The short answer
Card Verification Value (CVV) is the 3- or 4-digit security code printed on a payment card. Each brand has its own name for it: Visa calls it CVV2, Mastercard CVC2, American Express CID (Card Identification, four digits on the front), Discover CID, and JCB CAV2. All serve the same function: evidence that the person ordering has the physical card in hand during a card-not-present (CNP) transaction. Critically, PCI DSS (Requirement 3.2 in v3.2.1, Requirement 3.3.1 in v4.0) forbids merchants, processors and anyone handling cards on their behalf from retaining the code after authorization in any form: not encrypted, not hashed, not alongside a token. Only issuers, with a documented business need, may store it.
CVV1 vs. CVV2 (and the newer dCVV)
- CVV1: Encoded in the discretionary data of the magnetic stripe. The EMV chip carries its own variant, iCVV, which is deliberately different from CVV1 so that track data read from a chip cannot be written to a working counterfeit stripe. Both are checked by the issuer in card-present transactions when the stripe or chip is read, and neither is ever seen by the cardholder.
- CVV2: The 3-digit number printed on the back (Visa/Mastercard/Discover) or the 4-digit CID printed on the front (Amex). Keyed in by the cardholder in CNP transactions: e-commerce checkouts and mail-order/telephone-order (MOTO) flows.
- dCVV / dynamic CVV: A newer design in which the code changes on a schedule (display cards with an e-ink or LCD panel that show a new value roughly every hour) or is generated per transaction in a banking app. A leaked card photo or a breached database then holds a code that has already expired. Not widely deployed yet.
Why CVV reduces CNP fraud
The theory: CVV2 is not present in the magnetic stripe or chip track data, so it is not captured in the card-present breaches those channels suffer. A compromised restaurant POS or a skimmer on a fuel pump yields the PAN, the expiry and the track's CVV1, but not CVV2. A fraudster working from stolen track data therefore usually lacks the code, and a CNP checkout that requires it filters out that class of fraud.
In practice CVV2 leaks anyway: through phishing pages that ask for "the code on the back", through e-commerce breaches at merchants who were storing it in violation of PCI DSS (or who logged the raw checkout request), and through photos of cards shared carelessly. It can also be guessed: a three-digit code has only 1,000 possible values, so card testers spread their attempts across many merchants, which is why issuer-side retry limits and merchant-side velocity checks matter. CVV remains net-positive for fraud prevention, but it is not bulletproof.
What operators need to know
- You cannot store CVV. Period. Not in your database, not in application or web-server logs, not in analytics or session-replay tools, not in a crash dump. It may sit in memory while the authorization is in flight and must be gone the moment authorization completes (PCI DSS v3.2.1 Requirement 3.2; v4.0 Requirement 3.3.1). Stored CVV is one of the most common audit findings, and persistent violations can lead to fines and termination of your merchant account (MID).
- CVV mismatches should hard-decline. A CVV2 result code of N (no match) is a clear fraud signal, and issuers do not always decline on it: some approve the authorization and leave the decision to you. If your gateway returns N on an approved authorization, void (reverse) it rather than capturing it. The codes P, S and U (not processed, code should be present but was not sent, issuer unable to verify) mean the code was never checked; treat them as unverified, not as a match. Auto-declining on N closes one of the biggest fraud pathways.
- Recurring billing skips CVV. Because the code cannot be stored, it is only sent with the initial cardholder-initiated transaction, where you should capture it; later credential-on-file (COF) charges go through without it and the issuer does not expect it. This is normal, and it means the controls on that first transaction (CVV, and 3-D Secure where available) carry the risk for the whole billing relationship.
- CVV + AVS is the classic CNP fraud gate. AVS (Address Verification Service) compares the billing street number and postal code the customer typed against what the issuer has on file. Match both and approval rates go up; mismatch either and fraud risk spikes. AVS is only broadly supported for cards issued in the US, UK and Canada, so an "unavailable" AVS result on an international card is not a mismatch and should not be scored as one.
- Apple Pay and Google Pay skip CVV. A wallet payment carries a network token (DPAN) and a per-transaction cryptogram, which is stronger proof of possession than a static CVV2, so the networks treat these as higher-authentication transactions and no code is entered. Caveat: Google Pay on the web can also return a plain card number (the PAN_ONLY authentication method) with no cryptogram; those transactions should be risk-scored like any other CNP charge.
- CVV is NOT the same as PIN. The PIN is entered by the cardholder in card-present transactions and is verified either offline by the chip or online by the issuer, travelling in an encrypted PIN block produced by the terminal. No merchant system ever stores it, and PCI DSS classes the PIN and PIN block as sensitive authentication data alongside CVV2 and full track data: none of it may be kept after authorization.
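Putting the first, second and fourth points above into code: the example below is added here and is not from the original page or from any particular gateway. It shows a request scrubber that strips sensitive authentication data and truncates the PAN before a checkout payload is logged, and a decision function that turns the gateway's CVV2 and AVS result codes into approve / reverse / review / decline, including the case where the issuer approved despite a CVV2 mismatch. The field names (card_number, cvv, cvv_result, avs_result), the Visa-style one-letter result codes and the sample payloads are assumptions; map them to whatever your gateway actually returns.

```python
import re
from copy import deepcopy
from typing import Any

# Field names are assumptions about a hypothetical payment form / gateway; adapt to yours.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "cav2", "security_code",
              "track1", "track2", "pin", "pin_block"}          # never stored, never logged
PAN_FIELDS = {"pan", "card_number", "cardnumber", "number"}     # may be logged truncated
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that order numbers that merely look like PANs are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first 6 / last 4, the form PCI DSS allows you to keep and display."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_in_text(text: str) -> str:
    """Truncate Luhn-valid card numbers hiding inside free-text values (notes, URLs)."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return DIGIT_RUN.sub(repl, text)


def scrub_for_logging(payload: Any) -> Any:
    """Copy of a request/response structure that is safe to write to logs or analytics.

    SAD fields are replaced by a fixed placeholder (not masked, not hashed: the value
    must not survive in any derived form), PAN fields are truncated, and PAN-looking
    numbers embedded in other strings are truncated as well.
    """
    if isinstance(payload, dict):
        out = {}
        for key, value in payload.items():
            k = str(key).lower().replace("-", "_")
            if k in SAD_FIELDS:
                out[key] = "[removed]"
            elif k in PAN_FIELDS and isinstance(value, str):
                out[key] = mask_pan(value)
            else:
                out[key] = scrub_for_logging(value)
        return out
    if isinstance(payload, list):
        return [scrub_for_logging(v) for v in payload]
    if isinstance(payload, str):
        return _mask_in_text(payload)
    return deepcopy(payload)


# Visa-style one-letter result codes (assumed to be passed through by the gateway).
AVS_MATCH = {"Y", "X", "A", "W", "Z"}              # full, or partial street / postal match
AVS_UNAVAILABLE = {"U", "R", "S", "G", "E", ""}    # unavailable, unsupported, international


def decide(auth: dict) -> str:
    """Map an authorization response to approve / reverse / review / decline.

    'reverse' means the issuer approved but we refuse the sale: void the
    authorization so the hold is released, instead of capturing it.
    """
    if not auth.get("approved", False):
        return "decline"
    cvv = str(auth.get("cvv_result", "")).upper()
    avs = str(auth.get("avs_result", "")).upper()
    if cvv == "N":
        return "reverse"    # issuer reported no-match yet approved: do not capture
    if cvv != "M":
        return "review"     # P/S/U (never checked) or an unknown code: fail closed
    if avs == "N":
        return "review"     # code matched but address did not: step up, no auto-capture
    if avs in AVS_MATCH or avs in AVS_UNAVAILABLE:
        return "approve"    # 'unavailable' is normal for non-US/UK/CA cards, not a mismatch
    return "review"


if __name__ == "__main__":
    # Constructed sample checkout request; 4111... is the standard Visa test PAN.
    request = {"card_number": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123",
               "amount": 4999, "notes": "customer read 4111111111111111 over the phone"}
    print(scrub_for_logging(request))
    for resp in ({"approved": True, "cvv_result": "M", "avs_result": "Y"},
                 {"approved": True, "cvv_result": "N", "avs_result": "Y"},
                 {"approved": True, "cvv_result": "P", "avs_result": "Z"}):
        print(resp["cvv_result"], resp["avs_result"], "->", decide(resp))
```

Two design choices worth noting. The scrubber drops the security code outright instead of masking it, because even a masked or hashed CVV is still stored sensitive authentication data; only the PAN gets the first-6/last-4 treatment. And the decision function treats an unavailable AVS result as acceptable when CVV2 matched, because declining every card the issuer cannot address-verify would reject most international customers; an explicit AVS N on a CVV2 match is sent to review rather than approved or auto-reversed.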