address or CCV necessary.

Just checked: my credit union debit card number includes my account number.
CCVs aren't always required for transactions.
CCV proves the cardholder was present at the time of the transaction. Online merchants are never allowed to store CCV numbers.
edit: CCV proves that you at one time had access to the CCV number.

Online merchants are supposed to comply with PCI-DSS - not store your CCV ever, never transmit your number unencrypted, never store cardholder information unencrypted, plus tons of management controls and audit controls over the same.

In practice, let's just say lazy programming is everywhere. I've seen many people who handle online transactions and violate PCI-DSS to some degree, including storing CCV numbers.

They can ask for them though.
... indeed, and they often do.