The short answer
The CVV/CVC/CVN is the short security code printed on a card — 3 digits on Visa/MC/Discover, 4 digits on Amex — that isn't stored in the mag stripe or chip. At checkout, your gateway sends it to the issuer, which compares it against its records and returns a match / no-match response.
The names (all the same thing)
- CVV / CVV2 — Visa's name.
- CVC / CVC2 — Mastercard's name.
- CID — Amex's name (4 digits, on the front).
- CVN / CSC — generic industry terms.
What operators need to know
- Never store it. PCI DSS forbids storing CVV after authorization, even encrypted. Tokenize it or discard it.
- Required for lowest interchange tier on CNP — missing CVV downgrades the transaction.
- Required on first auth only for card-on-file — subsequent MIT (merchant-initiated transactions) don't need it and shouldn't prompt for it.
- Match codes — M (match), N (no match), P (not processed), S (should be on card), U (not supported). Decline on N for fresh cards; be lenient on P for tokenized returning customers.
- Not on all cards — some virtual cards and corporate cards omit CVV; match code will be U or S.
- Don't prompt for CVV in dunning retries — you don't have it, and asking customers to re-enter nukes your retry recovery rate.
Numbers to know
CVV match rate on legit transactions hovers at ~98%. CVV mismatch is a stronger fraud signal than AVS mismatch — declining on N cuts card-testing fraud by 70–80% at almost no good-order cost. Including CVV on initial auth is worth 10–20 bps of interchange savings on top of the fraud win.
Why multi-brand operators care
If any of your brands stores CVV on file (in a DB, log file, S3 bucket, Redis cache), you have a PCI incident waiting to happen — and a serious compliance event when discovered. Quarterly automated scans of your brands' data stores for anything that looks like a CVV string is a standing hygiene task.