Credit card numbers can be easily stolen by hackers. That’s why, in addition to providing your account number when you make an online or telephone purchase, you’ll also be asked to provide a three- or four-digit verification code known as a CVV number. Let’s take a look at how CVV numbers function as a security feature and why it’s important to protect these sensitive bits of code.
What is a CVV on a debit card and credit card?
CVV is an abbreviation for Card Verification Value — sometimes also called CVC (Card Verification Code). It is a three-digit or four-digit code that is printed near the signature strip on the back of your credit or debit card.
The best credit cards have CVV numbers printed on them. Why? Because you can’t make an online purchase with a card that doesn’t have one. CVV codes are used as an additional security measure to help prevent fraud. When you make an online or telephone purchase, you will be asked to provide your card’s CVV number, along with your credit card account number and expiration date. Merchants ask for this information to make sure that the card is being used by an authorized cardholder. CVV codes are not required when you are making in-person transactions.
A CVV code is not the same as a Personal Identification Number (PIN), which you choose yourself. Creditors come up with CVV codes using a complex algorithm. They’re not meant to be shared except with the merchants you do business with and you can’t change them at will.
How are CVV numbers generated?
You might think that CVV numbers are chosen at random. But that’s not the case. Banks generate them using several pieces of information: the account number on your credit or debit card, its four-digit expiration date, a pair of encryption keys and a three-digit service code. All of these bits of information are then run through a secret algorithm.
The role of CVV codes in online transactions
CVV codes serve a number of purposes when you make a purchase online or by telephone, all of which add up to better protection against fraud. Here are four of the most important:
1. Protecting against card-not-present fraud
Card-not-present transactions are any purchases made when a physical card is not presented at the point of sale. This is the only type of payment online merchants can accept, but they are inherently riskier than card-present transactions. Requesting a CVV number is part of the user authentication process for most online purchases, as it helps online merchants ensure that a customer is in physical possession of the card they are using.
2. Adding an extra layer of security
Data breaches are common. Among the information that can be stolen when one occurs is the debit card or card number a customer used to make previous purchases. In order to save your credit card number and other personally identifiable information (PII) legally, merchants must adhere to rigorous standards set out by the Payment Card Industry Security Standards Council (PCI SSC), an organization founded in 2006 by five major credit companies: Visa, MasterCard, American Express, Discover and JCB.
It’s very likely that a merchant will save your account number when you make a purchase — that represents a convenience to returning customers who don’t care to enter their account numbers repeatedly for multiple purchases. But that convenience comes with some risk.
By contrast, merchants are not permitted to save CVV numbers, except under a narrow range of circumstances. For example, if you sign up for a subscription, storing your CVV number allows merchants to bill you for products or services you order repeatedly. If you have your dog food delivered by Chewy every month, Chewy will save your credit or debit card CVV number. The same goes for other services that are billed monthly, like identity theft protection and meal subscription services.
When merchants store CVV numbers, they are required to encrypt them and make sure that only authorized personnel have access to them.
3. Merchant verification
The credit card purchase process involves several steps. Before processing a transaction, merchants will typically verify that funds are available in the account you wish to use to make your purchase. CVV codes are stored briefly during that process. Here’s how verification works:
- The merchant collects a customer’s card information: the account number, the expiration date and the CVV number.
- The merchant transmits this data to the credit card issuer.
- The credit card issuer checks to see if the card has been reported lost or stolen.
- The credit card issuer or bank confirms that there are sufficient funds in the cardholder’s account (in the case of debit cards) or that the cardholder has not exceeded his or her credit limit (in the case of credit cards).
- The credit card issuer sends a thumbs up or thumbs down on the transaction to the merchant.
- The merchant completes the purchase only if all security and payment standards are met.
4. Compliance with payment industry standards
Due to the risks of using credit cards, merchants are required to meet certain standards when it comes to protecting your data. These are known as PCI DSS, which stands for Payment Card Industry Data Security Standards. These standards are set out by the Payment Card Industry Security Standards Council. Merchants that don’t comply with PCI data security standards are subject to penalties of $5,000 to $10,000 per month.
The location of CVV numbers on debit and credit cards
CVV numbers are almost always placed on the back of your credit or debit card, near the signature panel. That’s a security measure. Just in case someone is able to capture the information on the front of your card — think of some thief standing behind you in a department store checkout line — they won’t have access to the vital piece of information that would allow them to use your card for card-not-present purchases.
CVV Codes FAQs
Where is the CVV on a Visa gift card?
How can I find my CVV number without my card?
Why is my CVV not working?
Is it safe to give the CVV number over the phone?
Is it illegal to ask for the CVV code?
You shouldn't give your CVV code to anyone unless it is strictly necessary to make a purchase. As a rule of thumb, do not share your CVV code with anyone other than authorized users on your credit card.
Summary of Money's CVV codes: what are they and why are they important
- CVV codes are three or four-digit numbers that appear on the back of credit and debit cards. They are located near the signature panel on your card.
- CVV codes are designed to prevent scammers from using your credit card to make fraudulent purchases.
- Banks use the account number on the front of your credit or debit card, its four-digit expiration date, a pair of encryption keys, a three-digit service code and a secret algorithm to generate CCV codes.
- Merchants must ask for your card’s CVV code before processing online payments.
- Merchants must comply with certain data security standards if they want to process credit card transactions or store your CVV code.
- Just like your account passwords, you should never share your CVV codes or other card details with anyone other than authorized users on your account. Be particularly aware of phishing — a technique scammers use to gain unauthorized access to your CVV and your accounts via phone or email.