Card Verification Values: Why They Exist & What They’re For
Imagine that you’re shopping online. You fill your cart, then navigate to checkout.
The seller asks for your credit card number, your billing address… as well as that three-digit code on the back of your credit card. This code is often referred to as the card verification value, or CVV.
Other names include the card verification code (CVC), the card security code (CSC), or simply the “three numbers on the back” of a credit or debit card. No matter what they’re called, though, these codes all serve an important purpose in the checkout process. Your CVV is a security feature used to prevent fraudsters and criminals from stealing your payment information for unauthorized use.
This article offers a brief primer on CVVs. In the following sections, we discuss what CVVs are, how they work, whether they’re effective, and how they can be improved. We also tackle specific issues about CVVs from both a cardholder’s perspective and a merchant’s point of view.
What is a Card Verification Value?
Card Verification Value
[noun] /kard • ver • ə • fə • kā • SHən • val • yo͞o/
A card verification value, or CVV, is a three- or four-digit number that is printed on the signature panel on the back (and occasionally front) of a debit or credit card. It is a security measure meant to stop fraudulent transactions.
CVVs primarily exist as a security measure to protect card-not-present (CNP) transactions. This covers all purchases made remotely, without the presence of either the buyer or their payment method at the point of sale (POS).
The logic is straightforward. Regulations prohibit CVVs from being stored on a browser or in a merchant’s database. So, if a buyer can successfully enter the card’s CVV, then it stands to reason that they probably have the card in question in their hand when making a purchase.
This security feature deters fraudsters from using payment card information leaked in sensitive data breaches. If unauthorized users know they can’t complete a transaction without a card’s CVV, they’ll be less likely to attempt a fraudulent transaction.
Where is the CVV Located on a Credit or Debit Card?
Card verification values are usually located on the back of a credit or debit card. Visa, Mastercard, and Discover cards all feature three-digit CVVs located on the signature panel on the back of the card.
Amex-branded cards buck this trend: they display a four-digit code on the front of the card, rather than the three-digit values that other card networks print on the back.
Despite this difference, CVVs on all cards serve the same basic purpose. CVVs add a layer of security to CNP transactions, and help deter fraudulent activity.
How Do Card Verification Values Work?
We get it. Grabbing your purse or wallet, taking out your card, and typing in a three- or four-digit card verification value every time you make an online purchase may be annoying. But, it helps make transactions a lot more secure.
When you click “Complete Purchase” at the end of the checkout process, the CVV you entered gets sent to the payment processor for validation alongside the card number and expiration date. If the code matches the card issuer's records, the transaction can proceed to authorization.
Here’s a quick rundown of how the process works:
How Do Card Verification Values Help Stop Fraud?
Card-not-present transactions, unfortunately, are more prone to fraud. Neither the cardholder nor the payment method is physically present at the point of sale. This makes it difficult for the merchant to verify the identity of the cardholder or the validity of the transaction.
This is where card verification values come in. CVVs provide an extra layer of security for buyers and merchants who complete CNP transactions.
Like we mentioned before, CVVs can’t be saved on a computer or stored in a merchant’s payments database. Buyers who engage in CNP transactions have to enter a CVV manually every time they wish to make a purchase.
Since CVVs must be entered manually, the reasoning is that buyers who are able to provide the correct CVV when making a purchase must have the physical payment card in their possession. This requirement reduces the risk of fraud and unauthorized use. After all, it’s a lot more difficult for fraudsters to get their hands on physical payment cards than it is for them to steal payment details online.
How Effective are Card Verification Values at Deterring Fraud?
Card verification values serve as a good deterrent against fraudulent card-not-present (CNP) transactions. But, they’re not foolproof.
For example, fraudsters who manage to steal physical payment cards can still make unauthorized purchases, as the CVV will be printed on the card. In other words, while CVVs essentially ensure that the buyer has a payment card in their physical possession, they do not guarantee that the card actually belongs to the buyer.
Other tools should be deployed in tandem with CVVs to further enhance the security of a transaction. Take the Address Verification service, or AVS, for example. This service checks the address inputted by the buyer in the checkout form against the cardholder’s address on file with the credit or debit card’s issuing bank.
Innovations in Card Verification Value Technology
Up to this point, we’ve been talking about Card Verification Value 2 (or “CVV2”) technology. This marks it as the second generation of CVV technology.
With the first generation of the technology, the CVV was encoded into the magnetic stripe on the back of payment cards. But, since cards can’t be swiped when making online purchases, CVV1 technology could not address the security concerns inherent in card-not-present (CNP) transactions. That’s why later innovations were needed.
CVV2 Technology: The Present
CVV2, the current generation of CVV technology, solved this problem by decoupling the verification values from the magnetic stripe. Now, CVV2 codes are simply printed on the card.
Astute readers will observe that CVV2 is a technological downgrade from CVV1. This is true… but also intentional.
Fraudsters who find themselves in temporary custody of cards using CVV1 technology—like a cashier gone rogue—can steal a card’s details, including the CVV1, by swiping the card and saving the data. CVV2 technology makes it more difficult to commit this sort of fraud, since CVV2 numbers are neither stored in the card’s magnetic stripe nor on its EMV chip.
This means that fraudsters who wish to steal payment information cannot merely swipe a card. They have to take the step of manually recording each card’s CVV2. This is a time-consuming, tedious method of theft, and it’s more likely to raise suspicion among witnesses and merchants.
CVV3 Technology: The Future
A principal weakness of CVV2 technology is that it relies on printed CVVs that do not change unless the payment method is physically replaced. A fraudster who manages to steal a cardholder’s payment method could run transactions through the stolen card until fraud is finally detected and the card is canceled. Clearly, further innovation was needed.
CVV3 technology, known commonly as dynamic CVVs, addresses this weakness by replacing static CVV with changing values that expire over time.
In effect, CVV3 technology functions very similarly to text- or authenticator app-based two-factor authentication (2FA) technology. The second factor is a proxy code that works like a payment token.
Dynamic CVVs are a notable improvement upon CVV2s because fraudsters can no longer rely on copying a static verification value. A fraudster who gets their hands on a physical card will find themselves out of luck; before they click the purchase button, the CVV3 will have changed.
| CVV1 | CVV2 | CVV3 |
| --- | --- | --- |
| Designed for card-present purchases | Designed for card-not-present purchases | Designed for card-not-present purchases |
| Static; encoded on the card’s magnetic stripe | Static; printed or embossed on the card | Dynamic; new token can be issued for each purchase |
| Automatically retrieved when card is swiped | Manually entered by buyer at checkout | Automatically generates token using 2FA method |
| Can be defeated if card is stolen | Can be defeated if card is stolen | Can’t be defeated by card theft; 2FA factor required |
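The expiring-value behaviour described in this section can be illustrated with a TOTP-style derivation, the same family of scheme authenticator apps use. This is an added example, not code from this article and not any card network's algorithm; the per-card secret, the one-hour window and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60 * 60  # assumed refresh interval for this illustration
DIGITS = 3              # same length as a printed CVV2


def dynamic_code(card_secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Derive the short numeric code for the time window containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(card_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): the low nibble of the
    # last byte selects which 4 bytes of the MAC become the number.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(card_secret: bytes, submitted: str, unix_time: int,
           step: int = STEP_SECONDS) -> bool:
    """Issuer-side check: accept only the code for the current window."""
    expected = dynamic_code(card_secret, unix_time, step)
    # Compare as bytes in constant time; non-ASCII input simply fails to match.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def windows_accepting(card_secret: bytes, copied_code: str, start_time: int,
                      windows: int, step: int = STEP_SECONDS) -> int:
    """Count how many later windows would still accept a code copied at start_time."""
    return sum(
        verify(card_secret, copied_code, start_time + i * step, step)
        for i in range(1, windows + 1)
    )


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    now = 1_700_000_000                   # constructed sample timestamp
    code = dynamic_code(secret, now)
    print("code now:", code, "accepted now:", verify(secret, code, now))
    print("later windows accepting the copy:", windows_accepting(secret, code, now, 2000))
```

A printed CVV2 would be accepted in every one of those later windows; a three-digit dynamic code still matches about one window in a thousand by chance, so the verifying side also needs attempt limits.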
How Can Cardholders Protect Their CVV?
Cardholders can protect their card verification value in much the same way they protect all their other sensitive financial information.
For starters, do not share credit card numbers — including CVVs — with anyone. If you believe your card details have been compromised, immediately call your issuing bank to request a new card with a different card number and CVV.
When shopping online, be cognizant about the reputation of the merchant. Don’t input your card details or CVVs into websites or online stores that appear untrustworthy or unsafe, and peruse card statements frequently for unknown transactions or other signs of unauthorized activity.
Also, be on the lookout for scams, such as text messaging scams, PayPal scams, or phishing attempts. Don’t send money to individuals who request money from you, unless you are confident that the request is legitimate. In a similar vein, ignore invoices or other requests for payment from vendors or businesses you don’t recognize.
Even if an email or text appears legitimate at first glance, pay extra attention to the sender’s email address, phone numbers, and any hyperlinked URLs. Scammers could be trying to steal your information by impersonating a legitimate business.
How Can Merchants Leverage CVVs to Stop Fraud?
By far the simplest method of deterring card-not-present fraud is to require all customers to input their card verification value at checkout. This ensures that the buyer is physically in possession of the card whose details they are entering.
Next, make sure that you are in compliance with best practices outlined under PCI-DSS standards. This means, for instance, that card verification codes/values must be completely removed from your systems once the checkout process is complete. You can’t hang onto that information.
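One way to enforce the "use it, then remove it" rule in a checkout handler, shown as an added example rather than code from this article or from PCI-DSS. The payload shape, the `authorize` and `store` callables and the spelled-out key names are hypothetical; the short aliases are the names this article lists for the code.

```python
import re

# Key names that denote the card security code. The short aliases are the ones
# this article lists (CVV, CVC, CSC, CAV, CID, CVD); the "2" suffix and the
# spelled-out forms are assumptions about how a checkout form names the field.
# Note that "cid" can collide with unrelated ids; stripping those fails safe.
SECURITY_CODE_KEY = re.compile(
    r"^(cvv|cvc|csc|cav|cid|cvd)2?$|security_?code|verification_?(value|code)",
    re.IGNORECASE,
)


def _is_security_code_key(key) -> bool:
    return bool(SECURITY_CODE_KEY.search(str(key).replace("-", "_")))


def find_security_code_fields(obj, path=""):
    """Return the paths of every security-code field in a nested record."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if _is_security_code_key(key):
                hits.append(here)
            else:
                hits.extend(find_security_code_fields(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_security_code_fields(value, f"{path}[{i}]"))
    return hits


def strip_security_code(obj):
    """Return a deep copy of obj with every security-code field removed."""
    if isinstance(obj, dict):
        return {k: strip_security_code(v) for k, v in obj.items()
                if not _is_security_code_key(k)}
    if isinstance(obj, list):
        return [strip_security_code(v) for v in obj]
    return obj


def handle_checkout(payload, authorize, store):
    """Authorize with the full payload, then persist only the stripped record."""
    result = authorize(payload)            # the code is used once, in memory
    record = strip_security_code(payload)
    record["authorization"] = result
    if find_security_code_fields(record):  # fail closed before anything is written
        raise ValueError("security code present in record to be stored")
    store(record)
    return record
```

`find_security_code_fields` can also be run over already-stored order records or structured log entries to detect codes that were retained by mistake.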
Leveraging CVVs is a good starting point. But, you don’t have to stop there.
Merchants serious about combating fraud should view CVVs as one weapon within a broader arsenal of anti-fraud tools that can all be deployed simultaneously. We mentioned address verification earlier, but that’s just one example. A good multi-layer strategy to manage fraud should also incorporate:
- 3-D Secure 2.0 Technology
- Geolocation
- Proxy Piercing
- Fraud Scoring
…just to name a few.
CVV technology plays a pivotal role in the security of online transactions. It reduces the potential for fraud and assures both customers and merchants that the transaction is legitimate.
As online shopping continues to grow in popularity, robust security measures like CVV verification will remain essential to maintain trust in digital payment systems. With these technologies in place, stakeholders can navigate the complexities of eCommerce with greater confidence, ensuring a safer shopping experience for all.
FAQs
How do I check my Card Verification Value?
If you hold a Visa, Mastercard, or Discover-branded debit or credit card, your three-digit card verification values (CVVs) can be located on the signature panel on the back of the card. CVVs for Amex-branded cards are four digits long and are printed on the front of the card.
Is Card Verification Value the same as security code?
Yes. Card verification values (CVVs) are also known as card security codes (CSCs), card validation codes (CVCs), card authentication values (CAVs), card identification numbers (CIDs), or card verification data (CVD). The name used is dependent on the card brand in question.
What is the Card Verification Value of a credit card?
Card verification values (CVVs) refer to the three-digit numbers printed on the back of a credit card. CVVs on Amex cards are four digits long and are printed on the front of the card. CVVs enhance checkout security and protect both buyers and merchants from unauthorized activity.
How can I get my card verification code?
You can locate your card verification code (CVC) on the signature panel on the back (or in the case of American Express, on the front) of your debit or credit card.
How many digits is a card verification code?
Visa, Mastercard, and Discover-branded debit and credit cards feature three-digit card verification codes (CVCs). American Express-branded payment cards contain four-digit CVCs.
Can I look up my CVV number online?
For security reasons, you typically cannot look up your CVV number online. That said, some issuing banks allow you to view your CVV number online if you create a virtual debit or credit card and link it to your physical card. Other cards, like the Goldman Sachs-issued Apple Card, feature CVV numbers that can be found in your mobile wallet.