CVV Definition & Examples

Last reviewed: June 14, 2026Sources reviewed: Payment Card Industry Data Security Standard (PCI DSS), Visa Security Features

Quick Facts About CVV

Key Takeaways About CVV

CVV is a 3- or 4-digit code printed on the card, not stored in the magnetic stripe or chip.
It is required for card-not-present transactions like online or phone purchases.
CVV helps merchants verify the customer has the physical card, reducing fraud risk.
Merchants must never store CVV after transaction authorization to comply with PCI DSS.
Different card brands use different names (CVV, CVC, CSC) but serve the same purpose.

Understanding CVV

CVV. Or Card Verification Value, is a security feature designed to protect credit and debit card transactions from fraud. Unlike the card number or expiration date, which can be stored or transmitted during transactions, the CVV is a dynamic code that's not embedded in the magnetic stripe or EMV chip. This makes it harder for fraudsters to use stolen card details for online or phone purchases, where the physical card is not present. The code is typically printed on the back of Visa, Mastercard. And find cards (three digits) or the front of American Express cards (four digits).

Related glossary terms: Card Not Present Transaction, PCI Compliance, Payment Processor.

CVV serves as an additional layer of authentication, ensuring that the person initiating the transaction has access to the physical card. While it doesn't guarantee absolute security, it significantly reduces the risk of unauthorized transactions, particularly in e-commerce or mail-order/telephone-order (MOTO) scenarios. For merchants, requiring CVV during checkout can lower the likelihood of chargebacks due to fraud, as it provides evidence that the customer had the card in hand at the time of purchase.

How CVV Works?

When a customer enters their CVV during an online or phone transaction, the merchant’s payment processor sends the code to the card issuer for verification. The issuer checks the CVV against the code stored in its secure database and either approves or declines the transaction based on the match. This process happens in real time, adding only a few seconds to the checkout experience. Importantly, the CVV is not stored in the merchant’s systems after the transaction is completed, as PCI DSS (Payment Card Industry Data Security Standard) prohibits merchants from retaining this data.

The CVV’s effectiveness lies in its separation from other card data. Since the code is not encoded in the magnetic stripe or chip, it can't be skimmed or copied during in-person transactions. This makes it particularly valuable for card-not-present transactions, where fraud rates are higher. But CVV is not foolproof—if a fraudster gains access to the physical card or a photograph of it, they can still use the CVV. For this reason, CVV is often used alongside other fraud prevention tools, such as address verification (AVS) or two-factor authentication.

Why CVV Matters?

For merchants, requiring CVV during transactions can reduce fraud-related losses and chargebacks. Chargebacks occur when a customer disputes a transaction, often due to fraud. And the merchant is forced to refund the payment. By verifying the CVV, merchants can demonstrate that they took reasonable steps to confirm the cardholder’s identity, which can help in disputing fraudulent chargebacks. And some payment processors offer lower interchange fees for transactions that include CVV verification, as these transactions are considered lower risk.

For consumers, CVV provides an added layer of security, particularly for online shopping. While it does not prevent all forms of fraud, it makes it harder for criminals to use stolen card numbers without access to the physical card. Consumers should treat their CVV with the same care as their card number, avoiding sharing it unnecessarily or storing it in unsecured locations, such as emails or digital notes.

When CVV Matters Most?

CVV is most critical in card-not-present transactions, where the merchant cannot physically inspect the card. This includes online purchases, phone orders. And mail-order transactions. In these scenarios, merchants are at higher risk of fraud, as criminals can use stolen card details without needing the physical card. Requiring CVV during checkout can deter fraudsters, as they're less likely to have access to the code. But CVV is not required for card-present transactions, such as in-store purchases, where the card is swiped, dipped. Or tapped at a terminal.

Merchants must also be aware of PCI DSS requirements regarding CVV. The standard prohibits merchants from storing CVV after a transaction is authorized, even if the data is encrypted. This rule is designed to cut down on the risk of CVV data being stolen in a breach. Merchants who fail to comply with this requirement may face fines or lose their ability to process credit card payments. And some industries, such as travel or subscription services, may have specific rules about when CVV can be collected or used for recurring payments.

How to Evaluate CVV?

Check if the CVV is required during checkout for online or phone transactions.
Verify that the merchant’s payment processor does not store CVV after authorization.
Ensure the CVV matches the card brand’s format (3 digits for Visa/Mastercard/Discover, 4 digits for American Express).
Confirm that CVV is used alongside other fraud prevention tools, such as AVS or two-factor authentication.
Review PCI DSS compliance to ensure CVV is not stored in databases, logs. Or receipts.

Related Concepts Compared

CVV vs. PIN (Personal Identification Number)

A PIN is a numeric code used for in-person transactions at ATMs or point-of-sale terminals. While CVV is a security code used for card-not-present transactions like online purchases.

CVV vs. AVS (Address Verification Service)

AVS verifies the cardholder’s billing address. While CVV verifies the physical card’s security code. Both are used to reduce fraud but serve different purposes.

CVV vs. EMV Chip

An EMV chip generates a unique transaction code for in-person purchases. While CVV is a static code printed on the card for online or phone transactions.

Expert Note

While CVV is a valuable fraud prevention tool, it is not a silver bullet. Merchants should combine CVV verification with other security measures, such as AVS, tokenization. And fraud detection algorithms, to create a layered defense against unauthorized transactions.

Common Mistakes or Myths About CVV

Storing CVV after a transaction is authorized, which violates PCI DSS requirements.
Assuming CVV is required for all transactions, including in-person purchases.
Confusing CVV with the card’s PIN or magnetic stripe data.
Using CVV as the sole fraud prevention measure without additional tools like AVS or tokenization.

CVV in Practice: A Real-World Example

A customer purchases a laptop online and enters their card number, expiration date. And CVV during checkout. The merchant’s payment processor sends the CVV to the card issuer, which verifies the code before approving the transaction. The merchant does not store the CVV, complying with PCI DSS requirements.

Sources & Further Reading on CVV

Payment Card Industry Data Security Standard (PCI DSS)
Visa Security Features
Mastercard Security Codes
American Express Card Identification Number (CID)

Related Terms

Card Not Present Transaction

Card Not Present Transaction is a payment processed without the physical card being swiped, dipped. Or tapped at a terminal. These transactions occur online, over the phone, via mail order. Or through recurring billing, where the merchant can't verify the cardholder’s identity in person. They carry higher risk and often incur additional fees due to increased fraud potential.

PCI Compliance

PCI Compliance is adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements designed to protect cardholder data during credit and debit card transactions. PCI Compliance applies to any organization that accepts, processes, stores. Or transmits payment card information, ensuring consistent security measures to prevent data breaches and fraud.

Payment Processor

Payment Processor is a financial technology company or service that acts as an intermediary between merchants, card networks. And banks to authorize, clear. And settle credit and debit card transactions. Payment Processors handle the technical and financial workflows required to transfer funds from a customer’s issuing bank to a merchant’s acquiring bank, ensuring transactions are secure, compliant. And completed in real time or near real time.

Tokenization

Tokenization is a data security process that replaces sensitive information, such as credit card numbers, with unique identification symbols called tokens. These tokens retain essential data without exposing actual details, reducing the risk of fraud or data breaches during transactions. Tokenization is widely used in payment processing to comply with security standards like PCI DSS while maintaining transaction functionality.

Questions About CVV

Is CVV the same as the card’s PIN?

No, CVV is a security code printed on the card for online or phone transactions. While a PIN is a numeric code used for in-person transactions at ATMs or point-of-sale terminals.

Can merchants store CVV after a transaction?

No, PCI DSS prohibits merchants from storing CVV after a transaction is authorized. Storing CVV can result in fines or loss of payment processing privileges.

Why is CVV required for online purchases but not in-store transactions?

CVV verifies the physical card’s presence, which is harder to confirm in online purchases.

CreditCardProcessing-SanDiego.com

Have Questions About CVV?

Contact CreditCardProcessing-SanDiego.com for practical guidance on CVV and related credit card processing work in San Diego.

Contact Our Experts

What is CVV?