Bypass with wrong CVV of debit card and getting OTP

But isn't it supposed to verify before I get the OTP? What's the reason? Isn't it a security issue?

This is absolutely NOT a security issue! Quite the opposite, it's a protection.

Let's go through the steps.

  1. You put in card details.
  2. You put in CVV.
  3. You put in the OTP.

The payment is processed if and only if the combination of all of it is correct.

Now assume a scenario where it tells you the CVV is wrong before the 2FA. That is simply going to give the attacker a chance to attack better. Now the attacker knows the CVV is wrong and can simply change that. While in the correct scenario, the attacker will have to break 2-factor authentication to gain that information.
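The deferred check described in the answer above, sketched as an added example that is not part of the original answer or any real payment system. The `Issuer` class, its `outbox`, the `early_reject` flag and the card data are all hypothetical and constructed for illustration.

```python
import hmac
import secrets

def _eq(a, b):
    # Constant-time comparison so timing does not reveal which value matched.
    return hmac.compare_digest(a.encode(), b.encode())

class Issuer:
    """Hypothetical issuer-side flow; every name here is an assumption."""

    def __init__(self, cards):
        self.cards = cards    # PAN -> CVV (constructed sample data)
        self.sessions = {}    # session id -> (pan, cvv, expected OTP)
        self.outbox = {}      # PAN -> OTP delivered to the cardholder's phone

    def start(self, pan, cvv, early_reject=False):
        if early_reject and not _eq(cvv, self.cards.get(pan, "")):
            # What the question expected: this reply confirms the CVV was wrong.
            return None, "CVV_INVALID"
        sid = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = (pan, cvv, otp)
        if pan in self.cards:
            self.outbox[pan] = otp   # sent out of band, never returned to the caller
        return sid, "OTP_SENT"

    def finish(self, sid, otp):
        # One attempt per session; an unknown or reused session id always declines.
        pan, cvv, expected = self.sessions.pop(sid, ("", "", ""))
        ok = pan in self.cards
        ok &= _eq(cvv, self.cards.get(pan, ""))
        ok &= _eq(otp, expected) and expected != ""
        return "APPROVED" if ok else "DECLINED"   # single generic result

def visible_responses(issuer, pan, cvv, early_reject):
    """Replies seen by a caller who does not hold the cardholder's phone."""
    sid, status = issuer.start(pan, cvv, early_reject)
    if sid is None:
        return (status,)
    return (status, issuer.finish(sid, "xxxxxx"))  # never a valid 6-digit OTP

if __name__ == "__main__":
    pan = "4000000000000002"              # constructed PAN
    issuer = Issuer({pan: "123"})         # constructed CVV
    for mode in (False, True):
        for cvv in ("123", "999"):
            print(mode, cvv, visible_responses(issuer, pan, cvv, mode))
```

With `early_reject=False` the correct and the wrong CVV produce identical replies unless the OTP is also known; with `early_reject=True` the first reply alone distinguishes them.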


As well as the general rule of not giving the attacker information by rejecting too early, there are some things specific to the payment industry which are somewhat relevant.

Although often presented to the customer as mandatory, the authentication information on a payment is generally used to evaluate risk and to assign liability.

For instance:

  • A payment with no CVV provided at all may be accepted by the issuing bank, but if challenged as fraudulent, the merchant will be liable for the refund. If the payment had been fully authenticated, the card scheme or issuer will assume that liability instead.
  • A payment with an incorrect CVV but correct address, interactive one-time password, and order details consistent with previous behaviour may be accepted as "low risk" by a fraud scoring system.

The reduction of security in both cases is traded for the convenience to the customer. The new version of 3-D Secure (branded as "Visa Secure" and "MasterCard ID Check") is explicitly designed around this idea, with a large amount of automated information capture up-front meaning that interactive authentication will simply be skipped if the transaction is already considered low-risk. The CVV entered is now just one piece of data in this complex analysis.


Developer here. I have worked with a couple of systems that send OTPs. Neither required the CVV in order to send it.

As per Vipul Nair's answer, it is good practice to not let an attacker know some input is wrong until the end, so as not to leak what might be wrong. I'd like to add that usually online shops may keep your PAN and other data in their databases, but they are not allowed (by law or by the card issuer) to store your CVV. In some (not all) cases it is the store that sends an OTP, so they would not have a way to validate with your CVV anyway.