Credit cards--we’re all used to the setup: sixteen digits in groups of four (15 if you’re using an Amex), a four digit expiration date separated by month and year and a three or four number code on the back, often referred to as the CVC or CVV (card-verification code or card verification value).  

But what do those numbers really mean? And how can anyone expect customers to know what the appropriate use of each number is? Consider this question posed to the online magazine Consumerist, where a Dunkin Donuts customer was asked to read her CVC code aloud in front of other customers. Aren’t we asked to protect these numbers at all cost? But then again, how can we protect them when everyone is required to provide them constantly to complete regular, even trivial, transactions?

Here’s what a credit card number is made up of:

• Main Card Number: Your main card number is actually two numbers - a six to eight digit IIN or Issuer Identification Number (A.K.A. why all your Visa cards start with the number four), plus your personal account number with that credit card (which is why you give the last four digits to refer to a specific card).
• Expiration Date: This date is written in anticipation that your card might get worn out at some point and need replacing, not that your account with the company will magically vanish. It also serves at yet another fraud protection layer, adding another piece of information to have before a card can be charged.
• The Security Code: This three or four digit number was designed for “card-not-present” transactions - i.e. when you’re ordering something online or over the phone and the merchant can’t be sure you have the actual card in your hand.

In addition to these numbers, most cards now contain a chip which is an additional layer to ensure your card that can’t be easily obtained by a credit card skimmer and duplicated. In the Dunkin’ Donuts situation, clerks were being asked to put in the code on the back of the card probably because the stores didn’t have chip readers yet. And although most big retailers have them now, over half of small businesses still don’t have chip technology, making their transactions more vulnerable to fraud.

Some cards, like American Express, go even further, not encoding their four-digit security codes on the card’s magnetic strip--when you swipe your card, a machine won’t be able to pick up this information.

So when should you, and shouldn’t you, share that security code? Credit bureau Experian shares some tips:

• Don’t give the number to any business you didn’t initiate contact with.
• Don’t give out your security code to any business that seems sketchy or you’re unsure of.
• Never provide the code to someone who calls you or emails you, unless it’s in response to a transaction you initiated and you understand why you’re being contacted.

In the context of increasingly escalating data theft, what do security codes have to teach us about how to keep our customer’s data safe?

1. Does your company have a good reason for each piece of data you request from customers? If a client asked you why a piece of data was needed, what would your answer be? If you don’t have a real need for it, do not collect it. Every piece of unnecessary data puts your customer at risk.
2. What data do you rely on as “secure” when, in reality, it could easily obtained by fraudsters? We often rely on Social Security numbers to verify a person’s identity, despite the fact that they’re given out to almost everyone, making them a lot less secure than we’d like to think.
3. What other hold-over practices do you still use, despite the fact that they offer little or no security benefit to you and your customers? When industry-standard policies like the scheduled mandatory password change are being challenged, it’s time to reevaluate your own practices and eliminate those that introduce friction while offering little or no benefit.