On 9 June 2012 22:42, Scott Howard <sc...@doc.net.au> wrote: > There is no way to "derive" the CVV2 number. It is little more than a > random number assigned to the card. > [...] > It is verified by comparing it to the known CVV2 number stored by the > credit card company/bank that issued the card. > > I don't think this is correct - I believe the Wikipedia entry is accurate:
---snip--- CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The values are calculated by encrypting the bank card number (also known as the primary account number or PAN), expiration date and service code with encryption keys (often called Card Verification Key or CVK) known only to the issuing bank, and decimalising the result ---snip--- http://en.wikipedia.org/wiki/Cvv2 I suspect the issuing banks can share their CVKs with the card scheme operators (Visa, MC, Amex) if they want them to validate transactions on their behalf. Aled
