Hi there,
First I'd like to point out the Google Answers disclaimer on the
bottom of the page, and remind you that most of the following
information that was found is strictly to be used for educational
purposes.
The CVV (Card Verification Value) is a sequence of digits constructed
by a cryptographic process and written to the magnetic stripe of the
card. Data such as card number, the expiration date and the service
code is triple encrypted using a special Card Verification key pair,
and selected digits from the results are used to create the CVV. The
algorithm used in the calculation is similar to that of PIN
encryption.
For information on how these cards are encrypted, please refer to:
http://www.amarshall.com/crypt101.html
Specifically, CVC (card verification code) and CVV (card verification
value) are encrypted using the Triple DES system. The Triple DES used
for CVC and CVV uses two single length Keys such that the first Key
encrypts data, the second Key decrypts the results of that encryption,
and the first Key encrypts the results of the decryption.
For details on the use of DES and 3DES in financial institutions,
please refer to the following white paper.
http://www.pulse-eft.com/upload/EncryptionKeyWhitePaper4_2003.pdf
For a visual representation of how the encryption works please take a look at:
http://www.maxlin.ca/tos/ga/3des.jpg
Since PIN encryption uses the same/similar system, here's a sample excerpt
to provide you with a better understanding of how it works:
**
The PIN (Personal Identification Number) is basically encrypted as
follows. The card number is taken as an hexadecimal number and is
encrypted with the DES algorithm using a secret key, which is called
the "PIN key". The first four digits are decimalized (i.e., A = 0, B =
1, ...) and are called the "natural PIN". An offset is added (without
carry) to the natural PIN in order to obtain the customer PIN. The
customer PIN may be changed but the natural PIN cannot. The offset is
what is written in track 3 and I called the "encrypted PIN". Here you
have an example:
Card number: 1234567890123445 hex (input for DES).
PIN key: 0123456789ABCDEF hex (key for DES).
Encrypted card number: 9A466AD30DFE0381 hex (output from DES).
Natural PIN: 9046.
Offset: 2298 (this number is written on track 3).
Customer PIN: 1234.
**
The author also recommends the following links:
Breaking the Visa PIN
http://www.gae.ucm.es/~padilla/extrawork/visapvv.html
Original Visa Scheme
http://axion.physics.ubc.ca/atm.html
Discussion on other systems
http://www.gae.ucm.es/~padilla/extrawork/magnews.txt
The CVV, however, is still only an additional security; it is not
foolproof. Even a system with much higher security, the 96-digit encryption
algorithm, was cracked by hackers and posted on the internet in the
past.
http://www.computeruser.com/newstoday/00/03/11/news4.html
If you would like more information on the 3DES encryption system, or
would like clarification on any part of the answer, please feel free to ask
anytime.
Cheers,
Tox-ga
Google search terms: 3des double length cvv card verification algorithm encryption
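
The decimalization and no-carry offset arithmetic from the PIN excerpt above, as an added example that is not part of the original answer or of the quoted author's text. It starts from the DES output the excerpt states rather than running DES, and the function names are hypothetical.

```python
import hmac

# Decimalization as described in the excerpt: digits map to themselves,
# A = 0, B = 1, ..., F = 5.
DECIMALIZATION = {**{str(d): str(d) for d in range(10)},
                  **{h: str(i) for i, h in enumerate("ABCDEF")}}

# Sample value taken from the excerpt (DES output for its sample card and key).
SAMPLE_DES_OUTPUT = "9A466AD30DFE0381"


def natural_pin(des_output_hex, length=4):
    """Decimalize the first `length` hex digits of the DES output."""
    return "".join(DECIMALIZATION[c] for c in des_output_hex.upper()[:length])


def add_no_carry(a, b):
    """Digit-wise addition modulo 10; nothing carries between positions."""
    if len(a) != len(b):
        raise ValueError("operands must have the same number of digits")
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_no_borrow(a, b):
    """Digit-wise subtraction modulo 10; inverse of add_no_carry."""
    if len(a) != len(b):
        raise ValueError("operands must have the same number of digits")
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def customer_pin(des_output_hex, offset):
    """Customer PIN = natural PIN + offset, without carry."""
    return add_no_carry(natural_pin(des_output_hex, len(offset)), offset)


def offset_for(des_output_hex, chosen_pin):
    """Offset to store when the customer picks a PIN; the natural PIN is fixed."""
    return sub_no_borrow(chosen_pin, natural_pin(des_output_hex, len(chosen_pin)))


def verify_pin(des_output_hex, offset, entered_pin):
    """Issuer-side check: recompute the PIN and compare in constant time."""
    expected = customer_pin(des_output_hex, offset)
    return hmac.compare_digest(expected.encode(), entered_pin.encode())


if __name__ == "__main__":
    print(natural_pin(SAMPLE_DES_OUTPUT))           # natural PIN
    print(customer_pin(SAMPLE_DES_OUTPUT, "2298"))  # customer PIN
```

A PIN change only rewrites the stored offset; the natural PIN stays tied to the card number and the PIN key.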