The card security code (CSC), sometimes called Card Verification Data (CVD), Card Verification Value (CVV or CVV2), Card Verification Value Code (CVVC), Card Verification Code (CVC or CVC2), or Card Code Verification (CCV), is a security feature for credit or debit card transactions, providing increased protection against credit card fraud.

As additional account security, every credit card comes with a special three- or four-digit code generally known as a CVV2 or CVV number. Cardholders will be requested to enter this when processing an online payment. An identity thief who has come across credit card information illegally will not have access to the CVV number if they do not have physical access to the card.

Illustration: Back of Credit Card with CVV

Where to Find the CVV on a Credit Card

  1. Expect that different credit card companies will use different CVV number formats. Visa and MasterCard both use a three-digit format, while American Express is unique in that it uses a four-digit format. Visa, MasterCard and American Express are the only credit card companies that provide CVV numbers with every account.
  2. Turn your Visa or MasterCard over and locate the signature panel on the back of the card. The signature panel is a white rectangular box located beneath your credit card’s magnetic strip, which you are required to sign to activate your card.
  3. Look at the three-digit cluster on your Visa or MasterCard, which follows the final four digits of your account number in your signature panel. That is your CVV number.
  4. Look for the CVV number on an American Express card on the front of the card, in smaller numbers above the last four digits of the credit card number.


Can CVV be Stored?

“It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely”

Easier purchasing and subsequent transactions are NOT a business justification. Card security codes and magnetic stripe data are not permitted to be stored by merchants and processors according to PCI DSS. Associations strictly forbid their storage:

Merchants storing CVV can be issued with fines and potentially have their merchant facilities cancelled by the processor or acquiring bank.
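
One way a merchant system can honour the no-storage rule, as an added example that is not part of the original article: the CVV is format-checked against the brand lengths listed earlier, passed to the processor once, and removed from anything persisted or logged. The field names, the `send_to_processor` and `store` callbacks, and the sample request are assumptions made for illustration.

```python
import re

# CVV length per brand as listed above: Visa/MasterCard 3 digits, Amex 4.
CVV_LENGTH = {"visa": 3, "mastercard": 3, "amex": 4}

# Field names are assumptions made for this example; real gateways differ.
SENSITIVE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "csc", "cid", "track_data"}
PAN_FIELDS = {"number", "pan"}

# Constructed sample request (a test card number, not a real account).
SAMPLE = {"card": {"brand": "visa", "number": "4111111111111111", "cvv": "123"},
          "amount": "10.00"}


def cvv_is_well_formed(brand, cvv):
    """Check the digit count only; whether the code is right is the issuer's call."""
    expected = CVV_LENGTH.get(str(brand).lower())
    if expected is None or not isinstance(cvv, str):
        return False
    return re.fullmatch(r"[0-9]{%d}" % expected, cvv) is not None


def scrub(payload):
    """Return a copy that is safe to persist or log: security codes and stripe
    data dropped at every nesting level, card numbers masked to the last four."""
    if isinstance(payload, list):
        return [scrub(item) for item in payload]
    if not isinstance(payload, dict):
        return payload
    clean = {}
    for key, value in payload.items():
        name = str(key).lower()
        if name in SENSITIVE_FIELDS:
            continue
        if name in PAN_FIELDS and isinstance(value, str):
            clean[key] = "*" * max(len(value) - 4, 0) + value[-4:]
        else:
            clean[key] = scrub(value)
    return clean


def handle_payment(request, send_to_processor, store):
    """Use the CVV once for authorization, then persist a record without it."""
    card = request["card"]
    if not cvv_is_well_formed(card["brand"], card["cvv"]):
        return False
    approved = send_to_processor(request)  # only place the CVV is passed on
    store(scrub(request))                  # stored record carries no CVV
    return approved
```

Running every log and database write through `scrub` matters as much as the payment path itself, since request dumps and error traces are where stored CVVs usually turn up.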

Can an authorization be processed without CVV?

For once-off payments, some issuing banks require security codes to be processed with each transaction. In those cases, if the CVV is not present, the transaction will be failed by the issuer. Online recurring payments work on a different set of rules. The initial transaction is processed with CVV as a purchase / sale. During a subsequent capture transaction, the merchant settles with the processor and the funds are transferred.

Offline recurring payments operate slightly differently and are typically processed as batch payments. These transactions can be processed without CVV and with a recurring indicator on the initial transaction.

The main reasons for processing in this manner are:

  • The issuing bank requires it (e.g., voice authorization).
  • The merchant does not know the full transaction amount (e.g., the cardholder registers a card and the amount is unknown at the time, as in telecoms and insurance).
  • The amount is owed at a later period (e.g., the cardholder registers a card but the amount is only owed at a later stage).

Processing offline recurring payments triggers MUCH higher scrutiny under PCI DSS. As such, most merchants who use third-party processors will utilize tokenization services to replace the card data, removing themselves from the PCI scope of card data storage.