What is a CVV number?

We’ll explain what a CVV number is, how it works, when you should ask for it in an online transaction – and what you should do with the CVV when you’re done.

Link to the author's page
November 13, 2023
Link to the author's page
What is a CVV number?

As a customer, you’ll be aware of the three-digit code on the back of your Visa debit card (or the four-digit one on the front of your American Express), even if you didn’t know what it was called. Well, this number has a name – CVV (Card Verification Value).

And, as it turns out, it benefits not only customers – but merchants, too.

CVV checks can help your business detect and prevent payment fraud, avoid chargebacks, and remain compliant with the payment industry’s strict data handling standards. But how?

Read on to find out. We’ll explain what a CVV number is, how it works, when you should ask for it in an online transaction – and what you should do with the CVV when you’re done.

What does CVV mean?

CVV stands for Card Verification Value. It’s a security feature that allows you to authenticate credit and debit card transactions you accept online, over the phone, or via mail order.

Because every CVV is unique to each customer’s card and account holder, CVV checks are an excellent way of verifying the legitimacy of a debit or credit card transaction. Essentially, CVV checks tell you that the customer actually has access to the card they’re using to make a purchase from your business – and that they’re not using stolen debit or credit card data.

There are different types of CVV, which include:

  • CVV1: this is encoded on the magnetic stripe of the card your customer swipes when they make a payment in-store, from your point of sale (POS) terminal.
  • CVV2: this is the three-digit number printed on the back of the customer’s card – usually in the signature panel. They’ll use this when making online or phone-based purchases from your business, where neither the customer – or their card – are physically present. (These are called card-not-present, or CNP, transactions.)
  • CVC2: this refers to Card Validation Code 2, and is simply another term for CVV2 that Mastercard uses. (As we’ll see, different card schemes – such as Visa, Discover, American Express, and Mastercard – have similar, but varying, CVV approaches.)
  • CID: this stands for Card Identification Number, and it’s the four-digit code you’ll see on the front of an American Express card. (It's printed just above the card number.) In an online transaction, it serves the exact same purpose as the CVV2 or CVC2.

The acronym CVV is also Discover’s version of CVV2 – the code on the back of the card, not the one encoded into the magstripe – and is not to be confused with CVV1. (Confusing, we know!) 

For a handy, at-a-glance guide to the different acronyms each card scheme uses, see below:

  • CVV2 is used by Visa
  • CVC2 is used by Mastercard
  • CID is used by American Express
  • CVV is used by Discover

How does CVV work?

CVV is a key aspect of credit card processing – here’s how it works in a typical online transaction.

  1. Your customer selects the products or services they want to purchase from your online store, and – after navigating to your checkout page – provides their card’s CVV code, along with their card and personal details.
  2. This code is then sent, via your payment processor, to the card issuer (be it Visa, Mastercard, Discover, or American Express).
  3. The card issuer will check the CVV code provided by the customer against its records. If there’s a match, this is relayed back to you – again by the payment processor – and, providing all the other security measures check out, the payment gets the green light.
  4. At this stage, you’ll receive a CVV response code. These are letter values that correspond to an outcome of the CVV check. With Checkout.com, for example, ‘Y’ indicates that the CVV matched, and the transaction is good to go. A response code of ‘D’, however, denotes that the CVV didn’t match, while ‘U’ informs you that the issuer does not support CVV. (Before you begin accepting credit and debit card payments, you can also simulate the outcome of a CVV check to ensure your integration is working.)

Why do credit cards have a CVV code?

Credit and debit cards contain CVV codes for a range of reasons, which include:

  • An extra layer of security: even if a fraudster gains access to your credit card number and details about your identity, they still won’t have your card’s CVV. By running a CVV check, then, you help establish that the person attempting to make the payment is the legitimate cardholder – and not someone who’s illegally obtained the card details.
  • A first defense against fraud: because the CVV isn’t embossed on the card or stored in the card’s magstripe, thieves can’t easily gain access to it by ‘skimming’ devices like ATMs; this adds another level of complexity for fraudsters attempting to use stolen credit cards. What’s more, unusual CVV patterns (such as multiple attempted transactions with the wrong CVV code) can raise red flags: triggering fraud detection systems and helping stop unauthorized transactions before they slip through the net.
  • A more confident customer base: verifying your online transactions with CVV demonstrates your commitment to the integrity of their card details; and that you’re putting the processes in place to safeguard their most sensitive data while they buy.

How does a CVV help merchants avoid fraud?

A CVV’s main role is to check whether the person attempting to make a purchase is authorized to use the card they’re attempting to do so with.

This way, a CVV check helps avoid fraudsters using stolen debit or credit card details – which they may have purchased from hackers on the Dark Web, who in turn obtained them through a data breach or targeted attack – from transacting with your business. Even if a hacker has gained access to a cardholder’s card number and personal details (including your name and billing address), they’ll still struggle to use that card to transact without a CVV.

By doing this, CVV numbers help you prevent several different types of payment fraud (especially card-not-present fraud). To learn more about how to detect and prevent fraud, our comprehensive guide offers everything you need to know.

When should you ask for the CVV?

You should ask for the CVV when processing card-not-present transactions: so, those you accept over the phone or online (be that through your website or mobile app).

Do this at the checkout stage, at the same time you ask for the customer’s personal information and other credit or debit data. This will help minimize any potential friction. For phone orders, you can verbally request the CVV from your customer, before entering it directly into your virtual terminal. (If you write it down anywhere for security, be sure to securely destroy the piece of paper as soon as the transaction is complete – we’ll explain why shortly)

If you offer a subscription- or membership-based service that processes recurring payments, you should request a CVV check every time you process a new payment. Used in combination with a real-time account updater, this will help confirm the continued validity of your returning customers’ cards, and drive down the likelihood – and risks – of unauthorized charges.

CVV and chargebacks

Running diligent CVV checks can help your business avoid the financial and reputational losses that chargebacks – and, worse, chargeback fraud – cause.

Chargebacks happen when your customer, having made and received an order from your business, disputes the transaction with your bank. Sometimes, this can be ‘friendly’ fraud – where the customer, perusing their bank statement, simply doesn’t recognize or remember the purchase. It can also be a purposeful (and fraudulent) attempt to claim free goods or services by claiming they didn’t arrive, or that they did so in a faulty or misleading condition.

In those cases, CVV checks can’t help you, because it’s the legitimate cardholder responsible for the chargeback. However, CVV checks can help you avoid chargebacks that result from unauthorized transactions. These happen when a fraudster illegally obtains a cardholder’s details, and uses them to make a purchase from your site.

Discovering the fraud, the legitimate card owner raises an equally legitimate dispute – which, when the bank rules in their favor, will leave you out of pocket for the inventory and the purchase amount, plus a chargeback fee on top.

By confirming that the cardholder is actually in possession of the card, CVV checks can protect you from chargebacks that happen as a result of cardholder theft. Which, while not the whole battle, is at least one potent part of a complete payment fraud detection arsenal.

What should you do with the CVV after a transaction?

After a transaction is complete, you should delete your customer’s CVV information.

Under no circumstances should you hang on to CVV data – whether electronically, in paper format, or in any other logs, databases, or storage systems.

Keeping hold of CVV data isn’t permitted by the major card schemes, and doing so will cause you to run afoul of PCI DSS (Payment Card Industry Data Security Standard) regulations. These govern how merchants handle all the sensitive cardholder information bundled up in a transaction – and that includes not holding onto it once that transaction is complete.

Every single merchant processing debit and credit cards must be PCI compliant. What level of PCI compliance you must obtain depends on the extent of the involvement you have with customer data. If you use a payment processor such as Checkout.com, for instance – which has Level 1 PCI compliance, the highest possible – we’ll generally handle that for you.

This simplifies your PCI duties (which involve filling out often lengthy self-assessment questionnaires, or SAQs). And means there’s less chance of you inadvertently retaining CVV information after a transaction, thus risking fines – and the big reputational hits that come with.

How Checkout.com can help you with credit card processing

CVV numbers are an integral part of accepting debit and credit cards at your business – and doing so in a way that minimizes fraud’s impact on you, and your customer.

However, CVV is just one part of a credit card processing strategy that needs to be optimized to your business’s unique needs and circumstances. This includes accepting a wide range of payment methods – including local and alternative ways to pay – and being able to do so online and via mail order/telephone order (MOTO).

You’ll also need to consider CVV alongside other fraud prevention tools – such as Address Verification Service (AVS), 3D Secure, and biometric verification – and how strategies like payment tokenization and machine learning can keep you one step ahead of the fraudsters.

Fortunately, these are all areas Checkout.com can help you in. Our Fraud Detection solution combines dynamic, AI-driven tools to boost authorization rates and reduce false declines, while constantly learning, improving, and drawing on the latest data to safeguard your business.

What’s more, we can process your transactions in over 150 currencies: helping you drive down cart abandonment rate by letting your customers pay the way they want to.

This barely scratches the surface, though. To dive deeper, get in touch with our team of payment experts today to learn more, and for a friendly, no-obligation conversation about CVV, fraud prevention – and the wealth of benefits Checkout.com can offer your business.

Stay up-to-date

Get Checkout.com news in your inbox.

Back to top button
November 13, 2023 22:23
November 13, 2023 22:23