36

Most popular web services like PayPal, Google Wallet, and others do not mask CVV numbers, e.g. (`<input type="password">`).

As I read, the CVV is a security feature and it seems logical to mask it in order to hide it from prying eyes. But I haven't seen any web service that masks this input.

Gray
Paul Annekov
  • 3
    You need to be a little more clear, are you asking "Why is the input field for the CVV value not masked?" – Shane Andrie Mar 30 '15 at 15:15
  • You'll have to ask them, I guess. I could see how masking the cvv could be potentially valuable, but masking input hurts user experience (slightly), so maybe they felt it was not worth doing. It only helps to mitigate shoulder surfing. Here's a good article related to masking passwords: https://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html – Gray Mar 30 '15 at 16:08
  • 5
    I think this question would be easier to answer if it was not as opinion-based. Maybe instead of "why doesn't google do it," ask "should we be masking CVVs?" I think then the answers can give researched opinions rather than speculating on why google doesn't do it. – Gray Mar 30 '15 at 17:31
  • @Gray actually "why doesn't google do it" has probably a factual answer (but we do not know it) and "should we be masking CVVs?" is opinion based. – Jeff Mar 30 '15 at 18:17
  • 1
    @Jeff I guess I was thinking about modeling the question off of something like this one: http://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths . It could be "why does my bank do this?" vs. "what are some good reasons to do this?" One we can answer, one we cannot. – Gray Mar 30 '15 at 18:27
  • 3
    One additional reason for not using password input types over what the answers have mentioned is that in modern browsers you can't disable autocomplete on password fields, so it would get cached in the browser if they did that... – Rory McCune Mar 31 '15 at 10:16
  • If they are watching over your shoulder they can read it off the back of your card as you do! – JamesRyan Mar 31 '15 at 13:13
  • @JamesRyan: you assume that the user has to read it from the card, which is not always the case. Besides, being readable from both the card and the screen makes it easier for the snooper. – Martin Argerami Mar 31 '15 at 13:33
  • 2
    I'd note that most don't mask the actual credit-card number either, which is even more valuable than the CVV since there are some times when you can use the CC number without the CVV, but not vice versa. – Jon Hanna Mar 31 '15 at 13:35
  • I would say mask the CVV code while making payments, else anyone can see it on the terminal screen, as it's just a 3 or 4 digit code. So, I would recommend to mask it. – Balanand Pinni Feb 23 '19 at 14:39

3 Answers

61

Most likely answer:

  • They don't have to (it's not a PCI requirement)
  • It's better from a UI/support standpoint

Let's keep this in perspective. This is the number that's printed, on the back of the card, right where minimum-wage cashiers are instructed to visually inspect when performing a POS transaction. Absolute secrecy from physical bystanders is clearly not the intended control for the CSC!

Pay attention rather to the aggressive controls the PCI DSS imposes to ensure it's never stored by anyone in the processing chain. They are not concerned with onesie-twosies being shoulder-surfed, they're concerned with the people who steal credit card databases getting away with the CSC too.

gowenfawr
  • 1
    "they don't have to" - totally agree! – paj28 Mar 31 '15 at 09:03
  • 2
    Keep in mind you're also probably physically holding and looking at the card as you're entering it in, too. If anyone just glanced at it, they'd be able to see it. The only thing a password mask does is prevent information disclosure to peepers, which wouldn't even be prevented in this case. – Kaslai Apr 01 '15 at 17:40
  • Has this policy changed? Per this OWASP document, it says CVV fields MUST use `input="password"`. https://www.owasp.org/index.php/Handling_E-Commerce_Payments#Displaying_portions_of_the_credit_card ```For online forms, you must use a "password" type field for CCVs to provide some protection against shoulder-surfing. Some browsers cannot tell the difference between this and a login form, and will offer to remember the details. This is not good, because it interrupts the checkout process and many users click "Yes" without thinking and thus violate their card holder agreement.``` – Craig London Apr 13 '17 at 16:11
  • @CraigLondon PCI policy hasn't changed; it isn't explicit on this issue. The guidance in the OWASP page you've linked to cites PCI 3.2.3 and 3.4, neither of which says anything regarding the forms presented to cardholders. I think what you're reading is an advisory "MUST" from OWASP, but one that's tied to "best practices" and not PCI requirements. – gowenfawr Apr 13 '17 at 16:23
  • "They don't have to" isn't a reason. They equally don't have to _not_ mask it. Furthermore, if they were using this as an excuse then, surely, they would equally be using as an excuse not to mask the user's password in the login form. – Stewart Jun 19 '20 at 13:30
  • Moreover, bear in mind that paying through a website is a very different situation from paying in a shop. If you're in a room with other people, they will see your card number and CVV on the computer screen far more easily than they would see the physical card in your hand. – Stewart Jun 19 '20 at 13:36
40

First, it's important to understand that security is not binary. It is not an "on" or "off" concept, but a continuum of risk management options, and each decision comes with a cost. Either the additional cost of controls or mitigation as you move toward the "secure" end of the spectrum, or the cost of exploitation as you accept more risk towards the "insecure" end.

There is nowhere this is more true and more evident than in systems that deal with credit cards. When an entity that deals with credit cards makes a risk decision, there is a trade-off between accepting the cost of fraud when the system is less secure, and accepting the cost of lost revenue when the system is more secure, as users are prevented from making legitimate transactions, either because the system will not let them, or because it becomes harder to use.

So, in any system like this, when you have a question about why something doesn't seem to be as secure as it could be, it's generally safe to assume that the answer is because the cost of fraud due to the choice in question is less than the cost of lost transactions for the more secure alternative. It is shockingly critical to sales that systems be as easy as possible to use, and even small tweaks to usability can have a drastic effect on the number of transactions that are abandoned and never completed.

For the specific aspect in your question, why don't they mask CVVs? It seems to me that the opportunity for additional fraud here is quite low, as the CVV is only one of the pieces of data you'd need in order to commit fraud, and masking it would deal only with the smallest subset of cases where a malicious actor had all of the required data except for the CVV, but could only view the CVV on the screen and not from the card itself, or from the keyboard as it is entered. I suspect that the additional risk of frustrating users who enter the CVV incorrectly and can't tell, while still small, is significantly higher.

Xander
4

If you think about the 'expected' usage, the CVV is simply supposed to mean that you physically have the card (so you can see both sides).

With that starting point, the user will type in the card number from one side, then turn over and type the CVV.

I appreciate that many people will have memorised the CVV and/or 16-digit number, so the assumption above may not be valid, but the expectation is that they will have the card visible to copy the number (unlike a PIN or password which is expected to be stored in their head), so the shoulder-surfer could also see the CVV without much effort.

For my own 'most-used' card, the 16 digits are quite hard to read on the front, the CVV is easier to read from a distance.

rolinger