Email asking for CVV, two days after I make a purchase?

Your credit card details can be seen as public

Your credit card details have been handled in an insecure way, and you should contact your bank to have the card revoked and get a new one.

What have happened

To handle credit card payments over Internet the company need to be PCI-DSS certified (thanks David Fulton for the full certification name). The certification is mandatory by the big credit card companies like Visa and MasterCard. This certification is in place to make sure the credit card details are handled in a secure way.

But a webshop doesn't need this certification if they use a third party payment provider. In that case all credit card information is handled by the payment provider. By sending the credit card information directly to the payment provider the webshop never handle any credit card information at all.

The webshop you have ordered from doesn't have, or doesn't follow, the PCI-DSS certification. This is obvious by them asking for the CVV by email. And they don't use a third party payment provider that have the PCI-DSS certification, by the same evidence. At least not in the intended way. Most likely they are trying to develop at least the UI for the payment without fully knowing what they do.

The result of this is that the credit card details added to this webshop can't be trusted. They have showed that they can't handle the security needed for credit card data. As such I would treat all information for that webshop as public.

Please note that I'm not saying that the webshop have acted knowingly maliciously. But it's about your money, does it really matter if it's knowingly or not?

What to do now

I can't tell you what to do, but this is what I would do:

1. Contact the bank and stop the payment for this order. I don't want to make business with dodgy companies, I would rather order the product elsewhere for a few bucks extra.
2. When talking to the bank, cancel the card and order a new one. A new one with a new credit card number. As stated above I consider your credit card details to be public. And since you know it's been used a bit dodgy, you probably won't get the money back if it's used for something you haven't ordered.
3. Contact the webshop and cancel the order. Do this as soon as possible, after stopping the transaction and cancelling the card.
4. Contact your credit card company (Visa, MasterCard etc) and report the webshop to them. Hopefully they will investigate the webshop. That way you help making sure no one else gets into this mess.

Could it be something else

As stated in other answers this could be phishing. But if it is, shouldn't the order be completed by now? And how did the phishers know you placed an order in that webshop? If you made it public on the Internet it could be they have picked it up from there, otherwise they got the information from the webshop.

But again, it's your money on the line. I think it's better to be safe than sorry.

As a web developer I know that a store's web site should never store your credit card number. It should be passed to the payment gateway directly and never be stored. If the store still has your credit card number 2 days later to use with the CVV they are mishandling your payment information. Otherwise it is a scam. Don't send your CVV, contact the store to see what is going on (they may have been compromised).

CVV is never disclosed unencrypted, i.e. via email. It can only ever be disclosed through a secure credit card processing page. Its probably illegal for the company to request a CVV via email.

Adding to @davidfulton's answer...

The CVV is a "proof of possession" indicator. If you know the CVV, then it means the card is in your hand and you are reading it off the card. It should never be permanently recorded anywhere. When I'm talking to a customer service agent and they ask for the CVV, my response is "are you writing it down or are you inputting it into a computer?" If it's the former, I don't give it to them.

A properly constructed credit card processing system will handle the CVV properly (and these systems get audited all the time). Writing it down on a piece of paper or putting it in an email is just wrong.

Anyone who knows your CVV and your card number can prove that he/she "possesses" your card.

And yes, PCI-DSS is very fussy about what a merchant can do with card information and CVV information in particular. They should never be asking you to put it in an email.

Even if this is an innocent request it's wrong.

PCI-DSS regulations (which have a global reach) are extremely strict about the management of card data. Certain values cannot be retained at all and some must be encrypted both in transit and at rest. The CVV is one of the more protected fields, so the fact that they're asking you to send it by e-mail is already a breach.

At the very least, they don't know what they're doing. This could be captured by a secure web form (most small companies just get an acquiring service to host the page for them), but e-mail capture is definitely not on.

In my opinion, this really depends on the website. If the website is not really a storefront, but is - for example - a local (local to somewhere, anyway) gaming store that sells Magic/Pokémon cards online, something like that, where they take your information through the website but actually enter it in to their POS system by hand, then this is an entirely reasonable thing. This isn't a great way to do things - no part of a system where they enter information into POS that they collected another way is, and it's almost certainly not compliant with how they ought to be doing things - but it's not surprising, either, and probably not fraudulent in that case; they simply forgot to require the code during the checkout process.

However, if the website seemed to be complete with payment information built in, then I would be more wary. That makes it sound a lot more like phishing, to me.

All things considered, though, this seems somewhat low likelihood to be phishing, and high likelihood to be a store that's ... not highly secure. I would not email them back, but instead call them. If they're like I describe and doing things manually in their POS system - then it's possible you can handle this over the phone. Avoiding the CVV code being in email is one major benefit, and secondly you confirm that the email really did come from them by contacting them via a different method (and look up their phone # online, don't use the email you were sent.)

DO NOT respond directly to the email with your information.

I cannot stress that enough: DO NOT respond to the email with any valuable information. If you decide to send them the CVV number to process the order, go to their website (do not click on a link in the email), and reach out to them using a customer service email or "Contact Us" number and ask them directly if they have requested this information. If they did, call them over the phone and share the CVV that way, rather than in an email.

This sounds like it could be phishing, where a scammer pretends to be someone you've done business with, and asks you for information that can be valuable. Usually it's for a bank user name and password ("Your password has been compromised. Click here to reset!" -- Never ever click there). If we're honest, I don't think this is phishing (a scammer would need your CC details for the CVV to be of any use), but it could be and it's important to develop safe habits.

A merchant uses that code to process the payment and verify possession of the card if they aren't handed the card in person (i.e. internet purchases). So if they didn't ask for it before, that was probably a mistake and at the very least opens them up to more liability. If they're new to accepting credit card payments, it's possible that they're still figuring everything out and it's an honest mistake. But that's the sort of thing they really should figure out after running a couple of orders (of course, a scammer would have that figured out too, so I wouldn't consider that a red flag per se). (NB: Apparently, the requirement isn't as strong as I originally thought (see comments), but I would consider needing the CVV the norm)

I might be willing to give them a benefit of the doubt if it's a new and small operation (and more businesses have become internet based the last few months for obvious reasons), but I'd be extremely wary of responding directly to the email with any personal or remotely valuable information for the reasons stated above. Reach out to the company directly through the website to confirm, preferably with a phone call. It's not perfect, but much more secure with hopefully just a little more effort.

It may not indicate fraud but it suggests incompetence/amateurism on the part of the business. This is not the normal flow for accepting credit card payments -- have they just started doing so?

Ben Miller says:

They could just as easily have been mishandling the code if they had asked for it at checkout.

But asking for it at checkout is likely part of a standard software process. Asking for it in an email suggests an unusual, manual, "roll-your-own" process that is likely less secure than a standard one. Even if you won't be liable for any fraud, it's a sign that the business may also be amateurish in other ways (quality, customer service).

Let me ask you these questions:

• Do you trust this website/business?
• If they had asked for the CVV code at checkout, would you have provided it?
• Do you believe that the email message you received is really from the company?

If you can answer yes to all these questions, then go ahead and give them the code. If you do not give them the code, your order will be cancelled and you will not be receiving your item.

I expect someone to comment at this point and suggest that what they are doing is illegal/improper, and that they shouldn’t need the code. I would say to them (and to you) that this company would not be asking for the code if they didn’t need it to process your order. If you would have provided it at checkout if asked, then you should provide it now.

They will also suggest that the company is mishandling the code. They may or may not be, but that is not really a concern of yours. They could just as easily have been mishandling the code if they had asked for it at checkout.

If it turns out that someone at this company is a crook, or if they get hacked and your card number & code get stolen, you will not be liable for the fraudulent charges. So while it is good to be cautious, if you have no reason to suspect the company/website is fake, I would say go ahead and give them the code.