Date: 2023-08-08

Lotto says transactions on its MyLotto app are secure, despite the system approving some card payments with false information.

Lotto players reported the issue over the weekend, saying card payments on the MyLotto app were being approved even when random numbers were entered as a CVV.

A CVV (card verification value) number is used to prove to online merchants that the person making a payment actually has the physical credit or debit card.

They are usually printed on the back of the card and are also known as CSC, CAV2, CVC2, CVV2, or CID numbers depending on the card issuer.

A Lotto spokesperson said transactions on the app were completely secure, and its payment providers used robust security measures.

“The nature of those payment security systems is not determined by Lotto NZ, it is instead a matter for payment providers and the customer’s bank,” she said.

“We understand some providers rely on the CVV and some don’t. This is why some MyLotto customers may still be able to top up without the CVV, if their card has already been registered and validated, but others won’t.”

While the situation could be confusing, the system needed to cater for different processes and every transaction was secure, she said.

All transactions on MyLotto happened behind a secure username and password entry and “guest entry” wasn’t an option.

Sam Leggett, Cert NZ senior threat analyst, said while a CVV number added an extra layer of security when making purchases online or over the phone, its use was not a requirement for processing online transactions.

“It's ultimately up to the retailer whether they ask for and/or verify the CVV as part of the transaction process.”

Leggett said consumers should always ensure the site they were giving card details to was legitimate, whether it asked for a CVV or not.

“We also recommend that you don't let a site save your credit card details, as this can be an issue if the site suffers a data breach.”

Under international standards for secure transactions, CVV information must not be stored after it has been used to authorise a transaction.