CVV2 vs. Gen-One CVV Technology: What’s the Difference? Does it Actually Work & What's Coming Next?
Technology changes constantly. For some of us, CVV technology still feels relatively new. In reality, though, it’s been in use now for over two decades.
Card verification values were invented by Equifax in 1995 as a way to secure fraud-prone credit card transactions. In the 30 years since, these three- or four-digit security codes have undergone both subtle and more visible changes, all designed to make transactions less vulnerable to third-party fraud.
But how exactly does this technology work? And, what’s changed over the last three decades?
Recommended reading
- Card Security Codes: How They Protect Consumers & Merchants
- The Top 10 Fraud Detection Tools You Need to Have in 2025
- ECI Indicators: How to Understand 3DS Response Codes
- How Digital Footprint Analysis Works: A Guide for Merchants
- How Link Analysis Works: Data Points & Best Practices
- Credit Card Fraud Prevention: A Gameplan for Businesses
What is a CVV2 Code?
- CVV2
A CVV2 code is a 3-digit code located on the back of a Visa credit, debit, or prepaid card. The code is used to help verify buyers during a card-not-present transaction. “CVV2” refers to the fact that it is the second-form deployment of CVV (card verification value) technology.
[noun]/cē • vē • vē • tö • kōd/
In simple terms, the CVV2 code is the three-digit code printed on the back of a credit card (or, a four-digit code on the front of the card, in the case of American Express).
A seller can ask the buyer to provide the CVV2 code printed on the back of their card during checkout. The point of this is to ensure that the person initiating a purchase with a credit or debit card is in physical possession of the card itself.
How Does CVV2 Technology Work?
CVV2 codes are verified using encryption technology during checkout. Although the code is transmitted along with other transaction data, the merchant doesn’t keep copies of CVV2 codes on file.
PCI security standards prohibit merchants from storing CVV2 codes, so these codes are unobtainable, even in a data breach. In theory, the only way a buyer can know a card’s CVV2 is if they are physically in possession of it.
Banks deploy backend fraud detection tools to validate each purchase. Online transactions will only receive authorization if a payment method’s card number, billing address, card expiration date, and CVV2 all match the information on file with the bank.
It’s not a foolproof system (as we’ll see later). However, this measure puts more obstacles in a fraudster’s path, helping ensure that a transaction is far less likely to be fraudulent.
Learn more about card security codes
What’s the Difference Between CVV1 and CVV2?
A CVV1 is not visible. Rather, it is encoded into a card’s magnetic stripe and used to secure in-person transactions. On the other hand, a CVV2 is a three- or four-digit number printed on the front or back of a card that’s used to safeguard online transactions.
We get that this can be confusing. So, we’re going to walk you through it quickly, in the simplest terms possible.
When people talk about CVV codes, they’re typically referring to CVV2. This is the security code physically printed or embossed on a credit card.
In contrast, a CVV1 number is encoded on tracks one and two of the magnetic stripe on the back of the card. It’s used to validate buyers in a card-present transaction, along with a signature. The CVV1 code validates the card, while the signature validates the buyer.
Programming CVV codes into the magnetic stripe on the back of credit cards meant it could only be read when swiped. That worked great for a few years. But, the static information loaded onto the magnetic stripe on each card could easily be spoofed or used without alerting the card reader.
Also, because the code couldn’t be read physically, there was no way to provide it to a merchant as part of a card-not-present purchase. This became more and more of a problem as eCommerce became a major shopping channel.
Different Terms for Different Card Networks
CVV, CID, CSC, CAV, CVC, and CVN are all brand-specific acronyms that refer to the same card security code technology.
To make it even more confusing, each credit card network uses its own terminology regarding card security codes.
We mentioned above that “CVV2” is the Visa-branded deployment of the technology, and is commonly used in an informal sense to refer to all card security codes. However, the official name can change, depending on the card network in question. Other names for CVV2 codes according to each network include:
| Acronym | Branded Name | Associated Brand |
| CID | Card Identification Code | American Express |
| CSC | Card Security Code | American Express* |
| CID | Card Identification Number | Discover |
| CAV | Card Authentication Value | JCB |
| CVC | Card Validation Code | Mastercard |
| CVN | Card Validation Number | UnionPay |
* Used in reference to the three-digit 3CSC number on the card back, as opposed to the four-digit number on the card front.
All these terms refer to the same basic technology. However, it seems none of the networks could agree on which term they like best. And, as we saw, some even use multiple terms to refer to different deployments of the same basic CVV2 technology.
Where Do I Find My CVV2 Code?
On Visa, Mastercard, Discover, and UnionPay cards, the CVV2 is located on the back of the card, to the right of the signature box. On JCB cards, the CVV2 can be found on the back of the card, above the signature box. Meanwhile, CVV2s on American Express cards are printed on the front of the card, to the right of the card number.
As we mentioned above, each card network has its own method for pretty much everything, so it stands to reason that the same should be true for CVV2 codes.
Here is a tidy list of card security codes and their locations for some of the major card networks:
| Associated Brand | Digits | Location |
| American Express | 4 | On the front of the card, to the right of the card number |
| Discover | 3 | On the back of the card, to the right of the signature box |
| JCB | 3 | On the back of the card, above the signature box |
| Mastercard | 3 | On the back of the card, to the right of the signature box |
| UnionPay | 3 | On the back of the card, to the right of the signature box |
| Visa | 3 | On the back of the card, to the right of the signature box |
So to clarify, when you refer to a card security code as a CVV2 code, you’re referring specifically to a Visa card security code. But, it’s pretty common to see CVV2 used as a general term, regardless of the brand.
CVV2 Storage Rules & PCI Compliance
Storing CVV2 data — whether encrypted or not — is entirely prohibited by PCI compliance requirements. You could face serious consequences for violating this rule.
You’re allowed to keep card information on file, provided you get authorization from the cardholder to do so. However, Requirement 3.2.of the PCI Security Standards Council’s Data Security Standards expressly prohibits you from storing CVV2s after a transaction is authorized. It doesn’t matter if the purchase is recurring, or if you plan to retain the data in a tokenized or encrypted format.
This standard is intentionally strict. It ensures that a card’s CVV2 avoids compromise, even if you suffer a cyberattack or data breach.
Merchants who skirt the rules can expect strict sanctions. PCI-DSS noncompliance can result in account closure or even placement on the MATCH list, an industry-wide blacklist that effectively bars merchants from payment processing services as long as noncompliance persists.
You can be removed from the MATCH list if you were added using MATCH reason code 12 (PCI-DSS Noncompliance), but have since become PCI compliant. But, you’d still need to work with your acquirer to do this. And, removal is at the bank’s discretion, even if you’re no longer out of compliance.
This is just the start. Payment processors, for instance, may sanction sellers for PCI-DSS noncompliance. Egregious violations that cause widespread harm may result in five- or even six-figure fines. You may also get hit with civil lawsuits from angry cardholders eager to recover damages for unauthorized activity or identity theft.
It’s pretty easy to avoid these catastrophic fines, though: just don’t store CVV2 data after a purchase.
Use secure payment gateways that automatically purge security codes after authorization, and conduct regular database and PCI compliance audits to make sure that you do not inadvertently have prohibited data on file. In addition, encrypt all card information (like card numbers. expiry dates, and billing addresses) that you’re allowed to keep on hand; do not store sensitive or personally identifying information in plain text.
Why Are CVV2 Codes Still Necessary?
It didn’t take long for scammers to come up with ways to duplicate and reprogram the data encoded on credit card magnetic stripes. CVV technology needed to evolve. Thus, the CVV2 code was born.
As of the EMV liability shift, CVV codes are neither encoded nor embossed on the card. Rather, they’re printed directly on the card. This makes it much more difficult for fraudsters to use or copy the security code, protecting both consumers and merchants from potential acts of fraud.
CVV2 codes can also help merchants fight back against illegitimate chargebacks and friendly fraud. Verifying a buyer’s CVV2 code can’t protect you from every chargeback or act of first-party fraud. However, it does provide evidence that the customer authorized the sale in question because they would need to have the card in-hand to enter the code.
Does CVV2 Technology Actually Work?
Yes. CVV2 codes help prevent some card-not-present fraud attacks. However, they can’t prevent all fraud; attacks resulting from lost or stolen cards, family fraud, and other tactics are still possible.
As with many other antifraud tools like geolocation and fraud scoring, the answer is “yes”... but with a few caveats. CVV2 codes help prevent criminal fraud, but they still have limitations.
Take friendly fraud, for instance. Illegitimate chargebacks can happen regardless of a merchant’s fraud prevention efforts. This is because friendly fraud is a post-transactional threat that only occurs after a transaction has been finalized. Another point to make is that friendly fraud isn’t always malicious. It can be accidental in many cases.
CVV2 technology cannot prevent revenue loss resulting from any of these issues, either:
For merchants, consistent use of CVV2 codes will almost certainly lower the overall number of chargebacks filed against them. However, merchants can’t rely on this fraud protection mechanism as their sole chargeback defense.
CVV3: The Future is Already Here
CVV2 is the most widely used form of CVV technology on the market today, but new technologies are already emerging.
Mobile wallets like Apple Pay and Samsung Pay, for instance, fuse the security principles behind CVV2 with other measures like biometrics and geolocation capabilities. The mobile wallet app generates a unique security code, known as a cryptogram or CVV3 token, every time a buyer uses a phone to initiate a purchase.
This CVV3 token is essentially a proxy security code that works to verify users in real-time and on-the-go. This technology can take the place of conventional CVV2 codes. Tokenization technology provides up-to-the-moment location data that can prove even more difficult for fraudsters to mimic because codes are randomized or changed on an hourly basis. As a result, it’s generally considered more secure than traditional card security codes.
Dynamic CVV codes, also known as dCVV2 technology, are also beginning to make an appearance on some physical cards. Unlike a static, printed CVV2, a dCVV2 appears on a tiny, digital screen on the back of a card. The values on the screen are programmed to refresh every few hours, so the code is quickly rendered useless even if it falls into the wrong hands.
Other technologies, like full-palm biometric payments, iris scanners, or fingerprint verification methods, could replace card verification values altogether. Some laptops already have built-in scanners that allow buyers to verify themselves and authorize online purchases using their fingerprints in lieu of CVVs. For this reason, it’s plausible that tomorrow’s CNP transactions could be secured by more secure inherence factors rather than less-secure knowledge or ownership security factors.
We suggest that cardholders take their security seriously. For example, merchants that don’t require the code may be less secure than others, so buyers should be more wary of these sellers. Think about the extra step of entering a CVV2 security code as a positive step, rather than an added hassle.
CVV2 Security Best Practices for Merchants
Merchants also have a lot to consider when it comes to card security codes.
Sellers want to instill customer confidence in their fraud prevention efforts. That doesn’t have to come at the cost of sacrificing a pleasant shopping experience, though, or of seeing more false declines and chargebacks.
This is a delicate dance. Merchants must perform the maneuver perfectly to keep customers safe and revenue rolling in. To give merchants the best chance of success, here are a few best practices that could improve security without impacting customer satisfaction:
Don’t store CVV2 data
CRM and marketing software should be limited only to the most general data about your customers. Never save private security information like passwords or card security codes.
Keep software up-to-date
Set automatic updates whenever possible. If automatic updates aren’t possible, consider switching to a self-updating POS and CRM management system. New threats develop daily, and out-of-date software is a data breach waiting to happen.
Secure your site
The best way to help fight fraud and protect your customers is to operate from a secured website. Make sure that your eCommerce platform utilizes an HTTPS interface. Never manually enter customer data into an unsecured terminal or computer.
Use additional fraud tools
Never, rely on just one method for fraud prevention. CVV2 codes are best used in conjunction with other fraud prevention tools like AVS, velocity limits, geolocation, and others. Every fraud tool you opt for should be backed by fraud scoring to verify transactions in real-time.
Prioritize customer service
We can’t stress enough the value of the customer journey. Making sure your customers have available solutions at their discretion at all times goes a long way to diversifying your fraud and chargeback prevention efforts. If a customer feels they can reach out and ask about your security measures, they are more likely to purchase from you with confidence.
Multi-Layered Strategies Win
CVV2 codes are important criminal fraud protection mechanisms. However, they’re only really effective when implemented as part of a larger, multi-tiered chargeback management strategy.
Requesting CVV2 codes for card-not-present transactions is one step towards preventing fraud. It shouldn’t be a merchant’s only prevention method, though. Businesses need to combine traditional fraud prevention techniques with a comprehensive chargeback management plan to maximize their efforts.
Ready to take your chargeback defense to the next level? We can help. Call us today for your FREE ROI analysis.
FAQs
What is the difference between CVV and CVV2?
CVV codes can be subcategorized into CVV1, CVV2, and CVV3 respectively. CVV1 refers to the data stored on the card that is transmitted when a consumer swipes their card. In contrast, CVV2 refers to the security code printed on a credit or debit card.
Where do you find your CVV2 code?
The CVV2 code is a 3- or 4-digit code typically printed on the back of your credit or debit card, near the signature box. For Amex cards, code will be printed on the front of the card.
What does CVV2 stand for?
CVV2 is an acronym that means “Card verification value 2.” Although “CVV2” refers specifically to the Visa-branded deployment of the technology, the term is commonly used in an informal sense to refer to all card security codes.
Do all credit cards have a CVV2 code?
Yes. Depending on the card network ,though, they could be referred to by different terminology. For Visa and most Mastercard cards, it’s either a CVV2 code, or a CVC2 code. CID and CSC refer to Discover and Amex, respectively.
Do I need to provide my CVV2 code if asked?
Yes, and for good reason. It helps merchants and financial institutions verify your identity when using a card. It helps them tell if a transaction gets submitted by a fraudster posing as you.
Do I need to collect customers' CVV2 codes?
Merchants may be required to collect CVV2 codes from cardholders by their acquirer. However, even if it’s not a requirement, merchants should always validate a user’s CVV2 code as part of a card-not-present transaction.
What does declined CVV2 mean?
A declined CVV2 or declined CID code occurs when the card verification values (CVVs) you entered at checkout did not match the values on file with your issuer. To resolve the error, enter the correct CVV2 code and attempt the transaction again.
Is it safe to give a CVV number over the phone?
Yes, it’s generally considered safe to give out a CVV number over the phone to a legitimate, established business.
