Really really helpful post over on 451 Security. Here’s the intro:
I’ve written this post for two reasons. First, the recent Target breach has led to some confusion, which I will try to clear up here. Second, I wanted to create an easily referenced educational resource on how credit cards are designed to work. I’m hoping this will help people understand the intricacies of credit card fraud and how some credit card features attempt to limit it.
Here is the TL;DR version: CVV codes were compromised and should not be stored post-authorization, but the CVV codes compromised are not the codes printed on the card that we get asked for when making online purchases. There are actually two separate security codes: one to prove possession of the card when it is swiped (stored on the magnetic strip) and another printed on the card, to prove possession of the card when it is used in card-not-present transactions, like e-commerce or over the phone. The same value is not used for both codes.
Read more on 451 Security.