CVV2: What’s Next for Card Security Codes?

November 10, 2022 | 15 min read


In a Nutshell

That little 3- or 4-digit number on the back or front of your credit or debit card is a lot more important and complex than you think. In this article, we’ll explain what CVV2 codes are, how they’re used, why they’re important, and what they could be replaced with in the future. We’ll also provide a few tips about CVV2 best practices for both merchants and consumers.

CVV2 vs. Gen-One CVV Technology: What’s the Difference? Does it Actually Work & What's Coming Next?

Technology changes constantly. For some of us, CVV technology still feels relatively new. In reality, though, it’s been in use now for over two decades. 

That three- or four-digit code printed on your credit card was once touted as a simple, yet highly effective solution for card-not-present fraud. Times have changed, though, and CVV codes have had to undergo a few updates over the years to remain current.

So, what exactly is the CVV2 technology we use today? How and why does it remain relevant for consumers and merchants after all this time? Let’s find out.

What is a CVV2 Code?

CVV2

[noun]/cē • vē • vē • tö • kōd/

A CVV2 code is a 3-digit code located on the back of a Visa credit, debit, or prepaid card. The code is used to help verify buyers during a card-not-present transaction. “CVV2” refers to the fact that it is the second-form deployment of CVV (card verification value) technology.

It’s pretty easy for a merchant to validate a cardholder’s identity in a card-present scenario. The buyer and seller are interacting face to face. Plus, authentication data is accessed and communicated by swiping, inserting that card into an EMV reader, or tapping that card against a contactless terminal.

What about a situation where the cardholder isn’t physically present to swipe, insert, or tap their card against an EMV reader, though? How do sellers validate buyers in an online purchase, for example? This is where CVV2 codes come into play.

Common Question: What Does “CVV” Stand for?

The acronym “CVV” stands for “card verification value.” It’s a Visa-specific term for a card security code (CSC). That said, “CVV” is often used in an informal sense to refer to all deployments of CSC technology.


The merchant can ask the buyer to provide the CVV2 code printed on the back of their card during checkout. The point of this is to ensure that the person initiating a purchase with a credit or debit card is in physical possession of the card itself.

These codes are verified using encryption technology during checkout. Although the code is transmitted along with other transaction data, the merchant doesn’t keep copies of CVV2 codes on file. That way, even if the merchant’s stored data is breached, fraudsters can’t obtain this number from it.

In theory, only the cardholder would have access to the CVV2 code. It’s not a foolproof system (as we’ll see later). However, this measure puts more obstacles in a fraudster’s path, helping ensure that a transaction is far less likely to be fraudulent.

What’s the Difference Between CVV1 and CVV2?

We get that this can be confusing. So, we’re going to walk you through it quickly, in terms that are as simple as possible.

The CVV codes commonly used today can be subcategorized into CVV1 and CVV2. There’s also CVV3, but we’ll hold off on discussing that for right now.

When people talk about CVV codes, they’re typically referring to CVV2. This is the security code physically printed or embossed on a credit card. In contrast, CVV1 refers to data that is encoded on the card itself.

A CVV1 number is encoded on tracks one and two of the magnetic stripe of the card in question. It’s used to validate buyers in a card-present transaction, along with a signature. The CVV1 code validates the card, while the signature validates the buyer.

Different Terms for Different Card Networks

To make it even more confusing, each credit card network uses its own terminology regarding card security codes.

We mentioned above that “CVV2” is the Visa-branded deployment of the technology, and is commonly used in an informal sense to refer to all card security codes. However, the official name can change, depending on the card network in question. Other names for CVV2 codes according to each network include:

| Acronym | Branded Name | Associated Brand |
|---|---|---|
| CID | Card Identification Code | American Express |
| CSC | Card Security Code | American Express* |
| CID | Card Identification Number | Discover |
| CAV | Card Authentication Value | JCB |
| CVC | Card Validation Code | Mastercard |
| CVN | Card Validation Number | UnionPay |

* Used in reference to the three-digit 3CSC number on the card back, as opposed to the four-digit number on the card front.

All these terms refer to the same basic technology. However, it seems none of the networks could agree on which term they like best. And, as we saw, some even use multiple terms to refer to different deployments of the same basic CVV2 technology.

Where Do I Find My CVV2 Code?

As we mentioned above, each card network has its own method for pretty much everything, so it stands to reason that the same should be true for CVV2 codes. 

Here is a tidy list of card security codes and their locations for some of the major card networks:

| Associated Brand | Digits | Location |
|---|---|---|
| American Express | 4 | On the front of the card, to the right of the card number |
| Discover | 3 | On the back of the card, to the right of the signature box |
| JCB | 3 | On the back of the card, above the signature box |
| Mastercard | 3 | On the back of the card, to the right of the signature box |
| UnionPay | 3 | On the back of the card, to the right of the signature box |
| Visa | 3 | On the back of the card, to the right of the signature box |

So to clarify, when you refer to a card security code as a CVV2 code, you’re referring specifically to a Visa card security code. But, it’s pretty common to see CVV2 used as a general term, regardless of the brand.

Why Are CVV2 Codes Still Necessary?

Programming CVV codes into the magnetic stripe on the back of credit cards meant it could only be read when swiped. That worked great for a few years. However, it didn’t take long for scammers to come up with ways to duplicate and reprogram the data on those magnetic stripes.

The trouble with this method was that there was no way to differentiate between legitimate cards and fakes. The static information loaded onto the magnetic stripe on each card could easily be spoofed or used without alerting the card reader.

Also, because the code couldn’t be read physically, there was no way to provide it to a merchant as part of a card-not-present purchase. This became more and more of a problem as eCommerce became a major shopping channel.


CVV technology needed to evolve. Thus, the CVV2 code was born.

As of the EMV liability shift, CVV codes are neither encoded nor embossed on the card. Rather, they’re printed directly on the card. This makes it much more difficult for fraudsters to use or copy the security code, protecting both consumers and merchants from potential acts of fraud.  

CVV2 codes can also help merchants fight back against illegitimate chargebacks and friendly fraud. Verifying a buyer’s CVV2 code can’t protect you from every chargeback or act of first-party fraud. However, it does provide evidence that the customer authorized the sale in question because they would need to have the card in-hand to enter the code.

Does CVV2 Technology Actually Work?

As with many other antifraud tools like geolocation and fraud scoring, the answer is “yes,” but with a few caveats.

CVV2 codes help prevent criminal fraud, but they still have limitations. This is particularly true when it comes to protecting merchants. While requiring card security codes for every CNP transaction is a necessary practice, it doesn’t fully eliminate the risk posed by fraud. 

Take friendly fraud, for instance. Illegitimate chargebacks can happen regardless of a merchant’s fraud prevention efforts. This is because friendly fraud is a post-transactional threat that only occurs after a transaction has been finalized. Another point to make is that friendly fraud isn’t always malicious. It can be accidental in many cases.

CVV2 technology cannot prevent revenue loss resulting from any of these issues, either:

Lost or Stolen Cards

CVV2 codes can only help merchants verify that the person on the other end of a transaction has physical possession of the credit card. If a fraudster gains possession of the card, though, they'll have the code in plain sight. They can then use the information from the stolen card to make unauthorized purchases.

Family Fraud

Friends and family members may have the necessary information to make unauthorized purchases. In these cases, the cardholder might then incorrectly dispute the transaction because they don’t understand that these are still legitimate transactions.

Unrecognized Charges

Cardholders are encouraged to dispute any charges on their statements that they don’t recognize. However, a user may have made a legitimate transaction, but might still dispute the charge because they can’t recognize it on their statement based on the merchant’s descriptor.

Cyber Shoplifting

Recording the CVV might not be enough to stop a user from intentionally making a purchase and filing a chargeback later to “get something for free.” This is a practice known as cyber shoplifting.

For merchants, consistent use of CVV2 codes will almost certainly lower the overall number of chargebacks filed against them. However, merchants can’t rely on this fraud protection mechanism as their sole chargeback defense.

CVV3: The Future is Already Here

As we alluded to at the top of this post, CVV2 is not the end of the progression for this technology. CVV3 does exist, and it is already in use today.

Mobile wallet technology is growing at a rapid pace. Apps like Apple Pay and Google Pay aim to capitalize on EMV principles while incorporating biometric and GPS data to verify users in real-time.

In practice, every time a user initiates a purchase via a mobile wallet application, the app generates a dynamic security code (also known as a cryptogram or CVV3 token). This is similar to, but still not to be confused with, dCVV cards.

This CVV3 token is essentially a proxy security code that works to verify users in real-time and on-the-go. This technology can take the place of conventional CVV2 codes. Tokenization technology provides up-to-the-moment location data that can prove even more difficult for fraudsters to mimic because codes are randomized or changed on an hourly basis. As a result, it’s generally considered more secure than traditional card security codes.

Physically printed CVV2 codes will continue to be relevant for some time to come. Eventually, though, the tokenization software included with CVV3 codes might replace the need for these codes.

Consumer Tips: Keep Your CVV2 Safe

Keeping CVV2 codes safe should be a priority for every consumer. Although the card networks work around the clock to ensure that consumers are protected from fraud whenever possible, it’s still a great idea to take every opportunity to protect oneself. 

Here are a few tips for consumers to keep their information safe — both online and everywhere else:

Never save your card information online

Don’t click “save this card for future purchases” unless you are 100% sure that the seller is secure and trustworthy.

Get a password manager

Sign up for a password manager program like 1Password or LastPass to protect yourself from cyberthieves and hackers and keep your accounts secure. This can also help you limit the need to remember so many passwords.

Monitor your credit reports

Check your credit reports on a regular basis. You’re entitled to a report from each of the three reporting bureaus (Equifax, Experian, and TransUnion) each year. Look for signs of fraud or identity theft, like accounts in your name that you never opened.

Review your bills and statements

Keep an eye on your account activity. You’re protected from liability for credit and debit card fraud, but that protection is time-sensitive. If it goes unreported, you might end up covering more of the losses (up to and including the full amount).

Register for regular account alerts

Get account alerts through your bank, credit card, or credit union. You’ll be notified of suspicious activity in advance of transaction completion, giving you time to review the charge and even freeze your account before the transaction goes through.

Avoid phishing attacks

One of the most common ways consumer accounts are targeted by fraudsters is through phishing links. You should never click an email link unless you can verify the sender first. You can even try calling a sender to inquire if any information is required. Don’t click any links that are emailed to you unless you know they are coming in advance.

We suggest that cardholders take their security seriously. For example, merchants that don’t require the code may be less secure than others, so buyers should be more wary of these sellers. Think about the extra step of entering a CVV2 security code as a positive step, rather than an added hassle. 

Merchant Tips: CVV2 Best Practices

Merchants also have a lot to consider when it comes to card security codes.

Sellers want to instill customer confidence in their fraud prevention efforts. That doesn’t have to come at the cost of sacrificing a pleasant shopping experience, though, or of seeing more false declines and chargebacks.

This is a delicate dance. Merchants must perform the maneuver perfectly to keep customers safe and revenue rolling in. To give merchants the best chance of success, here are a few best practices that could improve security without impacting customer satisfaction:

Don’t store CVV2 data

CRM and marketing software should be limited only to the most general data about your customers. Never save private security information like passwords or card security codes.

Keep software up-to-date

Set automatic updates whenever possible. If automatic updates aren’t possible, consider switching to a self-updating POS and CRM management system. New threats develop daily, and out-of-date software is a data breach waiting to happen.

Secure your site

The best way to help fight fraud and protect your customers is to operate from a secured website. Make sure that your eCommerce platform utilizes an HTTPS interface. Never manually enter customer data into an unsecured terminal or computer.

Use additional fraud tools

Never rely on just one method for fraud prevention. CVV2 codes are best used in conjunction with other fraud prevention tools like AVS, velocity limits, geolocation, and others. Every fraud tool you opt for should be backed by fraud scoring to verify transactions in real-time.

Prioritize customer service

We can’t stress enough the value of the customer journey. Making sure your customers have available solutions at their discretion at all times goes a long way to diversifying your fraud and chargeback prevention efforts. If a customer feels they can reach out and ask about your security measures, they are more likely to purchase from you with confidence.
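One way to apply the “Don’t store CVV2 data” tip together with the digit counts from the brand table earlier in the article, shown as an added example that is not the author’s or any payment processor’s code. The order layout, the `authorize` and `store` callbacks, and the `security_code` field name are assumptions, and the sample order is constructed.

```python
import re

# Digits per brand, taken from the table earlier on this page.
CODE_LENGTH = {
    "american express": 4, "discover": 3, "jcb": 3,
    "mastercard": 3, "unionpay": 3, "visa": 3,
}

# Field names that may carry the security code. The acronyms come from the
# page; "security_code" and the record layout below are assumptions.
SENSITIVE_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "csc", "cav", "cvn",
                  "security_code"}


def code_format_ok(brand, code):
    """Format check only; the issuer decides whether the code is correct."""
    expected = CODE_LENGTH.get(brand.strip().lower())
    if expected is None or not isinstance(code, str):
        return False
    return re.fullmatch(r"[0-9]{%d}" % expected, code) is not None


def scrub(value):
    """Copy a nested dict/list, dropping every security-code field."""
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()
                if str(k).lower() not in SENSITIVE_KEYS}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def handle_checkout(order, authorize, store):
    """Send the code to the processor once; persist only a scrubbed record."""
    card = order["card"]
    if not code_format_ok(card["brand"], card.get("cvv2")):
        return {"status": "rejected", "reason": "bad_security_code_format"}
    result = authorize(order)      # the only place the code is used
    record = scrub(order)
    record["auth"] = scrub(result)
    store(record)                  # database row, CRM export, log line...
    return {"status": result["status"]}


def demo():
    """Constructed order, stand-in processor and in-memory store."""
    stored, seen_by_processor = [], []
    order = {"id": "ORD-1", "items": [{"sku": "A1", "qty": 1}],
             "card": {"brand": "Visa", "last4": "0000", "cvv2": "123"}}
    def authorize(o):
        seen_by_processor.append(o["card"]["cvv2"])
        return {"status": "approved", "cvv_check": "match"}
    outcome = handle_checkout(order, authorize, stored.append)
    return outcome, stored, seen_by_processor
```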

Multi-Layered Strategies Win

CVV2 codes are important criminal fraud protection mechanisms. However, they’re only really effective when implemented as part of a larger, multi-tiered chargeback management strategy.

Requesting CVV2 codes for card-not-present transactions is one step towards preventing fraud. It shouldn’t be a merchant’s only prevention method, though. Businesses need to combine traditional fraud prevention techniques with a comprehensive chargeback management plan to maximize their efforts. 


FAQs

What is the difference between CVV and CVV2?

CVV codes can be subcategorized into CVV1, CVV2, and CVV3. CVV1 refers to the data stored on the card that is transmitted when a consumer swipes their card. In contrast, CVV2 refers to the security code printed on a credit or debit card.

Where do you find your CVV2 code?

The CVV2 code is a 3- or 4-digit code typically printed on the back of your credit or debit card, near the signature box. For Amex cards, the code will be printed on the front of the card.

What does CVV2 stand for?

CVV2 is an acronym that means “Card verification value 2.” Although “CVV2” refers specifically to the Visa-branded deployment of the technology, the term is commonly used in an informal sense to refer to all card security codes. 

Do all credit cards have a CVV2 code?

Yes. Depending on the card network, though, they could be referred to by different terminology. For Visa and most Mastercard cards, it’s either a CVV2 code or a CVC2 code. CID and CSC refer to Discover and Amex, respectively.

Do I need to provide my CVV2 code if asked?

Yes, and for good reason. It helps merchants and financial institutions verify your identity when using a card. It helps them tell if a transaction gets submitted by a fraudster posing as you.

Do I need to collect customers' CVV2 codes?

Merchants may be required to collect CVV2 codes from cardholders by their acquirer. However, even if it’s not a requirement, merchants should always validate a user’s CVV2 code as part of a card-not-present transaction.

Does CVV2 actually work?

Yes, but CVV2 codes are only one piece of the fraud puzzle. For the best and most comprehensive fraud and chargeback protection, it’s wise to pair the use of fraud tools like CVV2 with best practices, additional fraud tools, and effective chargeback management where necessary.
