

Sony Shares More Details On PlayStation Network Breach - Auguste
http://techcrunch.com/2011/04/27/sony-shares-more-details-on-playstation-network-breach/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=Google+Reader

======
mixmax
At first sight it may sound reassuring that the credit card security codes
weren't stolen, but the devil's in the numbers.

If you have one million credit card numbers, then you'll on average get a
thousand successful transactions if you try a random security code with each
card - they're only three digits. I don't know how many tries you get before
the card is closed, but from personal experience I know it's more than one,
which affects the probabilities a lot.

~~~
tzs
Visa and MC generally do not actually require the code for online transactions
in the US. Visa does require it for transactions in Europe, though.

I believe that if the merchant does send it, the credit card association
charges slightly less. If the merchant sends it and it does not match, the
result depends on the bank that issued the credit card. Some cause the
transaction to be declined, but many just report back whether it matched or
not, and leave it up to the merchant to decide whether or not to proceed with
the charge.

Arguments for sending it: possible slight lowering of fees; reduced risk that
the sale will lead to a charge back.

Argument against sending it: it is one more piece of data the user can screw
up entering.

