What Are CVVs & an Updated Guide on Finding Them

Ever wondered how the numbers on the back of your credit card work? If you’re here, I’m guessing you have.

I’ll break down what CVVs are, their types, how they fight fraud, and key details for both sellers and shoppers.

Let’s begin with what they are.

Key Takeaways

• CVV codes verify card-not-present transactions and help prevent unauthorized use.
• PCI DSS prohibits storing CVVs to protect cardholders from breaches and fraud.
• Dynamic CVVs (like dCVV2) reduce card-not-present fraud by over 91% for some banks.
• Pair CVV checks with fraud scoring tools and chargeback alerts for more security.
• Protect CVVs by shopping on secure websites, avoiding phishing scams, and monitoring accounts.

CVVs don’t do much to stop friendly fraud — the most common type of chargeback. Managing disputes effectively requires other tools, such as chargeback alerts.

These alerts notify you before customers file chargebacks. Giving you a chance to resolve issues.

Learn how they work.

What Is a CVV?

A CVV, or Card Verification Value, is a 3- or 4-digit security code on payment cards like credit, debit, and gift cards. It authenticates card-not-present (CNP) transactions, such as online or phone purchases.

By requiring CVVs at checkout, merchants create an extra layer of security. Reducing fraud from stolen card numbers. We'll discuss how effective they are at preventing fraud later.

Most cards have the CVV printed on the back near the signature panel. Though American Express sometimes places it on the front.

Issuers print CVVs in plain text for manual entry. Unlike embossed or encoded card numbers and expiration dates.

Regulations prohibit storing CVVs in databases or browsers. Making them harder for hackers to access, even during breaches.

How does this work in practice?

Say a thief steals a credit card number during a data breach. They’ll struggle to make unauthorized purchases without the CVV. As it isn’t stored with other card details.

Have you noticed different names for this code? Let’s explore what they are.

Summary: A card's security code, verifying authenticity for card-not-present transactions.

Other Names for CVV

AmEx’s CSC code refers to the 3-digit number on the back of the card. Not the 4-digit CID number on the front.

Other card providers use only three-digit codes for CVVs.

You may also come across updated versions like CVV2 or CVC2, which are similar but include the number "2" to suggest enhanced security. We’ll discuss this in a bit.

Many Apple Cards use security codes instead of traditional CVVs. Apps like Google Wallet also refer to the CVV as a “security code” when manually adding a card.

How does Google Pay and similar wallets handle CVVs? Let’s dive into that next.

What is a CDCVM & How it Enables Digital Wallet Payments

A Consumer Device Cardholder Verification Method (CDCVM) is a security process for digital wallets. It authenticates the cardholder directly through their device.

CDCVM uses methods like:

• Biometrics (fingerprints or facial recognition)
• Passcodes
• Pattern locks

Digital wallets such as Google Pay, Apple Pay, and Samsung Pay rely on it for secure transactions.

CDCVM isn’t technically a CVV. Though, it serves a similar role. Verifying that only the legitimate cardholder can authorize payments.

How does this work with CVVs?

When adding a card to a digital wallet, you must enter the card’s CVV. This one-time step verifies that you physically own the card. After setup, digital wallets stop using CVVs for transactions.

Instead, digital wallets rely on tokenization. Digital wallets replace card details, including the CVV, with a unique digital token. This token processes payments without exposing your actual card information.

Want to know more? Check out our separate guide on tokenization.

Here’s an example:

Imagine paying for groceries with Google Pay. At checkout, you hold your phone near the POS and scan your fingerprint to confirm the payment.

In this scenario, CDCVM replaces the CVV’s role by verifying the cardholder.

Do card chips affect CVVs? Yes. Let’s explore how.

Summary: Secures digital wallet payments with device authentication and tokenization.

And What’s an iCVV & Its Connection to EMV

An iCVV (integrated Card Verification Value) is a security feature built into EMV chip cards. It prevents counterfeit magnetic stripe cards by securely storing card verification data on the chip, where it can’t be skimmed or copied.

How is iCVV different from traditional CVVs?

Card issuers print traditional CVVs on the card. Making them vulnerable to skimming or theft during in-person transactions. The iCVV exists digitally inside the EMV chip and works only during chip-based purchases.

How does it work?

During a transaction, the EMV chip validates the iCVV along with cryptographic data. This system blocks fraudsters from replicating iCVVs to create counterfeit magnetic stripe cards. Even if they steal card details.

iCVVs do not function in card-not-present (CNP) transactions. Limiting their exposure to fraud risks.

Imagine a fraudster tries to duplicate a card using stolen EMV chip data. Without the original chip’s iCVV, they can only create a counterfeit card with a magnetic stripe.

What if the fraudster tries using a counterfeit card at a terminal? The issuer rejects the transaction after the iCVV fails validation.

Want to learn more about EMV chips? Check out our separate guide.

Glossary:

• ARQC (Authorization Request Cryptogram): A cryptographic value generated by EMV. It validates purchases.

Summary: Secures EMV chip transactions by preventing counterfeit magnetic stripe fraud.

Where Do I Find My CVV Number?

Your CVV is a 3- or 4-digit security code printed on your credit, debit, and gift card. Most cards show this code on the back near the signature panel. Meanwhile, some, like American Express, place it on the front.

How to Identify Your CVV by Card Type:

• Standard cards (Visa, Mastercard, Discover): A 3-digit code printed on the back near the signature panel.
• American Express: A 4-digit code displayed on the front, above or to the right of the embossed card number.
  
  • AmEx also has a 3-digit code on the back, used for systems that handle standard CVVs.
• Apple Card: The physical titanium card has a 3-digit code on the back. In the Apple Wallet app, you can find the security code by navigating to "Card Information."
• UnionPay, JCB, Elo: These cards follow the standard 3-digit format, with the code placed on the back near or above the signature panel.

AmEx CID vs. CVV:

Merchants decide which code to use when accepting AmEx payments. Sellers with systems tailored for AmEx cards specifically request the 4-digit CID.

Wait — I haven’t explained how CVVs work yet. Let’s get into that.

How Do CVV Codes Work?

When a transaction takes place, here’s how CVVs work:

1. Customer inputs CVV: The cardholder enters their CVV along with other card info.
2. Merchant sends data: The payment gateway transmits the card details, including the CVV, to the payment processor.
3. Issuer matches CVV: The issuer checks the CVV against the one linked to the card account.
4. Issuer response: If the CVV matches, the issuer approves the transaction.
   
   1. If not, they decline it.
5. Processor finalizes payment: Once approved, the payment processor completes the transaction.

What about stolen cards?

If someone steals a physical card, they also get access to the CVV. Options like iCVVs and dynamic CVVs help solve this problem by adding more security layers.

And what is a dynamic CVV? Let’s break it down.

What is a Dynamic CVV?

Dynamic CVV (dCVV) generates a new, temporary security code for each transaction or at regular intervals. Dynamic CVVs change frequently. Making it much harder for fraudsters to use stolen card details. Issuers typically offer it for cardholders using virtual cards.

How do banks provide dCVVs?

• Mobile apps: Many banks allow users to retrieve fresh dCVV codes through their apps when needed.
• E-ink cards: Programs like Idemia offer experimental cards with an e-ink display on the back.
  
  • This display updates periodically with a new CVV.

Here’s what the e-ink card looks like:

Source: Idemia

Downsides of dCVVs include:

• Recurring transactions fail: Customers may need to enter a new CVV monthly for subscriptions. Leading to frustration or cancellations.
• Increased friction: Shoppers must open a dCVV app to retrieve a code for purchases. This may cause them to abandon transactions.

How would a dCVV work in real life?

Instead of entering a static CVV, you open your banking app and retrieve a fresh dCVV. After the transaction, the app automatically generates a new code. Even if hackers steal your card details, they can’t use the expired CVV for future fraud.

And what about dCVV2?

Visa’s dCVV2 works on the same principle as dynamic CVVs but integrates with their ecosystem. dCVV2 codes also change periodically or per transaction. Users retrieve them through a mobile app or secure device provided by their bank.

Note: Mastercard refers to their version as dynamic CVC2 (dCVC2) instead of dCVV2.

Now, let’s discuss how CVV codes, including dCVVs, help prevent fraud.

Summary: Generates temporary security codes that serve as CVVs.

Do CVV Codes Prevent Fraud?

Using dynamic CVV2 has reduced CNP fraud by over 91% for banks adopting it [1]. This drop in disputes also cuts fraud-related expenses by 90%.

However…

Businesses can’t force customers to use dynamic CVVs. Adoption remains limited due to friction they add to purchases and their high costs.

For example [2]:

• dCVV cost per card: Up to $15.
• EMV card cost per card: About $3.

While dCVVs represent the future, static CVVs play a crucial role in preventing CNP fraud. They ensure the buyer physically possesses the card.

How do CVVs help merchants?

Merchants using CVV verification in their checkout processes block unauthorized transactions early. This reduces chargebacks and disputes.

But CVVs have weaknesses:

• Web-based keyloggers: Hackers install malware to capture CVVs during online purchases.
• Card testing fraud: Fraudsters test random CVVs with small purchases until they find a match.
  
  • Card testing fraud rose 300% in Q1 2017.

How do PCI DSS standards help?

PCI DSS prohibits merchants from storing CVVs. Such rules reduce the risk of hackers stealing them during database breaches. But. Fraudsters have adapted by using tactics like phishing to trick cardholders into sharing their CVVs.

Learn more about PCI DSS here.

CVVs are a key part of payment security but aren’t foolproof. Pair them with tools like Address Verification Services (AVS) to minimize risk.

How does this connect to chargebacks? Let’s explore.

Summary: Dynamic and static CVVs reduce fraud but have exploitable limitations.

How Do CVV Codes Tie In With Chargebacks?

CVVs help confirm that the customer entering card details has the physical card. Making it harder for fraudsters to use stolen numbers. However. They are less effective against friendly fraud.

This type of fraud involves customers filing false disputes on legit purchases. See this piece for more information.

It's difficult to find reliable statistics that link CVV verification to reduced chargebacks. This happens because CVV verification serves as one part of a larger fraud prevention system.

For instance, sellers may use multiple tools at once, such as AVS and fraud detection algorithms. Making it difficult to isolate the specific impact of CVVs.

Let’s look at the future of CVV.

Glossary:

• Chargebacks: The forced reversal of a purchase. Not a refund.

Summary: They help cut fraud-related disputes.

CVV vs. CVV2 vs. CVV3

Here are the differences among CVV1, 2, and 3:

• CVV: A static code printed on physical cards for basic verification.
• CVV2: A code separate from the magnetic stripe.
• CVV3 (Dynamic CVV): A code that changes periodically to enhance protection against fraud.

You might have read this and thought, “isn’t CVV3 the same as dCVV2?”

Nope.

CVV3 is a standard for generating security codes. dCSS is a protocol that manages how the code changes periodically.

In simpler terms, dCVV can dynamically generate new codes for CVV2 or CVV3, depending on the system.

What do merchants need to know about CVV? Let’s break it down.

What Merchants Should Know About Using CVV Codes

Merchants must verify CVV numbers during transactions to reduce fraud risk. Most payment processors include CVV checks, so it typically requires no extra effort.

For phone transactions, always ask for the CVV. Skipping this step increases the chances of fraud-related chargebacks

Never store CVV data.

Merchants must not store CVV codes electronically, on paper, or in logs. Storing CVVs violates PCI DSS. Non-compliance can lead to:

• Huge fines.
• Reputational damage.
• Loss of payment processing privileges.

Use PCI-compliant processors. Processors with Level 1 PCI compliance help merchants stay compliant by managing sensitive data.

This reduces the risk of accidental CVV storage and simplifies compliance responsibilities.

Merchants should combine CVV checks with other fraud prevention methods:

• Fraud scoring: Analyze patterns and behaviors to assign risk scores to transactions.
• Chargeback alerts: Get notified of potential disputes to take preemptive action.
• Two-Factor Authentication: Require 2FA for user accounts to block account takeovers.
• Address Verification Services: Match the billing address with the cardholder’s records.

This last section is for the shoppers reading this piece.

Summary:

Don’t hold onto CVV data and use other chargeback management strategies.

How to Keep Your CVV Code Safe

Here are practical steps to ensure your CVV stays secure:

• Shop only on secure websites: Look for “https” and a lock icon before entering payment details.
• Avoid saving card information: Don’t store card details in browsers or accounts.
• Beware of phishing scams: Ignore suspicious links, emails, or texts asking for payment info.
• Use a VPN on public Wi-Fi: Encrypt your connection to stop hackers from intercepting your data.
• Monitor statements: Check for unauthorized charges and act quickly if you spot any.
• Install antivirus software: Protect your device from keyloggers and malicious programs.
• Never share your CVV: Only provide it for legitimate purchases online or over the phone.

Most computers that run on Windows include Windows Defender, which is good enough for security in most cases. Don’t click on sketchy links on the internet. Also, don’t download potentially dangerous files.

I (the writer, not Chargeback), use Proton VPN and highly recommend it. It has more data privacy than most other VPNs and has much better customer support.

As for phishing scams, the University of Chicago has a list of current scams. I recommend checking it out to prevent yourself from falling victim. They also provide a lot of neat resources about cyber hygiene. This means taking good care of your account security.

Let’s finish this off with some questions and answers.

FAQs

Are CVV Numbers Stored?

No, PCI DSS standards prohibit storing CVV numbers to protect cardholder security.

Can NFC Readers Read CVV Codes?

NFC readers do not access or transmit CVV codes.

Can Someone Look Up My CVV Number Online?

No, card issuers only print CVV codes on the card and do not store them digitally.

Can You Process Payments Without a CVV?

Yes, but skipping CVV verification increases fraud risk.

What is the Difference Between CVV & PIN?

A CVV verifies card-not-present transactions, while a PIN secures in-person transactions at terminals.

Wrapping Up

CVVs help confirm that cardholders are legitimate, but they aren’t foolproof at preventing fraud. Updates like CVV3 and dCVV2 improve security, but they still have limitations.

CVVs also can’t stop chargebacks caused by friendly fraud or merchant errors. That’s where chargeback alerts come in.

These alerts have helped some of our customers cut their chargeback rates by up to 91%.

Ready to take action? Schedule a demo.

Sources

• [1] How Dynamic CVV Helped Reduce Fraud. Visa. July, 2022.
• [2] Can CVV Stop Fraud? Merchant Fraud Journal.