What is CVV, CVC, or CV2?

CVV (Card Verification Value), CVC (Card Verification Code), and CV2 (Card Verification Value 2) are different names for the same thing: the three-digit security code printed on the back of most debit and credit cards. This code provides an additional layer of verification for card not present transactions, helping to confirm that the person making the payment has the physical card in their possession.

What the Code Is

The three-digit security code on the back of your card is a fraud prevention measure designed specifically for card not present transactions -- situations where the merchant cannot physically inspect the card. It goes by several names depending on the card network:

  • CVV (Card Verification Value): used by Visa
  • CVC (Card Verification Code): used by Mastercard
  • CV2 (Card Verification Value 2): a generic industry term
  • CID (Card Identification Number): used by American Express (4 digits, printed on the front of the card)

Despite the different names, they all serve the same purpose and work in the same way. Throughout this article, we will use CVV as shorthand, but everything applies equally to CVC and CV2.

Where to Find It

On Visa and Mastercard cards, the security code is the last three digits printed on the signature strip on the back of the card. On American Express cards, it is a four-digit number printed on the front of the card, above and to the right of the main card number.

The code is printed on the card but is not stored on the magnetic stripe, the chip, or in the card's digital data. This is a deliberate design choice -- it means that if someone copies the card number through skimming or a data breach, they still will not have the security code. The only way to obtain it is to have the physical card in hand -- or to have been told or shown the number directly.

How It Works in Transactions

When you make a payment online or over the phone, the merchant asks for the security code along with the card number and expiry date. The payment processor sends this code to the card issuer, which checks it against its records. If the code does not match, the transaction is declined.

This provides a simple but effective check: if someone has obtained your card number through fraud, they are unlikely to also have the security code unless they have the physical card. The code does not prove identity beyond doubt, but it raises the bar significantly for anyone attempting to use stolen card data.

CVV vs CVV2

You may occasionally see references to CVV1 and CVV2. CVV1 is a code embedded in the magnetic stripe of the card -- it is read automatically by card machines when you swipe. CVV2 is the printed code on the back of the card, used for remote transactions. When people say "CVV" in everyday conversation, they almost always mean CVV2 -- the printed code you are asked to provide when shopping online or paying over the phone.

PCI DSS Rules on Security Codes

PCI DSS has strict rules about how security codes must be handled:

  • Never store the security code after a transaction has been authorised -- this applies to all merchants and service providers without exception
  • The code may only be used for the purpose of completing a specific transaction
  • It must not be written down, recorded in call audio, stored in databases, or kept in any form after authorisation
  • Pre-authorisation storage is permitted only if there is a legitimate business need and solid security controls are in place

This rule is one of the most commonly violated PCI DSS requirements, particularly in call centre environments where agents may write down card details or where call recordings capture the customer speaking the code aloud. Even temporary storage -- such as an agent jotting the number on a notepad before typing it into a payment screen -- constitutes a violation.

Security Codes and Telephone Payments

Telephone payments present a particular challenge for security code handling. When a customer reads their CVV aloud over the phone, the code is exposed in multiple ways:

  • The agent hears the code and may remember, write down, or inadvertently expose it
  • Call recording systems capture the spoken digits in the audio file
  • Quality monitoring and speech analytics tools may process and store the audio
  • Screen-sharing or monitoring tools used for agent supervision may display payment screens

DTMF masking technology addresses this by allowing customers to enter their security code on their phone keypad instead of speaking it aloud. The tones are masked before reaching the agent, and the code is routed directly to the payment processor without being stored anywhere in the merchant's environment.

Why Merchants Cannot Store the CVV

The prohibition on storing CVV data after authorisation exists for a critical reason: if a merchant's systems are breached, attackers should not be able to obtain everything needed to make fraudulent transactions. The card number and expiry date may be compromised, but without the CVV, the stolen data is far less useful for card not present fraud.

Merchants who store CVV data -- even accidentally through call recordings or log files -- face severe consequences. These can include fines from the card brands, increased processing fees, mandatory forensic investigations at the merchant's expense, and in extreme cases, the loss of their ability to accept card payments entirely.
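
Accidental storage through log files, as described above, can be caught at the point where a line is written. The following Python filter is an added example, not code from the original page or from Paytia: it masks labelled security-code fields in log lines and reports which lines contained one. The field-name list and the sample log lines are constructed assumptions.

```python
import re

# Field names that commonly carry the card security code.
# Assumed list for illustration; extend it to match your own codebase.
CVV_KEYS = r"(?:cvv2?|cvc2?|cv2|cid|card_?security_?code|security_?code)"

# Matches key=value, key: value and JSON-style "key": "value"
# where the value is a 3- or 4-digit number.
CVV_FIELD = re.compile(
    r'(?P<key>["\']?\b' + CVV_KEYS + r'\b["\']?\s*[:=]\s*["\']?)(?P<val>\d{3,4})\b',
    re.IGNORECASE,
)

def redact_line(line):
    """Return (redacted_line, hit_count) with every labelled code masked."""
    return CVV_FIELD.subn(lambda m: m.group("key") + "[REDACTED]", line)

def scan(lines):
    """Redact all lines; return cleaned lines and 1-based numbers of lines that leaked."""
    cleaned, leaked = [], []
    for number, line in enumerate(lines, 1):
        new_line, hits = redact_line(line)
        cleaned.append(new_line)
        if hits:
            leaked.append(number)
    return cleaned, leaked

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    '10:00:01 INFO payment request {"pan": "411111******1111", "cvv": "123", "amount": 10}',
    "10:00:02 DEBUG form fields: expiry=12/27 cvc=987 name=J SMITH",
    "10:00:03 INFO auth approved order=4821 amount=10.00",
    "10:00:04 WARN amex retry CID: 4321",
]

if __name__ == "__main__":
    cleaned, leaked = scan(SAMPLE)
    for line in cleaned:
        print(line)
    print("lines that contained a security code:", leaked)
```

A filter like this only catches codes that appear next to a recognisable field name; it is a safety net behind the real control, which is never passing the code to logging in the first place.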

The Future of Card Verification

Static CVV codes have limitations. If someone photographs the back of a card, they have the code permanently. Several card issuers are now experimenting with dynamic CVV technology, where the three-digit code changes at regular intervals -- displayed on a small e-ink screen built into the card. This makes stolen codes useless within minutes.

Additionally, tokenisation and 3D Secure / SCA are increasingly supplementing or replacing CVV checks for online transactions. However, for telephone payments, the CVV remains the primary method of verifying card possession, making secure handling practices essential for any business taking payments over the phone.

How Paytia Uses This

Paytia's payment platform captures the CVV/CVC/CV2 code securely as part of every telephone transaction. When a customer enters their security code on their phone keypad, Paytia's DTMF suppression technology masks the tones so the agent cannot identify the digits. The code is transmitted directly to the payment processor for verification and is never stored in Paytia's systems after authorisation.

This approach fully complies with PCI DSS requirements for security code handling. The code is never spoken aloud, never visible to the agent, never captured in call recordings, and never stored after the transaction. Organisations using Paytia can be confident that this critical PCI DSS requirement is met automatically, without relying on agent behaviour or manual processes.

Frequently Asked Questions

Is CVV the same as CVC and CV2?

Yes. CVV, CVC, and CV2 are all names for the same three-digit security code on the back of your payment card. Different card networks use different names -- Visa calls it CVV, Mastercard calls it CVC, and CV2 is a general industry term -- but they all refer to the same code and serve the same purpose.

Can a merchant store my CVV after a transaction?

No. PCI DSS strictly prohibits the storage of the CVV/CVC/CV2 code after a transaction has been authorised. This applies to all merchants and service providers, regardless of size. The code may only be used to complete the specific transaction it was provided for, and must be securely deleted immediately afterwards.

Why do I need to provide my CVV for phone payments?

The CVV code helps verify that you have the physical card in your possession. Since the merchant cannot see or scan your card during a phone payment, the security code serves as an additional check against fraud. It confirms that the card details were not simply copied from a database or stolen receipt. Secure payment solutions let you enter the CVV on your phone keypad so you never have to read it aloud.
