Q: CVV (both CVV1 and CVV2), CVC - i need a complete explanation. ( Answered,   3 Comments )
Question  
Subject: CVV (both CVV1 and CVV2), CVC - i need a complete explanation.
Category: Business and Money > eCommerce
Asked by: ecommercial-ga
List Price: $150.00
Posted: 17 Sep 2004 13:01 PDT
Expires: 17 Oct 2004 13:01 PDT
Question ID: 402632
Hello,

Can anyone explain to me in detail how VISA CVV (1 and 2) and
MasterCard's CVC work? I need a complete explanation of which data is
the source for this value, what algorithms are used to encrypt this
value, etc. A link to some discussion or a standardisation article
would also be useful.


Thank you.
Answer  
Subject: Re: CVV (both CVV1 and CVV2), CVC - i need a complete explanation.
Answered By: tox-ga on 30 Sep 2004 15:01 PDT
 
Hi there,

First I'd like to point out the Google Answers disclaimer on the
bottom of the page, and remind you that most of the following
information that was found is strictly to be used for educational
purposes.

The CVV (Card Verification Value) is a sequence of digits constructed
by a cryptographic process and written to the magnetic stripe of the
card.  Data such as the card number, the expiration date and the service
code is triple encrypted using a special Card Verification key pair,
and selected digits from the results are used to create the CVV.  The
algorithm used in the calculation is similar to that of PIN
encryption.
For information on how these cards are encrypted, please refer to:
http://www.amarshall.com/crypt101.html

Specifically, CVC (card verification code) and CVV (card verification
value) are encrypted using the Triple DES system.  The Triple DES used
for CVC and CVV uses two single length Keys such that the first Key
encrypts data, the second Key decrypts the results of that encryption,
and the first Key encrypts the results of the decryption.
For details on the use of DES and 3DES in financial institutions,
please refer to the following white paper.
http://www.pulse-eft.com/upload/EncryptionKeyWhitePaper4_2003.pdf

For a visual representation of how the encryption works please take a look at:
http://www.maxlin.ca/tos/ga/3des.jpg

Since PIN encryption uses the same/similar system, here's a sample excerpt
to provide you with a better understanding of how it works:
**
The PIN (Personal Identification Number) is basically encrypted as
follows. The card number is taken as a hexadecimal number and is
encrypted with the DES algorithm using a secret key, which is called
the "PIN key". The first four digits are decimalized (i.e., A = 0, B =
1, ...) and are called the "natural PIN". An offset is added (without
carry) to the natural PIN in order to obtain the customer PIN. The
customer PIN may be changed but the natural PIN cannot. The offset is
what is written in track 3 and I called the "encrypted PIN". Here you
have an example:

Card number: 1234567890123445 (hex), input for DES.
PIN key: 0123456789ABCDEF (hex), key for DES.
Encrypted card number: 9A466AD30DFE0381 (hex), output from DES.
Natural PIN: 9046.
Offset: 2298 (this number is written on track 3).
Customer PIN: 1234. 
**
The author also recommends the following links:

Breaking the Visa PIN
http://www.gae.ucm.es/~padilla/extrawork/visapvv.html

Original Visa Scheme
http://axion.physics.ubc.ca/atm.html

Discussion on other systems
http://www.gae.ucm.es/~padilla/extrawork/magnews.txt


The CVV, however, is still only an additional security measure; it is
not foolproof.  Even a system with much higher security, the 96-digit
encryption algorithm, was cracked by hackers and posted on the internet
in the past.
http://www.computeruser.com/newstoday/00/03/11/news4.html 


If you would like more information on the 3DES encryption system, or
would like clarification on any part of the answer, please feel free to
ask anytime.

Cheers,
Tox-ga

Google search terms: 3des double length cvv card verification algorithm encryption
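
Added example (not part of tox-ga's answer or of the excerpt it quotes): the decimalization and no-carry offset arithmetic from the PIN excerpt above, checked against the excerpt's own numbers. The DES step is not performed; the 16-digit DES output is taken as printed in the excerpt, and all function names are illustrative.

```python
import hmac

# Decimalization as stated in the excerpt: A = 0, B = 1, ... F = 5.
DECIMALIZATION = str.maketrans("ABCDEF", "012345")


def _require_decimal(*values: str) -> None:
    if len({len(v) for v in values}) != 1 or not all(
        c in "0123456789" for v in values for c in v
    ):
        raise ValueError("operands must be decimal strings of equal length")


def natural_pin(des_output_hex: str, length: int = 4) -> str:
    """Decimalize the first `length` hex digits of one DES output block."""
    block = des_output_hex.strip().upper()
    if len(block) != 16 or any(c not in "0123456789ABCDEF" for c in block):
        raise ValueError("expected 16 hex digits (one DES block)")
    return block[:length].translate(DECIMALIZATION)


def add_no_carry(a: str, b: str) -> str:
    """Digit-wise addition modulo 10; no carry between positions."""
    _require_decimal(a, b)
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def customer_pin(des_output_hex: str, offset: str) -> str:
    """Natural PIN plus the offset stored on the card."""
    return add_no_carry(natural_pin(des_output_hex, len(offset)), offset)


def offset_for_new_pin(des_output_hex: str, new_pin: str) -> str:
    """Offset to store when the customer changes PIN (natural PIN is fixed)."""
    nat = natural_pin(des_output_hex, len(new_pin))
    _require_decimal(new_pin, nat)
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(new_pin, nat))


def verify_pin(des_output_hex: str, offset: str, entered_pin: str) -> bool:
    """Issuer-side check, compared in constant time."""
    expected = customer_pin(des_output_hex, offset)
    return hmac.compare_digest(expected.encode(), entered_pin.encode())


# Values printed in the excerpt above.
EXCERPT_DES_OUTPUT = "9A466AD30DFE0381"
EXCERPT_OFFSET = "2298"
```

A PIN change only rewrites the offset; the natural PIN stays tied to the card number and the PIN key, which is why the offset by itself does not give the PIN to someone without the key.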
Comments  
Subject: Re: CVV (both CVV1 and CVV2), CVC - i need a complete explanation.
From: probonopublico-ga on 17 Sep 2004 21:22 PDT
 
Visit:

www.primefactors.com
Subject: Re: CVV (both CVV1 and CVV2), CVC - i need a complete explanation.
From: krisbailey-ga on 28 Sep 2004 08:02 PDT
 
from what i understand this is not something that you can calculate
unless you have access to visa's DES keys.  an in-depth explanation of
how the process works can be found here:
http://www.primefactors.com/resources/index.cfm?fuseaction=article&rowid=37
Subject: Re: CVV (both CVV1 and CVV2), CVC - i need a complete explanation.
From: tilde-ga on 08 Jun 2005 06:48 PDT
 
do you think there will ever be a CVV generator?...or is it too
dependent on the DES keys?...

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.
