Should I allow CVC of 000 in our system? [duplicate]

I’ve reviewed multiple threads on reasons why 000 should be allowed and why it shouldn’t:
All 0s (zeros) in a bank card’s CVC code
https://news.ycombinator.com/item?id=18768801

In summary, reasons 000 should be allowed:

  • Poor validation (validation bug) due to a lazy programmer since CVC should be a string, not an int, so this is a bug that needs to be fixed
  • If threat is brute force, a system only using values 001-998 is less secure than one using 000-999

Reasons 000 as a CVC should not be allowed:

  • Bias in guessing matters as much as bias in generation: users who are trying to pass a fraudulent transaction are highly likely to guess CVC values such as 000 and 123
  • A system such as a booking one will be connected to other brokers whose systems may have poor validation so 000 is blocked on purpose from the top
  • According to Bard, its response to “Is accepting a CVC of 000 considered PCI compliant?” was “No, accepting a CVC of 000 is not considered PCI compliant”.

I am leaning towards NOT allowing a CVC of 000 due to it not being PCI compliant.
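The first "should be allowed" bullet above is about a parsing bug rather than a policy choice. The following added example (not code from the question or any linked thread) puts the two side by side: an integer-based check that silently rejects legitimate codes such as "000" and "042", and a string-based validator that keeps the digits exactly as entered. The separate `is_denylisted` hook and the `expected_length` parameter are assumptions of this example, included so that a deliberate block on "000" is kept apart from format validation; the sample inputs are constructed.

```python
import re
from typing import Optional

# Constructed sample inputs covering the edge cases discussed in the thread.
SAMPLE_INPUTS = ["000", "042", "123", "12a", "1234", " 123 ", ""]


def buggy_cvc_check(raw: str) -> bool:
    """The 'CVC as an int' pattern the thread describes.

    '000' parses to 0 (falsy) and '042' parses to 42 (two digits), so both
    legitimate codes are rejected even though the card issuer generated them.
    """
    try:
        n = int(raw)
    except ValueError:
        return False
    return bool(n) and len(str(n)) == 3


def validate_cvc(raw: Optional[str], expected_length: int = 3) -> Optional[str]:
    """String-based validation: the code is never converted to a number.

    Returns the normalized code or None when it is not a well-formed CVC.
    expected_length is 3 for most brands and 4 for brands that print a
    four-digit code (assumption: the caller already knows the card brand).
    A plain [0-9] class is used rather than str.isdigit(), which also
    accepts Unicode digit characters that the issuer would never print.
    """
    if raw is None:
        return None
    value = raw.strip()
    if not re.fullmatch(r"[0-9]{%d}" % expected_length, value):
        return None
    return value


def is_denylisted(cvc: str, denylist=frozenset({"000"})) -> bool:
    """Policy hook, separate from the format check.

    Whether a specific value such as '000' should be refused is a risk
    decision; keeping it here means the format check stays correct and the
    policy can be changed without reintroducing the parsing bug.
    """
    return cvc in denylist


def compare(inputs=SAMPLE_INPUTS):
    """Return {input: (int-based result, string-based result)} per sample."""
    return {s: (buggy_cvc_check(s), validate_cvc(s)) for s in inputs}


if __name__ == "__main__":
    for s, (buggy, correct) in compare().items():
        print(f"{s!r:10} int-based={buggy!s:5} string-based={correct!r}")
```

Running the block shows that the integer check rejects "000" and "042" while the string validator accepts both and still rejects "12a", "1234" (for a three-digit brand) and the empty string; any decision to refuse "000" then happens in `is_denylisted`, where it is visible and auditable rather than a side effect of `int()`.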
