CVV
What is the CVV and how does it protect your card?
The CVV (Card Verification Value) is the 3‑ or 4‑digit verification code printed on credit and debit cards. Its purpose is to authenticate card‑not‑present (CNP) transactions: online, phone or mail‑order purchases where the card is not physically presented.
This code is not stored on the magnetic stripe or the EMV chip. If an attacker clones a card through skimming, they obtain the PAN and expiry date, but not the CVV. This separation makes the verification code the last barrier against ecommerce fraud.
Each payment network uses its own terminology: Visa uses CVV2, Mastercard uses CVC2 and American Express calls it CID. Technically, they all serve the same function.

How the CVV works
The verification flow in an online purchase follows these steps:
- The merchant requests the CVV along with the PAN, expiry date and cardholder name.
- The payment gateway sends the data to the acquirer, which forwards it to the card network.
- The issuer compares the received code with the value stored in its systems and returns a verification result (match, mismatch or not processed).
- If the code does not match, the transaction is rejected before authorization.
There are three types of CVV:
- CVV1 (CVC1): encoded in the magnetic stripe. Automatically read in card‑present transactions. The cardholder never enters it manually.
- CVV2 (CVC2): printed on the back of the card (or front for American Express). This is the code used for online purchases.
- Dynamic CVV: generated through the issuer’s mobile app with a validity of 5 to 10 minutes. Each transaction uses a different code, neutralizing any previously captured data.
PCI DSS v4.0, requirement 3.3.1.2, explicitly prohibits any payment‑processing entity from storing the card verification code after authorization. This applies to databases, transaction logs, debug files and memory dumps.
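The following is an added example, not code from the original page: a merchant-side authorization flow in which the verification code is used once and never persisted, together with a log sanitizer and a detector for codes that have leaked into existing logs. All function names, field names and sample values are constructed for illustration, and the issuer check is a stand-in rather than a real network call.

```python
"""Added example (not part of the original page): a merchant-side
authorization flow in which the verification code is used once and is
never persisted, plus a log sanitizer and a detector for codes that leak
into logs. Function names, field names and sample values are constructed
for illustration; the issuer check is a stand-in, not a real network call."""
import re

# Field names under which sensitive authentication data commonly appears
# in merchant payloads (constructed list; extend it to match your schema).
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code",
              "pin", "track1", "track2"}

# Matches a verification-code field name followed by a 3- or 4-digit value.
SAD_LEAK_PATTERN = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cid|security[_ ]?code)\b\W{0,3}(\d{3,4})\b")


def build_auth_request(pan, expiry, holder, cvv):
    """Step 1 of the flow: the code travels only inside the authorization
    request. Reject malformed codes before they reach the gateway."""
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("verification code must be 3 or 4 digits")
    return {"pan": pan, "expiry": expiry, "holder": holder, "cvv": cvv}


def simulated_issuer_check(request, issuer_codes):
    """Stand-in for the issuer comparing the received code with its own
    value. Returns 'M' (match), 'N' (mismatch) or 'P' (not processed),
    the three outcomes named on the page. issuer_codes is a constructed
    PAN -> code mapping used only for this simulation."""
    expected = issuer_codes.get(request["pan"])
    if expected is None:
        return "P"
    return "M" if request["cvv"] == expected else "N"


def mask_pan(pan):
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def persist_transaction(request, result):
    """What may be kept after authorization: masked cardholder data and
    the outcome. The CVV is deliberately not copied into the record."""
    return {
        "pan_masked": mask_pan(request["pan"]),
        "expiry": request["expiry"],
        "holder": request["holder"],
        "cvv_result": result,
        "approved": result == "M",
    }


def redact_sad(payload):
    """Copy of a payload that is safe for application logs and debug output."""
    return {k: ("[REDACTED]" if k.lower() in SAD_FIELDS else v)
            for k, v in payload.items()}


def find_sad_leaks(log_lines):
    """Detection over existing logs: 1-based numbers of lines where a
    verification code appears in clear text next to its field name."""
    return [n for n, line in enumerate(log_lines, 1)
            if SAD_LEAK_PATTERN.search(line)]


if __name__ == "__main__":
    # Constructed sample data; 4111 1111 1111 1111 is a common test PAN.
    req = build_auth_request("4111111111111111", "12/27", "A. Example", "123")
    result = simulated_issuer_check(req, {"4111111111111111": "123"})
    print(persist_transaction(req, result))
    print(redact_sad(req))
    print(find_sad_leaks(["auth pan=411111******1111 cvv=123 result=M",
                          "auth pan=411111******1111 cvv=[REDACTED] result=M"]))
```

The point of `find_sad_leaks` is the audit side of requirement 3.3.1.2: even when application code never writes the code on purpose, gateway SDK debug output, request dumps and crash reports are the usual places it turns up, so a periodic scan of those artifacts belongs next to the redaction.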
Regulatory impact and applicable security
The CVV is classified as sensitive authentication data (SAD) under PCI DSS. The standard distinguishes between cardholder data (PAN, name, expiry date) and sensitive authentication data (CVV, PIN, full track data).
Key regulatory obligations include:
- PCI DSS v4.0: SAD cannot be stored after authorization, not even encrypted. Only issuers with legitimate justification may retain it.
- PSD2 and strong customer authentication (SCA): the CVV alone does not meet SCA requirements. Online payments in the European Economic Area require at least two authentication factors, typically via 3‑D Secure.
- Royal Decree‑Law 19/2018: transposes PSD2 into Spanish law and regulates strong authentication obligations.
The combination of CVV + 3‑D Secure shifts fraud liability to the issuer in the event of a chargeback.
Operational advantages and disadvantages
| Aspect | Advantage | Limitation |
|---|---|---|
| CNP fraud | Blocks transactions using stolen data if the attacker lacks the CVV | Does not protect against phishing where the cardholder provides the code |
| Conversion | Adds trust to the payment with minimal friction | Some cardholders cannot locate the code and abandon the purchase |
| PCI compliance | Reduces PCI scope by prohibiting SAD storage after authorization | Recurring payments cannot rely on CVV; tokenization is required |
| Dynamic CVV | Each code expires within minutes, preventing reuse | Depends on the cardholder’s access to the issuer’s app |
For recurring payments or subscriptions, tokenization replaces the CVV. The token allows charges to be processed without requesting the code each time, ensuring PCI DSS compliance and maintaining high approval rates.
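As an added example (not part of the original page), the following sketch shows the data separation that tokenization gives a recurring-billing flow: the first, customer-initiated charge is authorized with the CVV and yields a token, later merchant-initiated charges reference only that token, and the merchant's persisted record holds neither the PAN nor the code. The `TokenVault` class, the `tok_` token format, the function names and the sample data are constructed for illustration; the authorization itself is simulated.

```python
"""Added example (not part of the original page): a minimal token vault
showing how recurring charges run without the verification code. Class
and function names, the "tok_" format and the sample data are constructed
for illustration; the authorization itself is simulated."""
import secrets


def luhn_valid(pan):
    """Luhn checksum, the standard sanity check on a PAN before it is
    sent anywhere (it catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a PCI-scoped tokenization service. The vault keeps the
    PAN, the merchant keeps only the token and last four digits, and the
    CVV is kept by nobody. Tokens are random rather than a hash of the
    PAN: the PAN space is small enough that a bare hash is not a safe
    substitute for the number."""

    def __init__(self):
        self._cards = {}

    def tokenize(self, pan, expiry):
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def card_for(self, token):
        return self._cards[token]


def initial_charge(vault, pan, expiry, cvv, amount):
    """Customer-initiated first payment: the CVV is validated and used for
    this single authorization (simulated here), then dropped. The returned
    dict is everything the merchant persists."""
    if not (cvv.isdigit() and len(cvv) in (3, 4)):
        raise ValueError("verification code must be 3 or 4 digits")
    token = vault.tokenize(pan, expiry)  # authorization simulated as approved
    return {"token": token, "last4": pan[-4:], "amount": amount, "approved": True}


def recurring_charge(vault, stored, amount):
    """Merchant-initiated charge: the function takes no CVV parameter at
    all, so a stored code cannot be supplied even by mistake."""
    card = vault.card_for(stored["token"])
    return {"last4": card["pan"][-4:], "amount": amount,
            "approved": True, "cvv_present": False}


def merchant_record_is_clean(record):
    """Check a persisted merchant record: no SAD field names and no value
    that looks like a full PAN (13 or more digits)."""
    forbidden = {"pan", "cvv", "cvv2", "cvc", "cvc2", "cid",
                 "pin", "track1", "track2"}
    if forbidden & {k.lower() for k in record}:
        return False
    return not any(isinstance(v, str) and v.isdigit() and len(v) >= 13
                   for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    stored = initial_charge(vault, "4111111111111111", "12/27", "123", 1999)
    print(stored, merchant_record_is_clean(stored))
    print(recurring_charge(vault, stored, 1999))
```

The design choice worth noting is the signature of `recurring_charge`: because it has no way to accept a verification code, the subscription path cannot be "fixed" later by persisting the code, which is the shortcut that puts a merchant out of compliance.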