Online casino Debit Visa transaction successful with wrong/random CVV

Hydr0

Hey guys, first post in a long time.... Hope you’re all well!

I made a deposit at a popular and legit online casino using my registered debit Visa card. I entered the wrong CCV by accident. Naturally I expected the transaction to fail but to the contrary it didn’t. I advised the casino immediately and the supervisor stated it’s impossible for a debit card transaction to succeed with an incorrect CVV. I maintained that it did indeed succeed with an incorrect CVV, but it appeared to fall on deaf ears.

Adamant that I was correct in my observation, and not the tripper I believe I was being perceived to be by support (in the nicest possible way, I may add) I decided to make another deposit with the same card, only this time I entered a random CVV and took screenshots at each stage of the transaction; well guess what - again success, as well as shock horror that this type of security risk could actually occur.

Once again, I contacted support, and advised them that I had solid proof this time to support my concern, and hence provided them with the screenshots I took. The impossible became possible after all, and they swiftly passed on my notes and photo proof to IT for investigation, after realising that yes, I’m right, an incorrect CVV number doesn’t adversely affect the outcome.

Has anyone here ever experienced this type of issue at an online casino or otherwise? It’s a genuine worry, and the casino in question obviously had no clue that their debit visa processing system has a potentially significant security flaw linked to Visa card transactions. Perhaps the issue is unique to my country and/or bank provider?

I wonder how long the issue has been there at the casino in question, and whether or not other casinos have or are experiencing the same seemingly “impossible” issue, but it’s gone undetected to date.

Thanks for listening, would like to hear your thoughts on the subject.

hydr0
 
With videoslots sometimes when I make a deposit it says failed. So like most people I try again and it succeeds then when I go to my account I find that both deposits have actually worked leaving me short in my bank account. I have live chatted about this but only to be told it can sometimes take a minute for the transaction to go through despite it saying declined. And no you don't get your first failed transaction back.
 
Thanks for your reply Scott. Yes, I understand that sometimes transactions can be tagged as failed initially, and end up going through successfully a short time later - this may happen for a variety of reasons, and I too have experienced this a few times in the past. The key point here however is that debit visa transactions shouldn’t work at all if the CVV is incorrectly entered; at least, that has always been my understanding. In my case, the last two deposits were successful, and funds were debited from my account despite my having entered the wrong CVV on each occasion. Have you ever had this experience?
 
Why would it leave you short in your bank account?

Even if you have to turn over the deposits 1X, you only need a 50% RTP and then withdraw your 2nd deposit, play with what's left.

With VS the money is back in your account pretty much instantly.
 
Nah bank transfer takes 3 working days to go back in. Still waiting for the top one. [attached screenshot]
 
What casino is it? I had a similar issue with Casumo (until I closed my account)
 
This is really strange to me. I worked at Lloyds for a company called First Data not so long back on the card transaction side. Basically selling means for businesses to take card payments, from online portals through to pdq machines.

I finished there about 2015 and at that time, all transactions were handled by providers and not the seller. All merchant services are handled by 3rd parties - Worldpay, First Data etc and the banks each offer a product or two.

It may look like you are still on the same website but the actual transaction is handled by the 3rd party on their server. This was true for all transactions worldwide no matter how big or small a company is/was. Tescos, Amazon all had people like Lloyds tendering for their business. In fact, something like 60% of card transactions worldwide one Christmas went through First Data.

So if there is an issue with the portal taking any cvv then the 3rd party are liable and will be handling the complaint. As far as I am aware the casino won't be handling the details. That's if nothing has changed. Often you can't see any evidence of being on another provider's page or pop up.

I will add, it is possible to process a transaction without a cvv code but this is normally critical online.

Edit: I will also add the merchant will pay more for a 'non-secure' transaction, e.g. one without a cvv code or part of an address missing.
 

Thanks for your reply Bamberfishcake.

Normally when the visa debit transaction is processed, there is no visible redirection to the third party provider (as you say), and this has been the case up until very recently.

Apart from my two most recent transactions where the wrong CVV was entered and my account nonetheless successfully debited, and my casino account balance credited, there has been one other instance of visible redirection via the third party handler. Note that in this instance I had the option to cancel the transaction or confirm payment; which I did, because a $5 additional charge was added to my deposit amount (normally fee free), on the ‘Verified by Visa page’.

Here is the sequence that appeared during the transaction (stage two and three not normally seen):

Stage one: [attached screenshot]

Stage two: [attached screenshot]

Stage three (final): [attached screenshot]

Stage three states “Something went wrong”, however the transaction was successfully completed, albeit without the correct CVV, and an additional charge.

In the case of my two most recent deposits, $25AUD respectively, I was charged a fee of $1.00AUD for each transaction. Hence $26AUD was debited from my bank account for each transaction, however only $25AUD x 2 was credited to my casino balance.

The following shows the usual information that appears on my bank statement when depositing and receiving funds from the casino in question:

[attached screenshot]


The image below shows the information that appeared on my bank statement after the seemingly non secure transaction was successfully processed, without the correct CVV. The processing stages were visible for this third party provider:

[attached screenshot]

Before the above anomaly, all other transactions have shown up as DIREX LTD, NICOSIA on my bank statement, and processing stages have never been visible.
 
It is linked, it's my visa debit card. Still takes three working days.

Yep 3 day cycle with card refunds unless the casino and bank co-operate for instant refunds.

First day is the withdraw day, second day is the processing day and third day money hits account. I've argued on here before that in this day and age, all card refunds should be instant.
 
Thanks for your reply Rita. It is part of the DIREX NV group. I’m not sure that stating the actual name is appropriate practice - don’t want to potentially burn any bridges etc with either the forum and/or the casino in question. If stating the name is acceptable to the forum, please advise and I will go from there.
 
Few things I can't work out:

1) Halycard are a 'pre paid reward card' provider and I cannot see that they are listed as a 'merchant services/payment gateway provider' which is strange to me. There are lots of providers for Australia and every transaction will go through one of the providers but they are not one of them, from what I can see.

2) Unsure of the rules in Australia but they will have set guidelines that transactions have to adhere to. In the UK, at the point of sale, your charge of 25 would have to stay at 25 if shown and 25 would be taken from your account. They can't add an extra 1 without notifying you at the point of sale. I'm 99.99% certain this will be the same for Oz.

3) Your payment is being processed in Cyprus usually, which must be where the casino is based. Why is the payment showing for processing in Barcelona where Halycard are based?

Give me a couple of days and I will look into this for you. The only logical reason I can think of, actually seems bonkers so let me check my info and look into it a bit more but my first port of call would be to ask my bank for further information on that transaction, i.e. when and where it was processed.
 
Thanks mate, yes, it’s really odd. I will contact my bank and find out more. I value your knowledge, and appreciate your effort on this...... cheers.
 
In hindsight mate, ask your bank to launch an investigation into the transaction.

I wanted to look into it before I make myself look an idiot but I'm used to that by now so I'm just going to come out and say it -

It looks to me like someone got your details, credited your casino account and then went and used your details to buy a reward card.

Don't take my word for it. Your bank are best placed to find out what's gone on. Give them everything you have shown us but just make that call and ask when and where this transaction was placed. EFTPOS means it was processed on a physical terminal, I think - an actual pdq machine as some people call them, not online.

Let us know how you get on :)
 
Thanks mate. To confirm, I myself, placed the two transactions shown on my bank statement, at the exact times shown in the clipped screenshots (shown above). My account was debited for $26AUD x 2, and my casino balance was credited $25AUD x 2, so all good there, I’m not thinking fraud is at play - it’s just a weird scenario.

I’ve contacted my bank and confirmed that the transaction was indeed processed in Barcelona. I was also advised that some third party processors, online or land based don’t require a CVV to work; although I’m not sure that this applies in my case, because the CVV field was required before the transaction would work (with seemingly any 3 digit combination accepted).

Additionally, a quick browser search found that Halycard is owned by the following company: UKEU Global Sociedad Limitada.

Company location: Barcelona ES

The question remains however - why was Halycard (which incurred a fee) used to process my debit Visa card transaction, and why was the transaction successful despite the CVV being incorrect? This is currently under investigation by the casino in question.
 
I had another read of your post, and maybe you’re correct regarding my personal details being stolen.... hmm... the timing of the transactions adds up however, and I’m not out of pocket at the moment, so I’m not sure what to think. Ok, thanks mate, will launch a more in depth investigation with my bank as well. Thanks again for your advice.

PS: I’ve placed a temporary block on the card used to fund my casino account until the issue is resolved.
 
Update: my bank has confirmed that the transaction was processed online. I was advised to wait a day or two for the bank statement showing the third party processor details to finalise. Based on this advice, I’m expecting to see the POS eftpos to change to reflect an online transaction. The $1 fee x 2 is likely an admin fee charged by Halycard.

Will provide a further update when I know more.
 
Maybe EFTPOS means online in some cases nowadays. It used to mean a physical terminal:

3 methods of processing payments - Physical Terminal, Virtual Terminal and Online Gateway.

If you have not done already - confirm the date and time of the actual transaction with the bank to Halycard and check it matches with when you processed your payment.

Then ask the casino to clarify their involvement with Halycard.

It's strange how your payment has gone to Halycard. Have you ever used Halycard before?
 
Yes mate, times between bank to Halycard and casino processing match up, so all good there.

Never used Halycard.

I think it will be fine in the end. Waiting for the casino's reply. Although an odd scenario, it appears that based on the evidence thus far, that no fraud is at play.

Naturally the casino need to sort out the anomaly however, as by their own admission this should never happen, and it does potentially put the customer at risk.
 
