Across the Board

Blog on e-business and online payments.

What everybody should know about CVV2

CVV2, CVC2, or just the card security code (CSC), are different names for the security features for credit and debit card transactions. CVV2 provides increased protection against credit card fraud.

How it works?

Imagine that you’re buying something over the Internet, fax, mail or phone. Since you’re not present in person, such transactions are called “card not present transactions”. Normally, you give your card to a merchant. You take it out of your wallet, you can present your signature or prove that you know the PIN. Somehow you prove this card belongs to you. Everything goes well…

But how you can prove that a card is yours in case of card not present transactions? This is the point where the CVV2 enters the game. You type your card number, expiration date, your name and usually you have to enter the CVV2 security code. Because of increased attempts at card fraud, it’s now mandatory in many countries in Western Europe to provide card security code when the cardholder is not present in person.

But remember! Do not confuse this code with a card’s PIN or 3-D Secure passwords. You can choose your own PIN code or 3-D Secure password, but the CVV2 code was generated by the card issuer and cannot be changed! As a curiosity, I can also mention virtual credit cards. The security code is usually sent to the cardholder by mail.

Your money is even more secure

The greatest benefit of the card security code is the increased safety of your card, and your money. Even if someone gets your credit or debit card details, it would be of very little use. Nowadays a card number is practically useless without the CVV2.

Different card associations – different names

There are a few names for the same feature:

Cards mentioned above have a three-digit code printed on the signature panel on the back of the card. However, American Express has unique style – their cards have a four-digit code printed on the front side of the card, above the card number. It’s printed flat, not embossed like the card number, and this code is called CID or “unique card code”.

Storing CVV2 codes

I can also add that merchants who require the CVV2 for card not present transactions are forbidden in the USA by Visa from storing the security code after the transaction is completed. It means that if somebody unauthorized gets access to the transactions or credit cards numbers database, he won’t find the CVV2 codes there, so the stolen card numbers are less useful. Additionally, the Payment Card Industry Data Security Standard (PCI DSS) also prohibits storage of the card security code. This also applies to anyone who stores, processes or transmits the card holder data.

Every rose has its thorns

CVV2 cannot protect anyone from phishing scams, where the cardholder is tricked into entering all card details, including the security code. Even if a phisher obtained only the card number (for example by hacking a merchant’s database) he could ask the cardholder for the security code on a fraudulent website. It makes a false sense of security – we know your card number, but cannot do anything without your security code.

But don’t be afraid of Internet transactions, use your card and do the shopping while sitting at home. But always remember that the security code of your card is confidential data.

Image source:

This post was written by Michał Nowakowski

Mr. Banks is actually a fictional character, but does some real work. This makes him PayLane's fictional employee of the year :)

Are you a business looking for a payment processor?

Don't miss any articles!

Leave your email and get regular updates!

Close window