What is the algorithm to generate CVV?
Each issuer has its own. They range from algorithms that encrypt card information with secret keys that only the issuer knows, or that generate a hash (as far as we know, the most common), to randomly generated key-value tables. As far as we know, no one has broken these algorithms, so there is no way to:
- Generate a CVV (Card Verification Value) from the PAN.
- Check whether a CVV code is correct (it has no check digits) without calling the card issuer.
We already recommended that you never process the PAN, because the measures imposed by banks are very extensive. With the CVV, we advise you to forget about the subject completely. There are very strong restrictions regarding the CVV:
To comply with them, the CVV cannot be stored anywhere:
- Never on disk, not even in logs.
- It cannot remain in memory once the transaction is finished. Be careful: destroying the object or releasing the memory it was in is not enough, because the data is still stored in memory. You have to proactively delete it (overwriting it with zeros or nulls, for example).
- You cannot send it to any system that does not comply with all this.
The rules for CVV processing are very strict. Keeping it encrypted is not acceptable either, nor is anything similar. If we do, we are committing fraud. We are also assuming a very high risk, because if it is stolen, the attacker's capacity for fraud would be very, very great.
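The proactive overwrite described above, sketched in C as an added example (it is not code from the original page). The function names, the stub issuer call and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define CVV_MAX 4 /* CVV codes are 3 or 4 digits */

/* Zero n bytes through a volatile pointer: a plain memset() on a buffer that
   is never read again is a dead store the optimizer may remove. */
void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if every byte in the buffer is zero. */
int all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}

/* Hypothetical stand-in for the online call to the issuer (0 = approved). */
int stub_authorize(const char *pan, const char *cvv) {
    return (pan && *pan && strlen(cvv) >= 3) ? 0 : 1;
}

/* Use the CVV for exactly one authorization, then erase every copy we hold:
   the local working copy and the caller's input buffer. Nothing is logged. */
int pay_and_forget(const char *pan, char *cvv_in, size_t cap) {
    char cvv[CVV_MAX + 1] = {0};
    size_t len = 0;
    int rc = -1; /* -1 = rejected locally, issuer never contacted */
    while (len < cap && cvv_in[len] != '\0') len++;
    if (len >= 3 && len <= CVV_MAX) {
        memcpy(cvv, cvv_in, len);
        rc = stub_authorize(pan, cvv);
    }
    wipe(cvv, sizeof cvv);   /* wiped on every path, success or failure */
    wipe(cvv_in, cap);
    return rc;
}

int main(void) {
    char input[8] = "123"; /* constructed sample value, as is the test PAN */
    int rc = pay_and_forget("4111111111111111", input, sizeof input);
    return (rc == 0 && all_zero(input, sizeof input)) ? 0 : 1;
}
```

Where the platform provides it, `explicit_bzero()` (glibc, BSD) serves the same purpose as the hand-written `wipe()`.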
A CVV, whether of type 1 or 2, never guarantees that the operation has actually been carried out by the owner of the card, since it is a very easy protection to overcome.
Type 1 CVV is on the card's magnetic stripe, so anyone who reads the stripe and duplicates it onto another card will copy not only the PAN but also the CVV. So this data is of little use.
The CVV2 is almost easier to copy. A few seconds with the card in hand and a hidden camera and we will have everything copied: PAN, expiration date, and CVV2. So beware of handing over the card in restaurants.
The industry knows this, so a payment made with a CVV is not 100% guaranteed to be free of fraud.