While individuals should do their best to protect confidential information such as passwords and PIN numbers, businesses and other organisations that process payments must also help protect their customers' personal information.

My wife bought a foreign domestic worker insurance plan from a local insurer over the phone. The salesman asked for her credit card details, including the card verification value (CVV), to process the payment. She did as instructed.

Based on my experience in making credit card payments by phone, I know that such payments can be processed without the CVV.

When I asked the insurer about this, it claimed that the CVV was needed for "immediate payment" to facilitate the work permit processing, although our helper's permit was still valid for another month so there was no urgency.

According to the written reply from the insurer, "our telesales executive can ask for our customers' credit card CVV for the purpose of payment transaction, and there is no restriction on us doing so".

My wife informed the bank that issued the credit card, and was advised that the CVV is confidential and should not be shared with anyone. It cancelled her card immediately as its security had been compromised.

Francis Yong

A version of this article appeared in the print edition of The Straits Times on January 27, 2022, with the headline Insurer asked for credit card CVV over the phone.

