As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.
For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.
I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".
That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:
- First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.
- Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.
- Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.
The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".
I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.
However, I still puzzled:
- Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.
- From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?
Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.
Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.