Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Why do checkout pages still explain CVV numbers?
13 points by chiefofgxbxl on Oct 29, 2017 | hide | past | favorite | 27 comments
Every time I purchase things online with a credit/debit card the checkout page asks for my CVV number. It is absolutely guaranteed that said CVV entry box has a little [?] next to it to help explain to users what this number is and where to find it.

According to Wikipedia, this number was developed as early as 1995 [0], meaning we've had over 2 decades to become used to them.

So from a technical and design perspective, why don't more forms omit this? Why do we still need to explain this to shoppers? Can't we just put a little lock icon next to the CVV on a card, and then put the same icon on the site. This way that field can be visually matched by the user. From a user experience / product design standpoint, why aren't credit cards better designed to convey this information naturally?

[0] https://en.wikipedia.org/wiki/Card_security_code



"we've had over 2 decades to become used to them"

Every day, there are lots of new online shoppers making their first transactions: young people who have just gotten their first credit card, and older people who have never bought anything online before.

A 21 year old who just got their first credit card yesterday has not had two decades of experience with CVV codes.

Someone who has had their card for years but has never bought anything online before has not had two decades of experience with CVV codes (since they're never used for in-person transactions).

"Can't we just put a little lock icon next to the CVV on a card, and then put the same icon on the site."

A lock icon would be confusing, since a lock icon is already used to indicate a secure web site. And if someone has never used a credit card online before, they may not have noticed the lock icon on their card.

And good luck trying to get all credit card issuers to agree on a standard icon, when they can't even agree on the format and location of the CVV code. For example, on an Amex card, the CVV code is 4 digits, and is on the front of the card.


Agreed on many of your points - a lock icon was a bad suggestion on my part, given its use for HTTPS/SSL indication.

I suppose what I'm really asking here is this:

When you ask someone to enter their credit card number on a checkout page, that number is so glaringly obvious that it doesn't necessitate explanation. Everyone seems to know that it is the 16-digit number on the front of your card. You don't need to explain to people via text and diagrams that it is such.

So why isn't the CVV also self-explanatory? How could we make it so? If things like the card number or expiration date don't require documentation, why are cards not designed to make the CVV easily understandable?


Perhaps because everyone looks at the front of their card every day and in doing so, catches a glance of the expiration and card number. The front of most cards is also much less "busy" than the back, allowing for things to pop out.

Put these numbers on the back of the card, and I think they'd be fairly hard to find for first time buyers. So, to answer your question, maybe the solution is to bring the CVV to the front of the card? ...or does that defeat the purpose?


AmEx has theirs on the front, but I don't know if that says anything about it defeating the purpose or not.

Having it on the back prevents getting both cc number and cvv off single picture.. so I guess that's something.


My Chase Sapphire has both the CC and CVV numbers on the back.

My AmEx cards have a 3 digit CVV seeming number on the back in addition to the four digit one on the front.


We used to have lots of failed transactions until we explained to users that the CVV on an Amex is the 4-digit number on the front.


But why does Amex does it differently with their 4 digit CVV? Goolge search doesn't reveal any good answer. Thats a big confusion. Anyway cards could have put CVV beside the number if they wanted. In that case I think people would have found them.


Confusingly Amex has both a 4 digit CID (Front) and 3 digit CSC (Back). The latter I think is only ever used internally by Amex, not for transaction processing.


Different systems which use different fraud algorithms proposed by different people from the other credit card issuers.


> ..that number is so glaringly obvious that it doesn't necessitate explanation.

Not 2 months ago I had to point it out to my friend because she had accidentally written her signature across it, making it nearly invisible.


I wish all designers of new products would read this answer. It’s amazing how many products assume that all users have the same knowledge.


Why do microwave foods spell out to remove the plastic inner wrapping before cooking? Because not everyone knows what you know.


Part of that is also liability, though. If someone forgets to remove the wrapping and gets sick or even chokes on half-melted plastic wrap, the food manufacturer can at least make a case that they informed users of the safety issue.


So?

You want to get paid? Then you explain everything to the customer about how to pay you online because this is not like a sale in meatspace where the cashier can naturally catch customer mistakes and prompt them.

People may not know what a CVV is. Or they might be tired, sick, distracted, etc.

I have six years of college. I was one of the top students in my entire state in highschool. I also am medically handicapped, getting older and newly back in housing after nearly 6 years of homelessness. I often need seemingly "dumb shit" explained to me.

Why do we need to explain this to you? Do you not already know everything?

(That is not intended as a dig at you. More like "food for thought.")

(Edits made. Reason: I fucking hate autocorrect. Ugh.)


On a side note, can anyone explain to me how the CVV makes online checkout more secure?

Presumably, if someone were to hijack your form, they would be getting the CC number and the CVV. If you lost your card, they would have the CVV. To me it seems like just adding another 3 digits to your card number.


I think the reasoning is that to get your account number and the CVV number, you need to view both sides of the card so it makes it more difficult for a close by observer to steal your details.


A number of cards have the CVV on the same side of the card.(E.g American Express & Chase Sapphire)

Also, if one has the CC number wouldn't it be feasible to brute force the CVV. There are only 999 permutations. You would have a .1% success rate.


On a similar note, why all websites have login and signup forms, with the registration typically on the home page and a (huge) fallback logic to log users in even if they use the signup form?

Plus the fb/google authentication buttons with the same logic twice.

Imo it’s just because “everybody else/the bigs are doing so”, and nobody cares to test a different thing.

Note that this isn’t trivial as it seems, as you may have the fb/google buttons, but the bigs don’t.


I'm in credit cards analytics and while we may think that 2 decades is a long time, I can assure it's not. Credit cards have had a long long history (50 - 100 yrs depending on how you define what a credit card is) and we still haven't had 100% market penetration. Not everyone fully understands how it works and all users care about is that it's something that can be used for payment.


Because if someone gets confused and doesn't/can't make the purchase due to this misunderstanding, this is lost revenue, for no other reason than assuming that a user knows what CVV means.


I refer you to the XKCD comic "Ten Thousand": https://xkcd.com/1053/

You don't want to lose a sale because one of your customers is one of the ten thousand hearing about CVVs for the first time.


You want to have as much info as possible to prevent losing a sale on such a critical step of the checkout flow.


I wonder why they called it CVV and not something more obvious like SECRET (i.e. something self-explanatory).


CVV is simply three letters, I don't see how an icon would fare better.


Not just three letters. AMEX cards have four characters. And the're in the front, not in the back like VISA or Mastercard.


He's saying that the abbreviation (not the content) is just three letters. He's also conveying that using an icon instead of 3 letters doesn't really add much to the user experience.


And us germans, we don't use credit cards much.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: