What is a Card Security Code?
A card security code is a short numeric code printed on a payment card that is used to verify card-not-present transactions. It is most commonly three digits on the back of the card (for Visa and Mastercard) or four digits on the front (for American Express). The code is also known as CVV, CVC, or CV2 depending on the card network.
Understanding the Card Security Code
The card security code is a fraud prevention feature built into every debit and credit card. Its purpose is simple: to prove that the person making a remote payment actually has the physical card, not just a stolen card number.
The code has several names across the payment industry -- CVV, CVC, CV2, and CID -- but they all refer to the same concept. In everyday language, most people simply call it the "security code" or "the three digits on the back of your card."
Where to Find Your Security Code
For Visa and Mastercard cards, the security code is the last three digits printed in the signature area on the back of the card. It is separate from the main card number.
For American Express cards, the code is four digits printed on the front of the card, above the card number on the right-hand side.
Why It Exists
The card security code was introduced to combat a specific type of fraud. When card numbers are stolen -- through data breaches, skimming devices, or phishing attacks -- the criminals obtain the long card number and expiry date but typically not the security code. This is because:
- The code is not encoded on the magnetic stripe
- It is not stored on the card's chip
- PCI DSS prohibits merchants from storing it after a transaction
- It is not embossed on the card, so carbon copies do not capture it
By requiring the security code for card-not-present transactions, merchants add a verification step that stolen card data alone cannot satisfy.
How It Works During a Payment
When you provide your security code during an online or telephone payment, it is sent to your card issuer as part of the authorisation request. The issuer checks the code against its records and returns one of several responses:
- Match: The code is correct
- No match: The code is incorrect, and the transaction may be declined
- Not processed: The issuer did not check the code
Merchants can configure their payment systems to accept or decline transactions based on these responses. Most merchants will decline a transaction where the security code does not match.
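The flow described above, as an added Python example that is not code from the original page or from any payment provider: the merchant applies a configurable decline policy to the issuer's response and builds the stored record from an allowlist, so the security code is never persisted. The function names, field names, policy constants and the stub issuer are all hypothetical, and the sample request is constructed.

```python
from enum import Enum


class CscResult(Enum):
    """The three issuer responses described above."""
    MATCH = "match"
    NO_MATCH = "no_match"
    NOT_PROCESSED = "not_processed"


# Merchant-configurable policy (hypothetical names): which issuer responses
# cause the merchant to decline the transaction.
DECLINE_ON_MISMATCH = frozenset({CscResult.NO_MATCH})
DECLINE_UNLESS_MATCH = frozenset({CscResult.NO_MATCH, CscResult.NOT_PROCESSED})

# Allowlist of request fields that may be persisted. The security code is
# absent, so it cannot reach storage even if the request gains new fields.
PERSISTED_FIELDS = ("order_id", "amount")


def make_stub_issuer(code_on_record, checks_code=True):
    """Constructed stand-in for the card issuer (not a real gateway API)."""
    def authorise(request):
        if not checks_code:
            return CscResult.NOT_PROCESSED
        if request["security_code"] == code_on_record:
            return CscResult.MATCH
        return CscResult.NO_MATCH
    return authorise


def take_payment(request, authorise, decline_on=DECLINE_ON_MISMATCH):
    """Authorise a card-not-present payment and build the stored record."""
    result = authorise(request)          # the code travels only in this request
    accepted = result not in decline_on  # merchant policy, not issuer policy
    record = {name: request[name] for name in PERSISTED_FIELDS}
    record["csc_result"] = result.value
    record["accepted"] = accepted
    return accepted, record


if __name__ == "__main__":
    # Constructed sample request with a generic test card number.
    request = {"order_id": "A-1001", "amount": "25.00",
               "card_number": "4111111111111111", "security_code": "123"}
    for issuer in (make_stub_issuer("123"), make_stub_issuer("999"),
                   make_stub_issuer("123", checks_code=False)):
        print(take_payment(request, issuer))
```

With the default policy a "not processed" response is accepted; passing `DECLINE_UNLESS_MATCH` declines it as well.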
Security Code and PCI DSS
The PCI DSS standard has an absolute rule regarding security codes: they must never be stored after a transaction has been authorised. This means no database records, no written notes, no call recordings containing the spoken code, and no screen captures. This rule applies to every merchant and service provider, with no exceptions.
In telephone payment environments, this requirement creates a practical challenge. If a customer speaks their security code to an agent and the call is being recorded, the code is captured in the recording -- which is a PCI DSS violation. Organisations must either exclude payment portions of calls from recordings or use technology that prevents the code from entering the audio stream in the first place.
Paytia eliminates the security risks associated with handling card security codes over the telephone. With Paytia's DTMF suppression solution, customers enter their security code on their phone keypad rather than speaking it aloud. The keypad tones are masked in real time, so the agent hears only a uniform tone and cannot identify the digits.
The security code is transmitted directly to the payment processor, verified against the card issuer's records, and never stored anywhere in Paytia's infrastructure or the merchant's environment after authorisation. This fully meets the PCI DSS requirement that security codes must not be retained post-authorisation, and it does so automatically -- without relying on agents to follow manual procedures or organisations to redact call recordings.
Frequently Asked Questions
Is my card security code the same as my PIN?
No. Your PIN is a secret number you choose and enter at chip-and-PIN terminals or cash machines. Your card security code is printed on the card itself and is used for remote payments where a PIN cannot be entered. Never share your PIN with anyone, including merchants.
What should I do if someone asks me to email my security code?
Never send your card security code by email, text message, or any other written communication. These channels are not secure, and the code could be intercepted or stored in violation of PCI DSS rules. Only provide your security code through secure payment channels -- such as a verified website checkout or a secure telephone payment system.