Ignore Calls that are asking for your Credit Card Details

We have a total of 4 credit cards in our family. Out of these 4 cards, 3 are Visa cards issued by HDFC bank and the remaining one is MasterCard issued by State bank of India.

Websites that don't ask for cvv code

Recently my aunt had a very weird experience with her State bank of India credit card. Before I go into further details I’d like to mention that the mobile number that is associated with this credit card is/was only available with:

  • The bank i.e. SBI. The number was linked with my aunt’s savings bank account and credit card.
  • A very popular mobile recharge/wallet service.

Apart from these two, the number was not given to any other person (except family members), organization or company. This number is always meant for personal use only and for receiving transaction related alerts from the bank.

Last month my aunt recharged her number using this XYZ online recharge service and used her State Bank of India credit card to pay the final amount. She also saved her card details within the service. I’m pretty sure that this particular service sold her mobile number to low lives who calls people to collect bank related information by harassing them or by giving them false information about their card.

I am unable to mention the name of this particular service here in this post because I don’t have any solid evidence against them and I seriously don’t think that someone from SBI sold my aunt’s number! However my only suggestion for you is to recharge your number using your operator’s official website.

On Sunday (!!) morning at around 10 AM my aunt received a call on her mobile from New Delhi (+9111xxxxxx). The person on the other end of the phone said that he is speaking from SBI’s credit card division and congratulated her on earning around 5000 (which is untrue by the way) reward points and for maintaining a good track record (probably CIBIL score). To this she said OK.

Now he said that the bank is permanently discontinuing its reward points system and my aunt needs to urgently redeem all of her reward points (5000+) as cashback into her SBI’s savings account! To this also my aunt said OK.

Now he said that for converting all the reward points into cashback, he needs to verify my aunt’s credit card details. By verification he meant that he wanted to know all the information that is printed on the card, as he needs to match this information with the information that is displayed on his computer screen. To this my aunt said a big NO!

He said that she can fully trust him as he’s speaking from SBI’s credit card division and he can also send a 6 digit OTP (One Time Password) for IVR verification to the mobile number registered with the card. To this my aunt said OK.

Now this person sent a 6 digit OTP code (valid for 30 minutes and one time) to the mobile number registered with the card and the sender’s name that was displayed on the screen was VM-SBICRD! Because of this text message my aunt became 100% assured that this call is from SBI’s card division and gave him the card number, name and expiry date.

Websites that don't ask for cvv code

The low life at the other end of the phone now started pressing her for CVV code (Card Security Code). To this my aunt said: Why do you want my card’s CVV code? I have already given you enough information i.e. my card number, expiry date and name. Just match this information with the information that is being displayed on your computer screen.

To this the low life started using sentences like Tum logon ko samjhana bahut mushkil hai. Dimaag kharaab ho gaya hai mera (It’s very difficult for me to explain things to you people. My brain is spoilt)! After this my aunt disconnected the phone and contacted me.

When I heard her entire story, I said to her that if she receives a call from that person again, then there’s no need to answer the phone. Also if he calls from some other number and asks for card details again, then just hang up the phone.

If that day my aunt had given her card’s CVV code, then the person at the other end of the phone could have transacted endlessly on foreign websites as they don’t ask for Visa/MasterCard Secure Code. And we had to pay the entire bill for the purchases made by that low life.

Also as per my best information gathered from the internet, these low lives have also partnered with some so-called Indian e-commerce stores. The payment gateway of these stores are used to run your card and in this way the whole pack of these low lives enjoy your money/products purchased from your money.

What if you are a victim of this SCAM and have already given your card’s CVV code?

If you have also received such calls and have given all card details of yours, especially the CVV code, and now thousands of Rupees are being deducted from your card then follow these steps:

1. First of all remain CALM – Believe me PANIC mode isn’t going to help you at all. You need to act calmly.

2. Call your bank’s card division (E.g. SBI’s Credit Card Division Contact) and narrate your entire story to them. They may ask you to send/submit a written complaint to them/your home branch and after proper investigation they may reverse the debited amount back to your card. However keep in mind that this process may take some days/weeks, so have patience. I am 100% sure that your card issuing bank will help you with your problem.

Note: When you report this type of incidence to your bank, they may temporarily/permanently block your card. You can also block your credit card by going to your net banking account, provided that your bank has given you such option in your account.

If credit card’s customer care department or your home branch is unable to resolve your issue, then feel free to shoot an email to Nodal Officer/Appellate Officer of your bank. If these high level officers are unable to resolve your issue, then you need to file a written complaint with RBI Ombudsman (aka Banking Lokpal) of your area.

3. You need to lodge a FIR with your nearest police station also. Chances are very high that your case will be handled by Cyber Crime Department of Police. You can also take help from a lawyer or some knowledgeable person who has knowledge about these type of issues. However keep in mind that if you go to the police, then your matter may get stretched for many weeks/months. So have patience and let the police work.

Important Note: If you have lodge a FIR with police then I am not sure whether RBI Ombudsman will handle your case or not. You need to get information about this by directly contacting the Ombudsman office of your area.

What precautions should I take to avoid these type of calls?

Here’s a list of precautions that you should take:

  • Don’t tell your credit/debit/ATM card or bank account details to anyone on phone, text message, Whatsapp/Facebook messages, Email etc. in any case.
  • STOP using online mobile recharge/wallet services. My personal question to you is that why do you use these services in the first place? Why don’t you use your mobile operator’s official website to recharge your number or pay your postpaid bills? If you do so only to get free coupons of popular outlets/shopping websites and some points in your wallet, then may god bless you. If above incidence happens to you then be ready to visit your bank/police station frequently.
  • Stop posting your mobile number and credit card/bank account details (!!) randomly on sites like Twitter, Facebook, Usenet groups, blogs, forums, job sites etc.
  • Don’t SAVE your credit card/bank account details on any website. Even popular websites gets hacked.
  • Transact only on trusted and popular websites on the internet and stop transacting on NSFW/Porn websites because their payment gateways are also responsible for leaking card information to low lives.
  • Keep your computer clean by scanning it with an anti-virus and anti-spyware/malware application with updated definition. You can use Avira free anti-virus and SUPERAntiSpyware for scanning your machine.
  • If these type of calls don’t stop then just change your mobile number and try not to circulate it everywhere!
  • Seriously return your credit card as you don’t have proper information about card security at all – Sorry for the pessimism!

If you want to read more about other people’s experience on this same fraudulent activity, then head over to this webpage: http://www.complaintboard.in/complaints-reviews/sbi-credit-card-l3720.html (Sorry I don’t want to link to that particular website!). If you read through all the complaints posted on that site, then you will be able to determine following things yourself:

  • People are still posting their 16 digit credit card number and 10 digit mobile number publicly – STOP it for god’s sake!
  • Low lives are offering shoes, holiday trips, t-shirts and other goods to cardholders in exchange of their expired reward points/CVV code.
  • People are getting calls from Visa and MasterCard as well (LOL) and they are also deducting money from their credit card after PROPER verification.
  • Even girls/women are participating in scamming card holders – Women empowerment is everywhere!
  • People are frequently posting their grievances on that particular website, but why? Does it look like a website run by any bank or Government of India? Do you think that someone is handling their grievances? Seriously STOP posting your grievances on these so called consumer forum websites and approach your bank/police station directly.

Should You Use the Card Security Codes: CVV2, CVC 2 and CID?

Websites that don't ask for cvv code

Credit card security codes are used by all four major U.S. payment card brands to help their merchants prevent e-commerce fraud. The underlying idea is that, by being able to provide the security number that is printed on the card she is using to make a payment online, the customer proves that she is in physical possession of the card at the time the transaction is taking place. As these numbers are not encoded into the card’s magnetic stripe and merchants are not allowed to store them into their transaction logs, criminals are having a much harder time getting their hands on them, which is what makes using them so valuable. And that’s why you should ask your customers to provide their cards’ security codes at your own website’s checkout.

Now, there is no universal standard governing the use of card security codes and each payment network maintains its own set of rules. However, these are all quite straightforward and anyway, they have more things in common than differences as will become evident if you keep reading. Many merchants still refuse to include a security code field in their online checkout forms, because they believe that doing so may confuse some of their customers or otherwise put them off and lead to lost sales. I believe that this fear is unfounded and that a merchant stands to lose more from not asking for the code than she stands to gain from it. Hopefully, by the end of this post, you will have come to agree with me.

Once again, the security codes are used to help verify that a customer is in a physical possession of her credit or debit card during a non-face-to-face transaction. As these numbers are not to be found in the card’s magnetic stripe, they cannot be “read” by a point-of-sale (POS) terminal and are therefore not used in face-to-face transactions.

The security codes are given different names and abbreviations by the various payment networks and are placed at different locations within their cards, as noted in the table below:

Description and Location

CVV2 — Card Verification Value 2

The last three digits of the number printed in the signature panel on the back of the card.

CVC 2 — Card Verification Code 2

CID — Card Identification Number

CID — Card Identification Number

The four-digit number located above the card number on the front of the card.

Now let’s look into each individual brand. First, here is Visa’s CVV2:

Websites that don't ask for cvv code

Here is MasterCard’s CVC 2:

Websites that don't ask for cvv code

Here is American Express’ CID:

Websites that don't ask for cvv code

And finally, here is Discover’s CID:

Websites that don't ask for cvv code

As already noted, each brand maintains its own security standards, but for the sake of simplicity, I will now give you an outline of a card transaction process, which will broadly apply to each one of them. If you look hard enough, you may find some inaccuracies when my process is applied to any given network, but these will be insignificant and, at any rate, they will not change anything when it comes to the way card security codes are used for fraud prevention purposes. Look at this as just a simplified model, not necessarily a point-by-point description, of how the transaction process works.

It is best, I think, to outline the basic fraud prevention guidelines and best practices for card-not-present transactions as a whole, as it is difficult to separate one element from the others. So here they are:

1. Authorize all card-not-present transactions. Authorization is required on all non-face-to-face transactions, without exception, as they are considered “zero-floor-limit” sales. An authorization approval should be obtained before any merchandise is shipped or service performed.

2. Ask for the expiration date. Although it is not as absolutely mandatory as the authorization requirement, you should ask your customers for their card’s expiration, or “Good Thru”, date and include it in your authorization requests.?á Including the expiration date helps verify that both the card and transaction are legitimate. An e-commerce or MO / TO order containing an invalid or missing expiration date may indicate a counterfeit card or an unauthorized use.

3. Ask for the security code. This is the item in which we are particularly interested right now, so I will spend some more time on it. Here is how security codes should be used in the transaction process:

  1. Ask your customer for her security code. Do not use any of the abbreviations in the table above, as she may or may not know what they mean. Instead, your websites should offer help locating the code on the card for the different brands or, if taking a phone order, just tell your customer where she should be looking for it.
  2. Include the code into the authorization request. This should be an automated process, but check with your processor to make sure it is part of it, along with all other transaction data (the account number, card expiration date, cardholder name and address, etc.).
  3. Include a code indicator. One of the following indicators should be included in your authorization request, whether or not you are submitting a security code as part of it:

Security Code Presence in Authorization Request

websites that don't ask for cvv code

Websites that don't ask for cvv code

What is the CVV Number?


CVV is an authentication procedure established by credit card companies to further efforts towards reducing fraud for internet transactions. It consists of requiring a card holder to enter the CVV number in at transaction time to verify that the card is on hand.The CVV code is a security feature for "card not present" transactions (e.g., Internet transactions), and now appears on major credit and debit cards. This new feature is a three- or four-digit code which provides a cryptographic check of the information embossed on the card. Therefore, the CVV code is not part of the card number itself.

The CVV code helps ascertain that the customer placing the order actually possesses the credit/debit card and that the card account is legitimate. Each credit card company has its own name for the CVV code, but it functions the same for all major card types. (VISA refers to the code as CVV2, MasterCard calls it CVC2, and American Express calls it CID.)

The back panel of most Visa/MasterCard cards contain the full 16-digit account number, followed by the CVV/CVC code. Some banks, though, only show the last four digits of the account number followed by the code. To aid in the prevention of fraudulent credit card use, we now require the 3 or 4 digit code on the back of your credit card. When you submit your credit card information your data is protected by Secure Socket Layer (SSL) technology certified by a digital certificate.