Capital One ripoff Salt Lake City Utah

Thanks, David. You have summed up my thoughts on this very well.

Sal, employing the use of CCV2 codes for online account registration is just one way credit card companies (like Capital One) are working to comply with the FTC's Safeguards Rule in accordance with the GBL Act. You can disagree all you want, but that's the reality.

And if, like you say, it is really in violation of Visa membership terms, and/or in violation of the law, why would the disclosure of Capital One's CCV2 requirement for online registration be as public as it is? All one has to do is go to Capital One's website and click on "Register Here" to see that the CCV2 is needed for registration. They have required the CCV2 for several years now -- why haven't they been hauled into court? Fined thousands of dollars for violating their customers' privacy? etc. It hasn't happened, which is why what you're saying makes no sense at all.

Here is the whole thing explained in one simple sentence.

The codes are there to VERIFY that the one making the transaction is actually holding the Credit Card and not just making up numbers.

The above was read by me on many sites about how to manage Credit Card Debt, Wikipedia on CC cards, etc.:)

Yep, that above is what I read as a common use for the Security Codes. ;)

Here is the whole thing explained in one simple sentence.

The codes are there to VERIFY that the one making the transaction is actually holding the Credit Card and not just making up numbers.

The above was read by me on many sites about how to manage Credit Card Debt, Wikipedia on CC cards, etc.:)

Yep, that above is what I read as a common use for the Security Codes. ;)

Here is the whole thing explained in one simple sentence.

The codes are there to VERIFY that the one making the transaction is actually holding the Credit Card and not just making up numbers.

The above was read by me on many sites about how to manage Credit Card Debt, Wikipedia on CC cards, etc.:)

Yep, that above is what I read as a common use for the Security Codes. ;)

Here is the whole thing explained in one simple sentence.

The codes are there to VERIFY that the one making the transaction is actually holding the Credit Card and not just making up numbers.

The above was read by me on many sites about how to manage Credit Card Debt, Wikipedia on CC cards, etc.:)

Yep, that above is what I read as a common use for the Security Codes. ;)

"Sal, your post mentions that CCV2s are "sent electronically to the card-issuing bank to verify its validity." How is Capital One "illegally storing" these codes when THEY are the card-issuing bank that verifies the codes' validity?"

You are too much... How convenient of you to leave out the next sentence to try to change the meaning of the paragraph. Your little tricks don't work here sorry. ;-(

Merchants will request the CVV2 at checkout from the cardholder, and the information is sent "electronically" to the card-issuing bank to verify its validity. Within seconds the CVV2 results are returned with "authorization".

The Merchant Bank has a direct connection to the processing center Capital One uses like Vital Processing Systems would be an example. The Credit Card Terminal at your local general store does not connect to every credit card issuer bank that gets swiped. Common Sense is useful some times isn't it? Also, this connection is point to point and completely secure.


If your copy-and-paste job didn't really mean that card-issuing banks verify the CCV2 for merchants (and therefore must have a database to do so), but rather that Visa Intl/MC Intl/AmEx keep the database and do the verifying, how do you know that the card-issuers don't utilize the system for their anti-fraud measures (like during website registration) that merchants do?

The answer to this question is quite simple. The use of the CVV2 is only for verification purposes during a credit card transaction. It is not a "Signature Panel Code", which is quite laughable if this wasn't such a serious breach. Capital One is in violation of their contract with VISA and has breached a primary security feature just to frustrate former customers who have cancelled their cards. By violating the Visa regulations, they have also violated the FTC Act as well. I have included a few of them for you to wrap your arms around. I have also provided the links to the relevant sections of the Visa Security Standards.


Federal Trade Commission
16 CFR Part 314

Standards for Safeguarding Customer
Information; Final Rule

314.2 Definitions.
(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission's rule governing the Privacy of Consumer Financial Information, 16 CFR part 313. (b) Customer information means any record containing nonpublic personal information as defined in 16 CFR313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
(c) Information security programmeans the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect,store, use, transmit, dispose of, or otherwise handle customer information.
(d) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.

Section 314.3: Standards for Safeguarding Customer Information
Proposed paragraph (a) of this section set forth the general standard that a financial institution must meet to comply with the Rule, namely to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards'' that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue. This standard is highly flexible, consistent with the comments, the Banking Agency Guidelines, and the Advisory Committee's Report, which concluded that a business should develop a program that has a continuous life cycle designed to meet the needs of a particular organization or industry.'


Service provider levels defined

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. Service provider levels are defined as:


1 All VisaNet processors (member and Nonmember) and all payment gateways.*

2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.

3 Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers.


LEVEL 1 Annual On-Site PCI Data Security Assessment
a. Quarterly Network Scan
b. Qualified Data Security Company
c. Qualified Independent Scan Vendor

LEVEL 2 Annual On-Site PCI Data Security Assessment
a. Quarterly Network Scan
b. Qualified Data Security Company
c. Qualified Independent Scan Vendor

LEVEL 3 Annual PCI Self-Assessment Questionnaire
a. Quarterly Network Scan
b. Service Provider
c. Quarterly Network Scan



Payment Card Industry Security Audit Procedures

This document is to be used by those merchants and service providers who require an onsite review to validate compliance with the Payment Card Industry (PCI) Data Security Standard and to create the Report on Compliance.

Note that these PCI Data Security Requirements apply to all Members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including both internal and external (web) applications.

Protect Cardholder Data

REQUIREMENT 3.2.2

Do not store the cardvalidation code [three-digit or four-digit value printed on the front or back of a payment

card (e.g., CVV2 data or CVC2 data)].

TESTING PROCEDURES 3.2.2

Examine the following from the sample selected and obtain evidence that three-digit or four-digit card validation code printed on the signature panel (CVV2/CVC2 data) is not stored under any circumstance:

Incoming transaction data
Transaction logs
History files
Several database schemas

Feel free to bring more of your goons to try to attack me and my intelligence. You guys are a bunch of amateurs who think that others should just believe them because they have backup waiting in the wings to try to give them credibility.

Well I say, Bring it On!!

sorry, allowing you to give a competitors name would instigate others to just file against their competition, to only come back later to suggest their company your comments on this policy are welcome! CLICK here to see why Rip-off Report, as a matter of policy, deleted either a phone number, link or e-mail address from this Report.

"Sal, your post mentions that CCV2s are "sent electronically to the card-issuing bank to verify its validity." How is Capital One "illegally storing" these codes when THEY are the card-issuing bank that verifies the codes' validity?"

You are too much... How convenient of you to leave out the next sentence to try to change the meaning of the paragraph. Your little tricks don't work here sorry. ;-(

Merchants will request the CVV2 at checkout from the cardholder, and the information is sent "electronically" to the card-issuing bank to verify its validity. Within seconds the CVV2 results are returned with "authorization".

The Merchant Bank has a direct connection to the processing center Capital One uses like Vital Processing Systems would be an example. The Credit Card Terminal at your local general store does not connect to every credit card issuer bank that gets swiped. Common Sense is useful some times isn't it? Also, this connection is point to point and completely secure.


If your copy-and-paste job didn't really mean that card-issuing banks verify the CCV2 for merchants (and therefore must have a database to do so), but rather that Visa Intl/MC Intl/AmEx keep the database and do the verifying, how do you know that the card-issuers don't utilize the system for their anti-fraud measures (like during website registration) that merchants do?

The answer to this question is quite simple. The use of the CVV2 is only for verification purposes during a credit card transaction. It is not a "Signature Panel Code", which is quite laughable if this wasn't such a serious breach. Capital One is in violation of their contract with VISA and has breached a primary security feature just to frustrate former customers who have cancelled their cards. By violating the Visa regulations, they have also violated the FTC Act as well. I have included a few of them for you to wrap your arms around. I have also provided the links to the relevant sections of the Visa Security Standards.


Federal Trade Commission
16 CFR Part 314

Standards for Safeguarding Customer
Information; Final Rule

314.2 Definitions.
(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission's rule governing the Privacy of Consumer Financial Information, 16 CFR part 313. (b) Customer information means any record containing nonpublic personal information as defined in 16 CFR313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
(c) Information security programmeans the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect,store, use, transmit, dispose of, or otherwise handle customer information.
(d) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.

Section 314.3: Standards for Safeguarding Customer Information
Proposed paragraph (a) of this section set forth the general standard that a financial institution must meet to comply with the Rule, namely to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards'' that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue. This standard is highly flexible, consistent with the comments, the Banking Agency Guidelines, and the Advisory Committee's Report, which concluded that a business should develop a program that has a continuous life cycle designed to meet the needs of a particular organization or industry.'


Service provider levels defined

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. Service provider levels are defined as:


1 All VisaNet processors (member and Nonmember) and all payment gateways.*

2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.

3 Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers.


LEVEL 1 Annual On-Site PCI Data Security Assessment
a. Quarterly Network Scan
b. Qualified Data Security Company
c. Qualified Independent Scan Vendor

LEVEL 2 Annual On-Site PCI Data Security Assessment
a. Quarterly Network Scan
b. Qualified Data Security Company
c. Qualified Independent Scan Vendor

LEVEL 3 Annual PCI Self-Assessment Questionnaire
a. Quarterly Network Scan
b. Service Provider
c. Quarterly Network Scan



Payment Card Industry Security Audit Procedures

This document is to be used by those merchants and service providers who require an onsite review to validate compliance with the Payment Card Industry (PCI) Data Security Standard and to create the Report on Compliance.

Note that these PCI Data Security Requirements apply to all Members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including both internal and external (web) applications.

Protect Cardholder Data

REQUIREMENT 3.2.2

Do not store the cardvalidation code [three-digit or four-digit value printed on the front or back of a payment

card (e.g., CVV2 data or CVC2 data)].

TESTING PROCEDURES 3.2.2

Examine the following from the sample selected and obtain evidence that three-digit or four-digit card validation code printed on the signature panel (CVV2/CVC2 data) is not stored under any circumstance:

Incoming transaction data
Transaction logs
History files
Several database schemas

Feel free to bring more of your goons to try to attack me and my intelligence. You guys are a bunch of amateurs who think that others should just believe them because they have backup waiting in the wings to try to give them credibility.

Well I say, Bring it On!!

sorry, allowing you to give a competitors name would instigate others to just file against their competition, to only come back later to suggest their company your comments on this policy are welcome! CLICK here to see why Rip-off Report, as a matter of policy, deleted either a phone number, link or e-mail address from this Report.

"Sal, your post mentions that CCV2s are "sent electronically to the card-issuing bank to verify its validity." How is Capital One "illegally storing" these codes when THEY are the card-issuing bank that verifies the codes' validity?"

You are too much... How convenient of you to leave out the next sentence to try to change the meaning of the paragraph. Your little tricks don't work here sorry. ;-(

Merchants will request the CVV2 at checkout from the cardholder, and the information is sent "electronically" to the card-issuing bank to verify its validity. Within seconds the CVV2 results are returned with "authorization".

The Merchant Bank has a direct connection to the processing center Capital One uses like Vital Processing Systems would be an example. The Credit Card Terminal at your local general store does not connect to every credit card issuer bank that gets swiped. Common Sense is useful some times isn't it? Also, this connection is point to point and completely secure.


If your copy-and-paste job didn't really mean that card-issuing banks verify the CCV2 for merchants (and therefore must have a database to do so), but rather that Visa Intl/MC Intl/AmEx keep the database and do the verifying, how do you know that the card-issuers don't utilize the system for their anti-fraud measures (like during website registration) that merchants do?

The answer to this question is quite simple. The use of the CVV2 is only for verification purposes during a credit card transaction. It is not a "Signature Panel Code", which is quite laughable if this wasn't such a serious breach. Capital One is in violation of their contract with VISA and has breached a primary security feature just to frustrate former customers who have cancelled their cards. By violating the Visa regulations, they have also violated the FTC Act as well. I have included a few of them for you to wrap your arms around. I have also provided the links to the relevant sections of the Visa Security Standards.


Federal Trade Commission
16 CFR Part 314

Standards for Safeguarding Customer
Information; Final Rule

314.2 Definitions.
(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission's rule governing the Privacy of Consumer Financial Information, 16 CFR part 313. (b) Customer information means any record containing nonpublic personal information as defined in 16 CFR313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
(c) Information security programmeans the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect,store, use, transmit, dispose of, or otherwise handle customer information.
(d) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.

Section 314.3: Standards for Safeguarding Customer Information
Proposed paragraph (a) of this section set forth the general standard that a financial institution must meet to comply with the Rule, namely to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards'' that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue. This standard is highly flexible, consistent with the comments, the Banking Agency Guidelines, and the Advisory Committee's Report, which concluded that a business should develop a program that has a continuous life cycle designed to meet the needs of a particular organization or industry.'


Service provider levels defined

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. Service provider levels are defined as:


1 All VisaNet processors (member and Nonmember) and all payment gateways.*

2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.

3 Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers.


LEVEL 1 Annual On-Site PCI Data Security Assessment
a. Quarterly Network Scan
b. Qualified Data Security Company
c. Qualified Independent Scan Vendor

LEVEL 2 Annual On-Site PCI Data Security Assessment
a. Quarterly Network Scan
b. Qualified Data Security Company
c. Qualified Independent Scan Vendor

LEVEL 3 Annual PCI Self-Assessment Questionnaire
a. Quarterly Network Scan
b. Service Provider
c. Quarterly Network Scan



Payment Card Industry Security Audit Procedures

This document is to be used by those merchants and service providers who require an onsite review to validate compliance with the Payment Card Industry (PCI) Data Security Standard and to create the Report on Compliance.

Note that these PCI Data Security Requirements apply to all Members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including both internal and external (web) applications.

Protect Cardholder Data

REQUIREMENT 3.2.2

Do not store the cardvalidation code [three-digit or four-digit value printed on the front or back of a payment

card (e.g., CVV2 data or CVC2 data)].

TESTING PROCEDURES 3.2.2

Examine the following from the sample selected and obtain evidence that three-digit or four-digit card validation code printed on the signature panel (CVV2/CVC2 data) is not stored under any circumstance:

Incoming transaction data
Transaction logs
History files
Several database schemas

Feel free to bring more of your goons to try to attack me and my intelligence. You guys are a bunch of amateurs who think that others should just believe them because they have backup waiting in the wings to try to give them credibility.

Well I say, Bring it On!!

sorry, allowing you to give a competitors name would instigate others to just file against their competition, to only come back later to suggest their company your comments on this policy are welcome! CLICK here to see why Rip-off Report, as a matter of policy, deleted either a phone number, link or e-mail address from this Report.

Of course the three digit code is different as the formula also incorporated the expiration date, which changes on the new card. If capital one onoy required the credit card # to sign up, then anyone could get your number from a statement and sign up for web service and use your account.

It can't work like Hugh said because I've gotten replacements for expired cards that have the same 16 digit number but a different CVV number. Using a single formula wouldn't be very secure because if the formula ever got into "the wrong hands" (and it would be hard to tell exactly when or how that happened) then all CVV numbers would be useless.

The subprime banks like to make online access difficult in order to encourage people to go over the limit or pay late, both of which generate luctrative fees. Though Capital One is pretty bad all around, their asking for the CVV number is a legitimate security measure. Someone could get the 16 digit number by stealing a statement out of the mail and if that was all they needed to register online, could do some real damage. The OP could request a new card just to get the number and then destroy it.

Actually, the CVV code is derived from the account number itself - if you know the extremely complex and extremely secretive formula you can take any sixteen digit Visa or Mastercard account number and extrapolate the CVV number.

So the bank isn't "storing" the number, they are running a formula against the card number to come up with the value - if the value you enter matches the one they calculated, you are in - if the codes don't match you aren't.

To the OP - for that reason, that they aren't really stored anywhere and the bank isn't going to give a call center person the formula to figure it out, you will need to order a new card to get the code - then you can destroy it.

Actually, the CVV code is derived from the account number itself - if you know the extremely complex and extremely secretive formula you can take any sixteen digit Visa or Mastercard account number and extrapolate the CVV number.

So the bank isn't "storing" the number, they are running a formula against the card number to come up with the value - if the value you enter matches the one they calculated, you are in - if the codes don't match you aren't.

To the OP - for that reason, that they aren't really stored anywhere and the bank isn't going to give a call center person the formula to figure it out, you will need to order a new card to get the code - then you can destroy it.

Actually, the CVV code is derived from the account number itself - if you know the extremely complex and extremely secretive formula you can take any sixteen digit Visa or Mastercard account number and extrapolate the CVV number.

So the bank isn't "storing" the number, they are running a formula against the card number to come up with the value - if the value you enter matches the one they calculated, you are in - if the codes don't match you aren't.

To the OP - for that reason, that they aren't really stored anywhere and the bank isn't going to give a call center person the formula to figure it out, you will need to order a new card to get the code - then you can destroy it.

How does Capital One illegally storing CVV2 codes? They are the ones who issue it, doesn't it make sens that they already have a databse of what credit card number is connected with what code?

Sal Just about every Card Company (Credit Card) has the 3 digit security code or something similier to stop theft, and so many other non Credit Carfs may have some form of code to enter.
..................
To the Creator of the ripoff, You need a Current CapitalOne credit Card that is ACTIVE to sign up online as I have a CapitalOne Card and am signed up for online tracking via their site. IT is only for Capitalone Cards...

You can cut up the CC cards, however it may be no good offline where the Card needs to be swiped at a machine. If you mainly shop online, or only use the Credit Card for that you need to remember BOTH the CC number and the 3 digit code as many sites do require it, and some don't, I just bought PALM Pilot software at two sites that don't require the CC 3 digit Code . (I don't have my CC cut up, however I have both my CC number and 3 digits, rememberized).

Sal, your post mentions that CCV2s are "sent electronically to the card-issuing bank to verify its validity." How is Capital One "illegally storing" these codes when THEY are the card-issuing bank that verifies the codes' validity?

If your copy-and-paste job didn't really mean that card-issuing banks verify the CCV2 for merchants (and therefore must have a database to do so), but rather that Visa Intl/MC Intl/AmEx keep the database and do the verifying, how do you know that the card-issuers don't utilize the system for their anti-fraud measures (like during website registration) that merchants do?

Please provide a source (link, etc.) which definitively states that it is against the law for card-issuing banks to keep a database of their CCV2s -- the very database that is used to verify the validity of their CCV2s, that is.

Also, please provide a source that definitely says that it is against the law for card-issuing banks to utilize CCV2s for their anti-fraud measures.

(These sources should be of actual laws, not from Visa/MC/AmEx's own policy books, since you're saying these things are illegal.)

Security Panel Code is another word for "Capital One" makes their own rules and does not have to comply with the consumer protection specifications from VISA.

Ex-Employee needs to stop reading Capital One documentation and believing that it is gospel when in reality it is a fraud.

One more layer of security from Visa

Also known as the Cardholder Verification Value or, CVV2, these three numbers help ensure that the physical card is in the cardholder's possession while shopping online or by phone, helping to prevent unauthorized or fraudulent use.

Where can I find it?

The 3-digit code is located on the back of your card, inside the signature area. Typically the signature panel will have a series of numbers, but only the last three digits make up the CVV2 code.

What does it do?

It's actually more about what it prevents. When shopping online or over the phone, the 3-digit code helps merchants ensure that the card is in the right hands. Merchants will request the CVV2 at checkout from the cardholder, and the information is sent electronically to the card-issuing bank to verify its validity. Within seconds the CVV2 results are returned with authorization. If it's returned invalid, merchants have the right to stop the transaction.

And for your added protection, merchants are prohibited from keeping or storing the CVV2 number after the transaction has been completed.

Your so called "Security Panel Code" is illegal. Logging into the Capital One website is not a Merchant Transaction and by storing the code in a database, Capital One has invalidated the whole purpose for the codes existance.

For this reason, it is obvious that Capital One asks for this so called "Security Panel Code" in order to further frustrate consumers who no longer have their card. Even worse, they try to get you to get a new card when because of their illegal behavior, they could just read to you the CVV2 code they illegally stored in their database. They could also give the CVV2 to an affiliate to make a charge on your card or charge an unauthorized payment on your card which according to VISA policy has been validated by the consumer because only they are supposed to have the CVV2 code.

Further Proof Capital One are a bunch of Crooks!!

The three-digit code on the back of your card is called the Security Panel Code. It's an additonal way to help protect your account from fraud, and is often used by credit card companies and merchants alike. Every so often I order pizza online from Papa John's, and even THEY require the SPC when I submit my order! It's not a big deal.

You have two choices:

1) Don't get a new card and thus don't get the information which enables you to access your Capital One account online; or

2) Get a new card from Capital One issued to you, register online with the necessary information, then cut up your card.

You don't have to keep the card if you don't want to. But you DO need the information that's on a current card in order to use the online service. It's as simple as that. The choice is yours.