Payment Security4 February 202623 min read

What is CVC? CVC vs CVV vs CV2 Explained (2026)

CVC, CVV, CV2, CCV — four names for the same three or four digits on your card. Here's what each means, where to find them, and why they exist.

By Craig Marston
What is CVC? CVC vs CVV vs CV2 Explained (2026)

TL;DR

CVC stands for Card Verification Code — it's Mastercard's name for the three-digit security code on the back of your card. Visa calls it CVV. Some banks call it CV2 or CCV. They all mean the same thing: a small printed number proving you've got the physical card when you can't tap or insert it. On debit cards from Mastercard, Visa, and most UK issuers, it's the same three digits in the same place.

Last updated: 29 May 2026

If you've ever typed "what is CVC" into Google, you've probably done it because some checkout form asked for one and you couldn't see anything labelled CVC anywhere on your card. There's a reason for that. CVC is real — it's a proper industry term — but it's one of about six names for the same little number, and which one you see depends on who issued your card and where the form was built.

This guide explains what CVC means, why it has so many other names (CVV, CV2, CCV, CSC, CID), where to find it on each major card brand, and how it works on debit cards specifically. We'll also cover the security and compliance side, because the whole reason this code exists is to stop fraud — and the way contact centres, merchants, and apps handle it is governed by a strict global standard that we work with every day.

Key takeaways

  • CVC = CVV = CV2 = CCV = CSC. All five acronyms refer to the same three-digit code on the back of your card (or four digits on the front for Amex).
  • CVC is Mastercard's name; CVV is Visa's. CV2 and CCV are informal variants you'll see on UK banking apps and some online forms.
  • On debit cards, CVC works exactly like on credit cards — same length, same place, same purpose.
  • The code is printed, not embossed, and it's deliberately kept off the magnetic stripe and EMV chip so it can't be skimmed.
  • Merchants can use it but cannot store itPCI DSS v4.0.1 explicitly forbids retention after the transaction is authorised, even encrypted.

What is CVC? The One-Sentence Answer#

CVC stands for Card Verification Code. It's the three-digit number printed on the back of your Mastercard, in the signature strip, and you use it to prove you've got the physical card when you can't physically present it — typing it into a website, reading it out over the phone, or entering it into an app.

That's it. That's the whole meaning. The complication is that "CVC" is just Mastercard's brand name for the code. Every other card network has its own name for the exact same thing, and a few unofficial shorthand versions have crept into UK banking apps and online checkouts over the years. Here's the full picture:

  • CVC or CVC2 — Card Verification Code, used by Mastercard.
  • CVV or CVV2 — Card Verification Value, used by Visa.
  • CV2 — informal UK banking shorthand, common on Lloyds, Halifax, NatWest, Barclays apps and statements. Same three digits.
  • CCV — a common typo or alternate spelling ("Credit Card Verification") you'll see in some online forms, particularly from US merchants. Still the same three digits.
  • CID — Card Identification Number, used by American Express (four digits, printed on the front) and Discover (three digits, on the back).
  • CSCCard Security Code, a generic catch-all used by checkout forms that don't want to pick a brand-specific term.

If a form asks for any of those and your card shows a different name, look at the three digits on the back (or four on the front for Amex). Type those in. It'll work.

CVC vs CVV — Are They the Same?#

Yes. They're the same. The only reason there are two names is that Visa got there first with "CVV" in the mid-1990s and Mastercard didn't want to use a competitor's acronym, so they coined "CVC" for their own cards. Functionally there's zero difference:

  • Same length — three digits on both Visa and Mastercard.
  • Same location — on the back, in or just after the signature strip.
  • Same job — proving you've got the physical card when you can't tap or insert it.
  • Same rulesPCI DSS forbids merchants from storing either one after the transaction.
  • Same generation method — both calculated cryptographically from your card number, expiry date, and the issuer's secret keys.

If you've got a Visa card and a checkout asks for your CVC, type the three digits on the back. If you've got a Mastercard and the form asks for your CVV, same answer. The acronyms are a branding choice, not a technical distinction.

Quick tip: If you're staring at a payment form that asks for a "security code" or "CVC" or "CVV" or "CV2" and you can't find anything matching that exact name, just look for the three digits printed on the back of your card. That's the answer to all of them.

Close-up of a credit card chip and signature panel where the CVV is printed

Where is CVC on a Credit Card?#

On every major card brand except American Express, the CVC is the three digits printed in the signature strip on the back of the card. They sit just after the last four digits of your card number, which are usually printed in white on a black or grey background within the signature panel itself.

Here's where each card network puts it:

Card BrandOfficial NameDigitsLocation
Mastercard (credit and debit)CVC / CVC23Back, signature strip
Visa (credit and debit)CVV / CVV23Back, signature strip
American ExpressCID4Front, above the card number, on the right
DiscoverCID3Back, signature strip
JCBCAV23Back, signature strip
UnionPayCVN23Back, signature strip

If your card is metal or contactless-only and there's nothing printed at all (some modern challenger bank cards do this), the code lives only in the issuer's app. Revolut, Monzo, Starling, and Apple Card all do this for at least some card types — you open the app to see the CVC, and on some it rotates every few hours for extra security.

What if there's no signature strip on the back?

A small but growing number of cards — particularly premium metal cards and virtual-only cards — don't have a signature strip at all. On these, the CVC is either printed elsewhere on the card (sometimes on the front) or it's available only through the issuer's mobile app. If you can't see a code anywhere obvious, open your banking app and look under your card details. The CVC will be there.

What Does CVC Mean on a Debit Card?#

The same thing it means on a credit card: a three-digit verification code printed on the back, used to prove you've got the physical card during online or telephone purchases. On Mastercard debit cards (which most UK current accounts issue), it's labelled CVC. On Visa Debit cards (used by Barclays, HSBC, First Direct, and others), it's labelled CVV. CV2 is the term you'll often see on Lloyds, Halifax, NatWest, and TSB statements and apps — same three digits, just a different label.

The rules are identical to credit cards. Three digits, on the back, in or near the signature strip. You'll be asked for it when you:

  • Shop online and your card isn't already saved with the retailer.
  • Pay by phone (council tax, utility bills, fines, professional services, charity donations).
  • Set up a recurring payment for the first time.
  • Add the card to a new device for the first time (though Apple Pay and Google Pay then take over).

There is one practical difference. Debit cards take money straight out of your current account, so a mistake — a duplicate transaction, a fraud attempt, a merchant overcharging — leaves you out of pocket immediately rather than a credit card bill arriving next month. UK debit cards are still covered by the Direct Debit Guarantee where it applies and by chargeback rights for unauthorised transactions, but the cash is gone from your account in the meantime. The CVC plays the same defensive role on debit as it does on credit: making sure stolen card numbers from a data breach can't be used to drain your balance through an online shopping spree.

CVV vs CVV2 vs CVC vs CV2 vs CCV vs CID — The Full Map#

People search "CVV vs CVC" or "CV2 vs CVV" or "CCV vs CVC" thinking there's some hidden technical difference. There almost isn't. Here's what each one actually means and why so many names exist for one number.

CVV1 vs CVV2 (and CVC1 vs CVC2) — Two Codes, Two Uses

Visa technically defines two codes, and Mastercard mirrors the same split. CVV1 (and the Mastercard equivalent CVC1) is encoded invisibly on the magnetic stripe. Your card terminal reads it automatically when you swipe — you've never seen it and you've never had to type it. CVV2 (and CVC2) is the visible three-digit number printed on the signature strip. That's the one you read out over the phone or type into a website. When the industry says "CVV" or "CVC" in 2026, they almost always mean the printed CVV2/CVC2 — the magnetic stripe versions have been quietly phased out as EMV chip and contactless took over.

CVC vs CVV — Mastercard's Name vs Visa's Name

The technical mechanism is identical. Visa coined CVV (Card Verification Value) first, in the mid-1990s. When Mastercard rolled out their equivalent system, they used CVC (Card Verification Code) instead so they weren't licensing or borrowing a competitor's terminology. Same length, same location, same cryptographic generation method, same PCI storage rules.

CV2 — The UK Banking Shorthand

CV2 is informal British banking shorthand for the same three-digit code. It's not an official network-defined term, but you'll see it everywhere on UK card statements, banking apps, and merchant payment forms. The "2" comes from the CVV2/CVC2 convention (distinguishing the printed code from the magnetic stripe version), and dropping the middle letter just made it punchier. Lloyds, Halifax, NatWest, RBS, and Barclays all use CV2 in at least some places. It refers to exactly the same three digits as CVV2 or CVC2.

CCV — The Typo That Stuck

CCV is widely thought to be a typo of CVC that got into early online checkout templates and never got cleaned up. Some sources will tell you it stands for "Credit Card Verification" or "Card Code Verification" — these are retrofitted explanations rather than official network terminology. You'll see CCV most often on US-built ecommerce platforms. If you see it, it means the three digits on the back of your card. Type them in.

CID — Amex's and Discover's Term

American Express puts theirs on the front of the card, above and to the right of the long card number, and it's four digits not three. Discover uses CID too but keeps it on the back at three digits like everyone else. The four-digit Amex code is a quirk of how their card numbering was set up decades ago — it gives them a slightly larger numeric space, which suits them because Amex has fewer cards in circulation than Visa or Mastercard.

CSC — The Generic Catch-All

CSC stands for Card Security Code. It's the generic term you'll see on payment forms that want to cover every brand without naming any of them. If a form labels its field "CSC," it just means whatever the three or four digits are on your card.

Bottom line: if any of the acronyms confuse you, look at the three digits on the back of the card (or four on the front for Amex). That's the answer for all of them. The terminology is mostly branding.

A person holds a blue credit card with a gold chip above a white keyboard on a wooden desk.

The Surprising UK Origins of the Security Code#

It's easy to think of that little number on the back of your card as a modern security feature, born from the internet age. Its story actually begins much earlier, in an era of mail-order catalogues and landline phone calls. The concept was invented right here in the UK, and it solved a problem that's still a huge challenge for businesses today: how to safely take a payment when you can't see the customer or their card.

Back in 1995, a man named Michael Stone, who worked for Equifax, came up with the idea. He created it specifically to secure transactions for mail-order companies and telephone sales — the original "card-not-present" fraud hotspots. His first version wasn't the simple three or four digits we see today. It was a much more complex 11-character alphanumeric code.

From Complex Code to Simple Standard

The first real-world test of this new security system involved Littlewoods Home Shopping and NatWest Bank. The trial was a success, and it didn't take long for the UK's payment authority, the Association for Payment Clearing Services (APACS), to see its potential for stopping the rising tide of fraud. APACS took the core idea and simplified it, creating the three-digit credit card security code standard that became the global norm.

This backstory is more than trivia. It shows that the security code was never an afterthought — it was purpose-built from day one to solve a single, critical problem: proving that the person making a remote purchase actually has the physical card in their hands. That simple principle is still its greatest strength.

When you understand where it came from, you see the security code for what it is — not just a random number, but a clever defence mechanism born out of necessity. The challenges of taking secure payments over the phone in the 90s directly paved the way for protecting the billions of online and contact centre transactions we see every day.

How Your Card Issuer Generates a CVC#

The CVC on your card isn't random. It's a cryptographic value the card issuer calculates using:

  • Your primary account number (PAN) — the long card number.
  • The card expiry date.
  • A service code (for CVC1) or the card brand identifier (for CVC2).
  • Two secret keys held inside the issuer's hardware security module.

The issuer runs those values through a triple-DES or AES algorithm and takes the resulting digits as the CVC. That's why the code changes when your card expires and you're sent a replacement — even if the long number stays the same, the new expiry date forces a different CVC.

This is also why CVC checks at the bank are deterministic. When a merchant submits a transaction with the code typed in, the issuer's system runs the same calculation against the live card data and compares. Match means approve. Mismatch means decline. There's no "close enough." The card networks also rate-limit failed CVC attempts — usually 3 to 5 wrong tries across a short window — before locking the card to slow down brute-force attacks.

Customer entering card details on a mobile phone during a payment

How CVC Stops Online and Phone Fraud#

A laptop displaying a security shield and padlock, with a credit card on its keyboard, signifying fraud protection.

The real strength of CVC shows up when a payment is made remotely. In any situation where the cardholder isn't physically there to tap or insert their card, that little three or four-digit number becomes the most important defence against fraud the industry has.

Think of it as a digital handshake. A fraudster might buy a list of stolen card numbers and expiry dates from a data breach — sadly, this kind of information is all too common on the dark web. But without the security code, those stolen details are often completely useless for making online or phone purchases. The cleverest part of the design is that the code is deliberately kept off the magnetic stripe and the EMV chip. Even if a criminal manages to "skim" your card data from a dodgy payment terminal, they still can't generate the printed CVC. That's by design, and it's the bit that makes the whole system work.

This distinction becomes vital in what the industry calls "card-not-present" (CNP) transactions. Whenever you aren't physically tapping your card or inserting its chip, the risk of fraud shoots up. That tiny security code is what bridges the trust gap.

CVC and UK Law: PCI DSS v4.0.1#

The card security code has a specific status under PCI DSS, the global standard every business taking card payments has to follow. PCI DSS v4.0.1 (the current version since March 2024) calls the CVC sensitive authentication data (SAD), and the rules around it are absolute.

You Can Use It. You Can't Store It.

Requirement 3.3.1 of PCI DSS v4.0.1 says SAD — which includes the full CVC, the magnetic stripe data, and PIN blocks — must not be retained after authorisation. "After authorisation" means the moment the issuer responds to the transaction. Once that response comes back, the CVC has to be gone. Not encrypted. Not hashed. Gone.

This applies whether you store data on:

  • A CRM record
  • A spreadsheet
  • A call recording
  • A screen recording
  • A chat transcript
  • A paper notepad on an agent's desk

Every one of those counts as storage. Every one of them is in scope for an audit. And every one of them is where contact centres trip up.

Why This Matters for Phone Payments Specifically

If a customer reads their CVC out loud on a phone call, and that call is recorded for quality or training purposes, you've just stored the code in your call recording archive. Doesn't matter if the recording sits on a vendor's encrypted bucket. Doesn't matter if nobody listens to it. It's stored. You're non-compliant.

The two ways to fix this are either to stop recording during the card-data portion of the call, or to keep the CVC from ever entering the audio stream in the first place. The first option is fragile — agents forget, software fails, recordings get archived anyway. The second option — using DTMF masking so the customer types their card number on the keypad rather than reading it aloud — keeps the CVC out of the call entirely. There's nothing to record because nothing was ever spoken.

That's why every Paytia call uses channel separation: the customer's audio is muted during card entry, the digits travel via a separate secure channel to the payment processor, and the agent stays on the call but never sees or hears the data.

Comparing options? Book a 15-minute demo — we'll show you a live capture and quote a real number for your call volume.

Why Contact Centres Get CVC Wrong (And What to Do)#

We talk to contact centre managers most weeks, and the same patterns come up. Here are the three most common CVC mistakes we see.

Mistake 1: Pause-and-Resume Recording

The agent presses a button to pause the recording while the customer reads out their card details, then unpauses afterwards. On paper this works. In reality, agents forget, the pause-resume software glitches, and call review samples turn up CVCs in the audio months later. UK Finance and the PCI Council have both flagged pause-and-resume as a known weakness — it's an organisational control, not a technical one, and humans break it.

Mistake 2: "We Only Store the Last Digit"

This is fine for the long card number — masking the PAN to first six and last four is allowed under PCI DSS. But the CVC doesn't get the same treatment. You can't store any part of it after authorisation. Full stop. We've seen CRMs where someone built a "CVC last digit" field thinking it was a useful fraud signal. It's not allowed under any reading of the standard.

Mistake 3: Asking the Agent to Type It In

Some teams have customers read out the CVC and the agent types it into a payment form. The agent doesn't "store" it — they just type and click submit. But the agent has now seen the CVC, the screen has displayed it, screen-recording software has captured it, and the workstation is in PCI scope. Take that workstation out of scope (which is what our secure telephone payments service does) and the whole problem disappears.

CVC Around the World — Same Code, Different Rules#

UK

UK Finance reports CNP fraud was around £363 million in 2024, the largest single category of card fraud losses. The FCA expects firms taking phone payments to meet PCI DSS as a baseline, and the ICO will treat a CVC leak via a recorded call as a personal data breach. If you suffer one, you've got 72 hours to report it.

EU

PSD2 strong customer authentication (SCA) applies on top of PCI for most CNP transactions. CVC alone is not SCA-compliant — you need two factors out of knowledge, possession, and inherence. CVC counts as knowledge. A 3-D Secure prompt on the cardholder's phone covers possession. Together they meet SCA. Just asking for a CVC does not.

US

No federal equivalent of GDPR for card data, but PCI DSS still applies via the card network contracts, and the FTC will treat a CVC leak as a Section 5 deceptive-practices issue if you'd told customers their data was secure. State laws (California's CCPA, New York's SHIELD Act, others) add their own breach-notification requirements.

Australia

The OAIC treats card data as sensitive personal information under the Privacy Act 1988, and the Notifiable Data Breaches scheme means a CVC leak from a recorded call is reportable within 30 days. PCI DSS applies via the same network rules as everywhere else.

What Counts As "CVC In the Recording" — Edge Cases#

This question comes up a lot. Below are the trickier scenarios and how we think about them.

Customer Reads CVC Before You Can Mute

If the customer blurts it out before the agent triggers card entry, it's in the recording. Treat it as a SAD breach: delete the affected portion of the recording, document the incident, retrain the agent. The fix is to script around it — agents shouldn't ask for the card details directly, they should hand control to the secure entry flow first.

CVC Is Spoken But the Recording Is Encrypted

Encryption doesn't help. PCI DSS v4.0.1 explicitly says SAD can't be stored after authorisation "even if encrypted." The whole point is that there's no recoverable form of the data anywhere.

The Customer Says It on a Chatbot or Webchat

Chat transcripts are storage. If a customer types their CVC into a webchat and the transcript saves anywhere — vendor logs, your CRM, agent's clipboard — you've stored SAD. The cleanest answer: route card capture out of the chat to a secure payment link sent by SMS or email, and never let the digits hit the chat thread.

The Customer Says It on a Voicemail

Voicemails are recordings. Same rules. If your IVR menu encourages customers to leave payment details on voicemail, you've got a compliance problem regardless of how secure the voicemail server is.

You're Quoted the CVC But Don't Use It

Doesn't matter. The moment the CVC exists in your recording, transcript, or notes, you're storing SAD. Use it or not, retention is the trigger.

CVC In the Age of Tokenisation and Digital Wallets#

Apple Pay, Google Pay, and most mobile wallets don't transmit your real card number or CVC at all. They generate a device-specific token tied to a one-time cryptogram, and that's what flows to the merchant. Visa calls their version VTS (Visa Token Service). Mastercard calls theirs MDES. Amex has the same.

From the merchant's side, this is great news: there's no CVC to handle because there's no CVC to begin with. Tokenised transactions sit largely outside PCI scope for the relevant data because the data isn't card data anymore — it's network-issued cryptographic material.

Where does that leave the CVC? Still very relevant for typed-in card numbers on web checkouts, MOTO (mail-order/telephone-order) transactions, and any payment scenario where someone is reading or typing the long card number from a physical card. That covers a lot of contact centres, hotels, utilities, charities, councils, professional services, and any business where the customer rings up to pay.

Building a Process That Never Touches CVC#

Here's the model we recommend to every contact centre we work with:

  1. Agent owns the conversation, never the card. The agent stays on the line, helps the customer, answers questions. They never see, hear, or type the CVC.
  2. Customer enters digits directly on their phone keypad. The audio between agent and customer is muted during the digits-entry window. DTMF tones are intercepted and replaced with flat tones the agent hears, so the agent knows entry is in progress but the digits themselves are unrecoverable.
  3. Digits go straight to the acquirer. The card number and CVC travel from the customer's phone, through our PCI DSS Level 1 environment, to the payment processor. They don't pass through your network, your CRM, your call recorder, or your agent's screen.
  4. Agent gets a result, not the data. The acquirer responds with an authorisation code or a decline. The agent sees that result. They never see the card data.
  5. Nothing of the CVC exists afterwards. No call recording contains it (it wasn't spoken). No CRM record contains it (it didn't pass through). No screen recording contains it (it wasn't displayed). The control is technical, not procedural.

That's what we sell. It's not magic — it's a sensible reading of what PCI DSS v4.0.1 actually requires, applied to the place most contact centres get it wrong. Our contact centre customers tell us the bigger benefit is that their agents stop dreading card calls. The compliance bit is a bonus.

Quick Answers — CVC and CVV FAQ#

What is CVC on a card?

CVC stands for Card Verification Code. It's the three-digit number printed in the signature strip on the back of your card. You use it to prove you've got the physical card during online or telephone purchases. Mastercard calls it CVC; Visa calls the same thing CVV; some UK banks call it CV2 or CCV. All four mean the same three digits.

Is CVC the same as CVV?

Yes. CVC is Mastercard's name for it; CVV is Visa's name for the same thing. Same length (three digits), same location (back of the card, in the signature strip), same job, same PCI rules. If a form asks for one but your card shows the other, type in the three digits on the back either way.

Where is the CVC on a credit card?

On Mastercard, Visa, Discover, JCB, and UnionPay credit cards, the CVC is the three digits in or just after the signature strip on the back of the card. On American Express it's a four-digit CID printed above the long card number on the front. On metal or virtual-only cards from challenger banks like Revolut, Monzo, and Apple Card, you'll find the code inside the issuer's mobile app rather than on the card itself.

What does CVC mean on a debit card?

The same thing it means on a credit card: a three-digit verification code used for online and telephone purchases. Mastercard debit cards label it CVC; Visa Debit cards label it CVV; Lloyds, Halifax, NatWest, and TSB statements often call it CV2. Same three digits on the back, same purpose — proving you've got the physical card when you can't physically present it.

What is CV2 and is it different from CVC?

CV2 is informal UK banking shorthand for the same three-digit code as CVC or CVV. It's the term you'll see most often on Lloyds, Halifax, NatWest, RBS, and Barclays apps and statements. It refers to the printed code on the back of the card — the same digits Mastercard calls CVC and Visa calls CVV. Not a different code, just a different label.

What does CCV mean and where do I find it?

CCV is widely thought to have started as a typo of CVC that got into some online checkout templates and stuck. You'll most often see it on US-built ecommerce platforms. It refers to the same three digits on the back of the card as CVC, CVV, CV2, and CSC. If a form asks for your CCV, type in the three digits on the back of your card.

Why do I need a CVC for online shopping but not in a shop?

In a shop, you tap, insert, or swipe the physical card. The card itself proves you've got it. The chip's cryptographic key handshake (or the contactless equivalent) authorises the transaction. Online or by phone, you can't tap or insert anything, so the CVC stands in as proof you're holding the card — the printed digits aren't readable from a magnetic stripe or chip, so a fraudster with stolen card data alone won't have them.

Can a merchant store my CVC?

No. PCI DSS v4.0.1 requirement 3.3.1 prohibits storing the CVC after authorisation — even if encrypted. If a merchant asks you to email or text your CVC, or stores it on file for future purchases, they're breaking PCI rules. Reputable card-on-file flows store the long card number (sometimes tokenised) but never the CVC.

What's the difference between CVC and CVC2?

CVC2 is the printed three-digit code on the signature strip — the one you read out or type in. CVC1 was an older equivalent encoded invisibly on the magnetic stripe, used automatically when you swiped your card. You've never seen CVC1 or had to type it. When people say "CVC" in 2026, they almost always mean CVC2 — the printed version.

What does CID mean on an Amex card?

Card Identification Number. Same idea as CVC, but Amex puts theirs on the front of the card (above the card number, on the right) and uses four digits instead of three. Discover also uses CID but keeps it on the back at three digits.

Why is the Amex CID four digits?

Quirk of Amex's older system design. They use a four-digit code on the front, giving slightly more numeric space. It doesn't make Amex cards more or less secure than the three-digit codes on Visa or Mastercard — the security comes from the code's secrecy, not its length.

Can a CVC be guessed?

In theory yes — three digits gives 1,000 combinations. In practice, card networks lock the account after a small number of failed CVC attempts (usually 3-5 across a short window), so brute-force guessing isn't viable. The CVC's strength is in its secrecy combined with attempt limits, not its length.

What happens if I type my CVC wrong?

The transaction declines. Most merchants will let you re-enter. After a few wrong attempts the issuer may flag the card for fraud review, and you might need to call your bank to reset things. Genuine mistakes happen — the system is designed to assume the cardholder is human.

Does a virtual card have a CVC?

Yes. Virtual cards from Revolut, Wise, Apple Card, and most challenger banks have a CVC that works exactly the same way. Some virtual cards rotate the CVC periodically for extra security — useful if you've used the card on a site you don't fully trust.

Does my CVC change when I get a new card?

Yes. The CVC is calculated from your card number, expiry date, and the issuer's secret keys. When your expiry date changes (which it does on every replacement), the CVC calculation produces a different result. That's why old CVCs stop working even if the long card number stays the same.

What's the difference between a CVC and a PIN?

Your PIN authorises in-person transactions where you insert or tap the card. Your CVC authorises card-not-present transactions where you can't tap or insert. PINs are entered into card readers; CVCs are entered into web forms or read out over the phone. You shouldn't share either over email, text, or any channel where it gets stored.

Is the CVC the same as a one-time passcode (OTP)?

No. The CVC is a static value printed on your card — it stays the same for the life of the card. An OTP is a single-use code your bank texts you (or generates in an app) for a specific transaction. Many secure checkouts ask for both: CVC to prove you've got the card, OTP to prove you've got your phone.

Is giving my CVC over the phone safe?

Only if the merchant uses a system that keeps the CVC out of the call recording, the agent's screen, and the merchant's network — like DTMF masking. If you can hear yourself being recorded reading out the CVC, that recording is now non-compliant, and that's not safe for either of you.

The Paytia solution

If you're reading this, the Paytia solution that solves it is dtmf masking.

DTMF masking

Suppress card tones so card numbers never reach your recordings, agents, or CRMs.

Related Articles

Card Not Present (CNP) Explained: Risks and How to ReduceGuide
Payment Security

Card Not Present (CNP) Explained: Risks and How to Reduce

Learn how card not present (CNP) transactions work, the fraud risks they carry, and the practical steps you can take to secure your business and stay compliant.

Read more →
Is AI Safe for Payment Fraud Detection?
Payment Security

Is AI Safe for Payment Fraud Detection?

AI is changing how secure payment services work — from spotting fraud in real time to protecting card data before it reaches any system that could expose it.

Read more →
Are Payment Links Safe? Complete UK Guide for 2026
Payment Security

Are Payment Links Safe? Complete UK Guide for 2026

Payment links are convenient, but plenty of people wonder whether they're actually safe to use.

Read more →

Ready to take secure payments?

Book a demo with our team. We'll show you DTMF masking live, talk through PCI DSS scope reduction, and put together pricing based on your call volume.

PCI DSS Level 1
Cyber Essentials Plus
Book a demoContact us

Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia