UPDATE!
Crossed words in this article are supposed to be treated as false, please ignore them!
Read more about this here in an updated article!
Watch out for this option when you’re purchasing games on Steam:
If you have selected this option Steam will remember your security code you provided earlier – I did not agree to remember this code – and right after you “Buy” a game by clicking the proper button you won’t be prompted if you want to use PayPal, VISA (or any other payment method) and you will buy any game instantly. Best way to check this is to buy any random DLC for a game you don’t own and you will see that it will try to purchase the game automatically.
We encourage you to send a support ticket to Valve to make this optional to remember the security code. You can use this pre-made e-mail message:
Hello!
I am concerned that Steam Store saved my credit card’s security code on an external server after I selected “Save my payment information so checkout is easy next time”. In the past this option only saved my name, address, phone number and still asked me about credit card number, security code and it’s validity.
Also by selecting this option Steam Store prevented me from chosing other payment methods than VISA.
Please make this optional and do not save my credentials next time (but save my name, address etc – just like it was before).
Thank you for your help,
XXX
Update #1:
Sure you can remove your details from My Account section in the store but that is not the point. Steam shouldn’t remember expiration date, security code and the card number itself.
Update #2:
Thanks to our friend ld13 we managed to find interesting information from VISA’s website:
Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database.
Source: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf (Page 12)
CVV2 storage. The Visa U.S.A. Inc. Operating Regulations prohibit merchants and/or their agents from storing the Card Verification Value 2 data (security code printed within or immediately to the right of the signature panel) after transaction authorization.
Source: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf (Page 60)
Card Verification Value 2 (CVV2)
A Visa fraud prevention system used in card-not-present transactions to ensure that the card is valid. The CVV2 is the three-digit value that is printed on the back of all Visa cards. Card-not-present merchants ask the customer for the CVV2 and submit it as part of their authorization request. For information security purposes, merchants are prohibited from storing CVV2 data.
Source: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf (Page 130)
Comments
21 responses to “(Updated) Steam will remember your security code!”
So Steam promoted itself on PayPal level.
If I let my imagination go further: when someone steal your account and you had your CC informations saved then VAC ban is the smallest thing you have to fear about. You can find your account full of games you didn’t bought and bank account sucked to bottom and dry as Sahara desert – especially with those prices on Steam :) I wonder how will you proof that you didn’t buy those games and of course if you block the payments before money was send you will be considered as fraudulent user.
“Does Steam remember also security number?”
No. It does not need to remember it after your first transaction!
The CVV acts as a mechanism against fraud for the Merchant/Steam. If the CVV matches the first time you buy with that card they know you got the card “in hand” as such. They would then eg. flag you/the card as trusted and allow you to buy against that card for your next purchase…if you selected that option. They would thus not need to re-verify the card using the CVV on your next purchase.
Paypal works on the same principle. They verify your CVV initially and flag your card as “verified/confirmed” or whatever term they want to use and stores your CC number for the next time you want to use it. PayPal just takes it a step further by asking for a special code directly from your card’s statement – something that only the Original Card Holder should have access to. This is much safer as anyone can steal your card info and use it online but not everyone can access your bank statements.
The problem I have is with this InstaBuy ‘function’ that someone at Steam thought would be an awesome feature. Steam needs to return to the previous way the system worked. The ‘store CC info’ box can stay but they should ask the user to re-enter the CVV like I heard D2D does on each purchase imo. Otherwise they might also think of implementing Verified by Visa – Not sure if they have that yet though.
“Does Steam remember also security number?”
Yes.
D2D remembers Credit card number, but they will ask for security number during checkout.
My question is – once and for all, to make this clear (because I pay via PayPal, so I don’t know this):
Does Steam remember also security number?
I asked once on Steam forums and reply (by some user, not mod or guy from Valve) was: Steam will ask for security code.
Only fool would check that box.
PS: D2D ir gamers gate have same option
@Spooky Thank you for reminding me to wake up. Just had a nice cuppo java so I should be fairly awake at this stage. I still do not get what your problem is though. I know my card info off by heart as well. In fact I removed the CVV number from my card to protect myself against card theft. I’m just trying to explain the reason why the CVV is there in the first place. I did not like make it up or anything. In fact, let met quote directly from Visa: “[the CVV2 code] is a three-digit number imprinted on the signature panel of Visa cards to help card-not-present merchants verify that the customer has a legitimate card in hand at the time of the order” – That is why they are so strict about NOT storing CVV info.
Ergo Steam is not in violation of any Visa merchant regulations. I just verified this with Visa too. The CVV is there for the merchant and does not get used in normal transactions at all once the merchant trusts the card/user.
Question sent
@ld13
wth? I can write my whole number (inkl. CVV) out of my memory. Card on my hand? Come on. Wake up ..
oh shit, i tried that with DLC from game i donˇt own, as you said, and really that is instantly O.o
wtf?
@kipa – That is the thing, it does not allow you to change the payment anymore. I just tried it with a DLC and it tried charging my card instantly after I selected “buy for myself”. That is not nice. A merchant must at least require the CVV number before charging as they are not allowed to ‘know’ that beforehand. The CVV number is the proof that you do have the card in your hand.
@slay – OneClickBuy is dangerous if not set up with the full consent of the user thereof. I wonder how Amazon.com gets around the CVV storage regulations . . .
Well you got the point here.
I personally like that one click buy.
And btw, correct me, if I am wrong, but as I remember, the VISA payment system was changed. It didn’t ask for that security code, it asked only for your name.
So I think that this could be reason of “saving payment information” – they simply doesn’t save that security code, they don’t need it anymore.
Imagine this, you go into the grocery store, buy some bread and orange juice. You go to the checkout and pay with your card.
The next day you do the same except they:
– won’t allow you to pay with cash
– will remember your pin number
Question: Would you like that?
lol,
Whats wrong with that? That is not new and if you would like to use other payment method or other credit card you can do that by click an edit before the last step in every payment.
I happy, because i don`t need to write again and again my card information, just next next next and i purchased my game ))
Or you are worrying that steam will stole your credit card? XDDD
You are funny, really ))
For people who don’t understand:
Save my payment information so checkout is easy next time – shouldn’t save your SECURITY CODE for your credit card.
First 1€ ≠ 1$ and now they collecting our credit cards details…