Why don't popular web services mask the CVV?

Most likely answer:

  • They don't have to (it's not a PCI requirement)
  • It's better from a UI/support standpoint

Let's keep this in perspective. This is the number that's printed, on the back of the card, right where minimum-wage cashiers are instructed to visually inspect when performing a POS transaction. Absolute secrecy from physical bystanders is clearly not the intended control for the CSC!

Pay attention rather to the aggressive controls the PCI DSS imposes to ensure it's never stored by anyone in the processing chain. They are not concerned with onesie-twosies being shoulder-surfed, they're concerned with the people who steal credit card databases getting away with the CSC too.


First, it's important to understand that security is not binary. It is not an "on" or "off" concept, but a continuum of risk management options, and each decision comes with a cost. Either the additional cost of controls or mitigation as you move toward the "secure" end of the spectrum, or the cost of exploitation as you accept more risk towards the "insecure" end.

There is nowhere this is more true and more evident than in systems that deal with credit cards. When an entity that deals with credit cards makes a risk decision, there is a trade-off between accepting the cost of fraud when the system is less secure, and accepting the cost of lost revenue when the system is more secure, as users are prevented from making legitimate transactions, either because the system will not let them, or because it becomes harder to use.

So, in any system like this, when you have a question about why something doesn't seem to be as secure as it could be, it's generally safe to assume that the answer is because the cost of fraud due to the choice in question is less than the cost of lost transactions for the more secure alternative. It is shockingly critical to sales that systems be as easy as possible to use, and even small tweaks to usability can have a drastic effect on the number of transactions that are abandoned and never completed.

For the specific aspect in your question, why don't they mask CVVs? It seems to me that the opportunity for additional fraud here is quite low, as the CVV is only one of the pieces of data you'd need in order to commit fraud, and masking it would deal only with the smallest subset of cases where a malicious actor had all of the required data except for the CVV, but could only view the CVV on the screen and not from the card itself, or from the keyboard as it is entered. I suspect that the additional risk of frustrating users who enter the CVV incorrectly and can't tell, while still small, is significantly higher.


If you think about the 'expected' usage, the CVV is simply supposed to mean that you physically have the card (so you can see both sides).

With that starting point, the user will type in the card number from one side, then turn over and type the CVV.

I appreciate that many people will have memorised the CVV and/or 16-digit number, so the assumption above may not be valid, but the expectation is that they will have the card visible to copy the number (unlike a PIN or password which is expected to be stored in their head), so the shoulder-surfer could also see the CVV without much effort.

For my own 'most-used' card, the 16 digits are quite hard to read on the front, the CVV is easier to read from a distance.
