What is CVV, CVC, or CV2?
CVV (Card Verification Value), CVC (Card Verification Code), and CV2 (Card Verification Value 2) are different names for the same thing: the three-digit security code printed on the back of most debit and credit cards. This code provides an additional layer of verification for card-not-present transactions, helping to confirm that the person making the payment has the physical card in their possession.
What the Code Is
The three-digit security code on the back of your card is a fraud prevention measure designed specifically for card-not-present transactions. It goes by several names depending on the card network:
- CVV (Card Verification Value): Used by Visa
- CVC (Card Verification Code): Used by Mastercard
- CV2 (Card Verification Value 2): A generic industry term
- CID (Card Identification Number): Used by American Express (4 digits, printed on the front of the card)
Despite the different names, they all serve the same purpose and work in the same way.
Where to Find It
On Visa and Mastercard cards, the security code is the last three digits printed on the signature strip on the back of the card. On American Express cards, it is a four-digit number printed on the front of the card, above and to the right of the main card number.
The code is printed on the card but is not stored on the magnetic stripe, the chip, or in the card's digital data. This is a deliberate design choice -- it means that if someone copies the card number through skimming or a data breach, they still will not have the security code.
How It Works in Transactions
When you make a payment online or over the phone, the merchant asks for the security code along with the card number and expiry date. The payment processor sends this code to the card issuer, which checks it against its records. If the code does not match, the transaction is declined.
This provides a simple but effective check: if someone has obtained your card number through fraud, they are unlikely to also have the security code unless they have the physical card.
PCI DSS Rules on Security Codes
PCI DSS has strict rules about how security codes must be handled:
- Never store the security code after a transaction has been authorised -- this applies to all merchants and service providers without exception
- The code may only be used for the purpose of completing a specific transaction
- It must not be written down, recorded in call audio, stored in databases, or kept in any form after authorisation
This rule is one of the most commonly violated PCI DSS requirements, particularly in call centre environments where agents may write down card details or where call recordings capture the customer speaking the code aloud.
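As an added example of enforcing the storage rule above (not Paytia's code and not part of the original page), the following Python drops security-code fields from a record before it is persisted or logged, and flags codes or card numbers left in free text such as agent notes. The field names, the sample record and the sample note are constructed assumptions.

```python
import re

# Field names treated as card security codes (assumed naming; adapt to your schema).
CODE_KEYS = {"cvv", "cvc", "cv2", "cvv2", "cvc2", "cid", "security_code"}
LABELLED_CODE = re.compile(
    r"\b(cvv2?|cvc2?|cv2|cid|security code)\b\W{0,3}(\d{3,4})\b", re.I)
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_for_storage(record):
    """Return a copy of a nested dict/list with security-code fields removed."""
    if isinstance(record, dict):
        return {k: scrub_for_storage(v) for k, v in record.items()
                if k.lower() not in CODE_KEYS}
    if isinstance(record, list):
        return [scrub_for_storage(v) for v in record]
    return record


def find_code_exposure(text: str) -> list[str]:
    """Flag stored free text (notes, transcripts) without echoing the digits found."""
    findings = []
    for m in LABELLED_CODE.finditer(text):
        findings.append(
            f"labelled security code ({m.group(1).lower()}) at offset {m.start()}")
    for m in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(f"Luhn-valid card number at offset {m.start()}")
    return findings


# Constructed sample data; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_AUTH_REQUEST = {"order": "A-1001",
                       "card": {"pan": "4111111111111111", "expiry": "12/30", "cvv": "123"}}
SAMPLE_NOTE = "Customer called back, card 4111 1111 1111 1111 exp 12/30 CVV: 123, retry tomorrow"
```

The scrubber belongs on the path between the authorisation call and any database write or log line; the scanner is for auditing text that has already been stored.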
Security Codes and Telephone Payments
Telephone payments present a particular challenge for security code handling. When a customer speaks their CVV over the phone, it is captured in the call audio and potentially in any call recording. If agents write the code down -- even temporarily -- it creates an additional point of exposure.
DTMF masking technology addresses this by allowing customers to enter their security code on their phone keypad instead of speaking it aloud. The tones are masked before reaching the agent, and the code is routed directly to the payment processor without being stored anywhere in the merchant's environment.
Paytia's payment platform captures the CVV/CVC/CV2 code securely as part of every telephone transaction. When a customer enters their security code on their phone keypad, Paytia's DTMF suppression technology masks the tones so the agent cannot identify the digits. The code is transmitted directly to the payment processor for verification and is never stored in Paytia's systems after authorisation.
This approach fully complies with PCI DSS requirements for security code handling. The code is never spoken aloud, never visible to the agent, never captured in call recordings, and never stored after the transaction. Organisations using Paytia can be confident that this critical PCI DSS requirement is met automatically, without relying on agent behaviour or manual processes.
Frequently Asked Questions
Is CVV the same as CVC and CV2?
Yes. CVV, CVC, and CV2 are all names for the same three-digit security code on the back of your payment card. Different card networks use different names -- Visa calls it CVV, Mastercard calls it CVC, and CV2 is a general industry term -- but they all refer to the same code and serve the same purpose.
Can a merchant store my CVV after a transaction?
No. PCI DSS strictly prohibits the storage of the CVV/CVC/CV2 code after a transaction has been authorised. This applies to all merchants and service providers, regardless of size. The code may only be used to complete the specific transaction it was provided for.
Why do I need to provide my CVV for phone payments?
The CVV code helps verify that you have the physical card in your possession. Since the merchant cannot see or scan your card during a phone payment, the security code serves as an additional check against fraud. It confirms that the card details were not simply copied from a database or stolen receipt.