I heard the CVV2 code doesn’t increase security these days. Is that true?
CVV2 is the name Visa gives the 3-digit code that appears on the back of credit cards. Mastercard calls it CVC2, Discover and Amex call it CID. In general, they are called Card Security Code (CSC). When a merchant asks a customer for the CSC, it gives an added layer of protection against fraud: only a user with access to the physical card can cite the CSC. At least, in theory.
Of late, the usefulness of CSCs have been challenged. After all, this argument goes, when phishers steal a credit card, they steal the CSC too from the user.
So, what extra protection does CSC give? This argument was well articulated in a Dreamhost blog post.
In defense of CSC, note that not all credit cards are stolen by phishing. Many are stolen directly from billing databases of other merchants. When an attacker compromises the system of a merchant, they get hold of thousands of credit card numbers - but, not the CSC. Visa, Mastercard and others require that merchants never store the CSC codes, that they destroy it immediately after use. So, even if a merchant is compromised, the CSC card would not get into the hands of the bad guys. Thus, when a user enters the CSC correctly, there’s higher likelihood of it coming from the true cardholder.
Wikipedia has more on Card Security Codes.
You might also want to check out Dreamhost’s follow-up post on why they use the codes now.