What is a CVV? CVV stands for “Card Verification Value” and is a security feature found on most credit and debit cards. The CVV is a three or four-digit security code printed on credit and debit cards. The code is used as an added security measure for card-not-present transactions – such as an online or telephone-based payment. For card-present transactions, the CVV is not used. Since CVV was introduced, it has helped to greatly reduce incidents of online, phone, and mail order credit card fraud.
CVVs, also commonly known as CVC, CSC, CVD, or CINs depending on the card company, were created and implemented in the late 1990s and early 2000s. The creation of CVV was in direct response to the rise of online shopping. With online shopping came an increase in online credit card fraud creating the need for increased security to protect cardholders. The original concept for the CVV was created in the UK by Michael Stone, an employee of Equifax. At first, it was an 11 digit number but was quickly reduced to a more reasonable 3-4 digit code. In 1997 MasterCard® was the first company to implement CVVs on their credit and debit cards. In 1999 American Express® implemented CVV followed by Visa® in 2001.
The card security codes for MasterCard®, Visa®, Discover®, and JCB® are usually located on the back of the card, to the right of the signature space, and are a group of 3 numeric digits. The American Express® CVV is a group of 4 numeric digits printed on the front face of the card above and to the right of the card number.
Each card company has their own preferred name for their version of a card security code. Below are a list of card security code names, what each stands for, and which card brands use them.
“CVV2” – Card Verification Value 2 – Visa®
“CVC” – Card Verification Code – MasterCard®
“CVC2” – Card Validation Code 2 – MasterCard®
“CVD” – Card Verification Data – Discover®
“CID” – Card Identification Number – Discover® and American Express®
“CVN2” – Card Validation Number 2 – China Union Pay®
“CSC” – Card Security Code – American Express®
Technically one or the other is used in a transaction. The CVV1 is a code embedded in the second track of the credit or debit card’s magnetic strip. During swipe transactions, the CVV1 is read by the credit card machine or swiper. The CVV2 is used when the card is not able to be swiped such as in phone or online orders. Since the CVV1 cannot be read, in such situations, the cardholders are asked to supply the CVV2 number.
Per the ‘Payment Card Industry Data Security Standard (aka PCI DDS) regulations, CVV2 data must not be held in any payment system database after a transaction is complete. This is a cornerstone to why CVV security works. Because CVV information cannot be stored, if the database is comprised the card data stored within is less useful to fraudsters. This not only protects from online hackers but also protects the cardholder from fraudulent merchants or employees.
The other main security benefit is the obvious one; In card-not-present transactions, requiring the CVV helps to verify that the physical card is in the possession of the customer performing the transaction.
No, a CVV is different from a card PIN. PIN stands for “Personal Identification Number” and is the secret passcode the cardholder sets for their debit cards. During a “card-present” transaction, the PIN is required as a security measure to ensure the customer is the owner of the card. On the other hand, the CVV is a 3-4 digit security code printed on the back of the card and is used as added security in “card not present” transactions.
Dynamic CVV is a new system in which a card will have a tiny screen that displays the CVV code rather than being printed on the card. The card will change the security number every 30 to 60 minutes for the life of the card – usually 3 or 4 years. The screen will be similar to popular e-reader screens that only require energy to change the displayed numbers and none to keep them displayed. In this way, the system will have extremely low energy requirements. This is a proposed future technology that does not have firm adoption dates but is likely to be implemented in the next few years.
The CVV system provides an enhanced layer of security for credit card processing transactions. Since CVV isn't allowed to be stored, per data security and PCI DSS compliance, it is less likely to be part of online data breaches. However, that doesn't mean that CVV codes can't be intercepted, stolen, and misused online. It is imperative to protect your data and to never input your CVV code on websites you aren't sure you can trust. Treat your CVV number as secure data and protect it with the same level of security you would apply to account numbers and other personal information. If your CVV security code were to become compromised, it may make the transaction seem more legitimate to an unsuspecting merchant.
American Express is different but also has CVV codes for additional security. Instead of a 3 digit CVV on the back of the card, Amex has a 4 digit CVV value on the front of the card just above the account number on the right. CVV is an important security measure for American Express cards, and users should protect the 4 digit Amex CVV code the same way they would protect a 3 digit CVV code on Visa, MasterCard, or Discover.
When you're checking out online, you have no doubt been prompted to enter the Card Verification Value, or CVV number, as an additional security measure. If you didn't have the number available, you might have tried to guess or you might have tried to remember your CVV number. If you didn't remember correctly, undoubtedly you saw a decline code from the merchant. Since a CVV value is only 3 digits (or 4 digits for an American Express CVV), you might think that it is easy to guess. However, submitting multiple transactions with different CVV codes will no doubt set off security alarms with your card issuer as well as the merchant. Three digits might not seem like iron-clad security for a PIN, but it serves as an effective deterrent for fraud on e-commerce transactions. The 4 digit American Express CVV is even more difficult to guess and provides even better security. Per PCI DSS standards, processors can't allow unlimited guesses for CVV values.
Merchants are prohibited from storing the CVV value in any way. The 3 digit CVV for Visa, MasterCard, and Discover, as well as the 4 digit CVV for American Express, must never be stored in any point of sale, terminal, software, or e-commerce system. So what about recurring transactions? The CVV value can be used for the first authorization when a credit card is added to the digital wallet for recurring transactions. The CVV code is no longer required for subsequent transactions on recurring billing, and the absence of the CVV for future billings will not cause any interchange downgrades or declines.
Taking prudent security measures can help safeguard the CVV codes from your credit and debit cards. To help keep your data secure, you should only shop online and enter your CVV with retailers you trust. If you have doubts, see if that merchant offers third-party payment acceptance such as AmazonPay or PayPal. Only shop at e-commerce stores that protect your CVV data with encryption and HTTPS. Be alert for invalid SSL certificates or warnings that might put your CVV data at risk. When paying at a physical store, it is best to keep the card in your sight. Restaurants are one of the prime places that card data and CVV values are stolen. If you have the option to pay at the table on a mobile terminal, or through an app on your phone, that can help safeguard your CVV code. If you are concerned that your CVV value might be at risk, it is best to seek out an ATM to pay cash or to ask for alternative payment options.
CVV is a three-digit code created for added security when paying online or over the phone. It was instituted in the late 1990s in response to the birth of online shopping and fraudulent use of cards online. Though different card brands have different names for the CVV security code, “CVV” is the commonly accepted term for all of them. Next time you enter your credit card info online to make a purchase and you are required to enter your card’s CVV, you will have a full understanding of just how important those 3 tiny numbers really are.