What's the impact of disclosing the front-face of a credit or debit card?

You don't actually need the CVV to perform transactions; it's just required by most retailers as a means of verifying that you have the physical card in your possession.

From Wikipedia (unsourced):

It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.

On most EFTPOS systems, it's possible to manually enter the card details. When a field is not present, the operator simply presses enter to skip, which is common with cards that don't carry a start date. On these systems, it is trivial to charge a card without the CVV. When I worked in retail, we would frequently do this when the chip on a card wasn't working and the CVV had rubbed off. In such cases, all that was needed was the card number and expiry date, with a signature on the receipt for verification.


Aside from the already mentioned attacks involving unauthorized usage of a credit card, the credit card information can also be used for social engineering and identity theft.

As a somewhat current example, see how Mat Honan got hacked last summer: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

In his case, Apple only required the last digits for his credit card (which his attacker obtained from Amazon) in order to give up the account. It stands to reason that other vendors may be duped if an attacker were to provide a full credit card number including expiration dates.


You would need CVV and expiration date for verification, although expiration date is on the front face of a card. Also required is the billing address, or at a minimum, the zip code of the billing address, neither of which is on the front or back of the card.

However, this depends on whether you're buying something retail, in person versus online. If you are working in retail where the card details can be manually entered, which is definitely an option unless there are policies against it, or maybe a POS machine that won't allow it (although that hasn't been my experience, as magnetic strips get demagnetized by women's magnetic purse fasteners A LOT), there would be the potential for fraud. There would be no need for billing zip code or billing address. It would require the complicity of the cashier as well as the customer though. This is why: Even though the card info can be entered manually, it is NEVER acceptable to take the information from a person who hands you a piece of paper with their card details.

On the phone, or online, you will need name, card number, expiration date, CVV (4 digit for AmEx, 3 digit for Visa/MC) and billing address (and shipping address) for a physical delivery. If you are ordering something that doesn't need to be delivered, and remember, you have now restricted your options for illegal purchases significantly, you would still need billing zip code, even though you wouldn't need address etc.

What can you buy online or on the phone, with name, card number, CVV and zip code? Well, iTunes caps monthly purchases at $5,000 per month as a default. So you could buy a lot of iTunes music, or premium membership to expensive porn sites, or lots of cloud storage, or online games. But even if you were to do any of that, you would still need to use the services from somewhere that was associated with an IP address. I doubt that it is practical to play games via Tor, same is true for streaming porn, though I am not certain. And if you bought iTunes songs, Apple would need to know enough identifying information about you that it wouldn't be safe. You couldn't buy stuff via PayPal or Amazon, as you'd need to take physical delivery of the items, which would be incriminating, whether to you or someone else who acted for you.

And all of this would be moot without the billing zip code, which is not on the front of the card. I don't have any sources, just experience working at a casino, on a huge 500 person ship, for a year. And I purchase lots of clothes and things online. I'll look for something to cite, but it tends to be a result of widely observed electronic payment practices rather than technological impossibility.

EDIT:
See the answers to this question: "What is the use of stolen credit card details?" The answers are based on access to mass quantities of cards, or willingness to allow someone to get in trouble for taking delivery of your purchases (the answer referred to that as "a rube"), or rather elaborate eBay card swapping schemes. It wasn't straightforward. (Many are in pursuit of credit card information, but I often wonder what most people can actually do with it, other than cause inconvenience and fear. ZeuS or SpyEye is the exception, as it appears disturbingly versatile).