CVC, or card validation code, and CVV, or card verification value, are 3-digit security authentication numbers printed on the back of payment cards. They help secure online payments by acting as proof that it is the cardholder who carries out a transaction.
So, how exactly are CVC/CVV used in online payments? When paying for a purchase in any e-commerce store, the buyer needs to fill out a payment form — enter the card number, the owner’s name and surname, the expiration date, and, finally, the CVC or CVV code. Without providing this authentication number, you won’t be able to complete the transaction.
CVC and CVV numbers are mainly used in card-not-present transactions. Requesting these verification codes is optional for merchants, but it is their legitimate right, so a merchant may or may not ask for your CVC/CVV.
CVC is a security code used by the Mastercard card network. CVV is found on debit/credit cards issued by Visa. The primary purpose of the CVC and CVV is the same: cardholder identification.
Both security numbers are intended to identify real cardholders who have access to specific payment details. Thus, card validation codes and card verification values help merchants minimise the risk of unknowingly accepting a counterfeit card, and help cardholders avoid being scammed.
In the case of in-person payments through the terminal or card reader, the merchant has no reason to worry about CVC and CVV codes since the customer manually enters their Personal Identification Number or PIN. However, if a merchant accepts online payments, the customer is required to enter their card’s CVC or CVV to verify two things:
Besides, CVC and CVV are valuable markers for fraud detection and prevention. Since payment intermediaries are forbidden to store any sensitive cardholder information, including CVC/CVV, entering the code during checkout guarantees physical possession of the card at the time of purchase. Thus, even if your card issuer data is leaked, fraudsters won’t be able to use your card details without a card validation code or CVV.
The only drawback of CVC/CVV is that if fraudsters get hold of your plastic card, they will also have the CVC or CVV code at their disposal. To avoid misappropriation of funds on the card, each online transaction goes through an additional verification layer. For example, the buyer can confirm the transaction in their bank's mobile application or enter a code that is sent to them separately.
The CVC and CVV codes of most bank cards consist of three digits located on the reverse of the card in the signature area. On American Express (AMEX) cards, the code usually consists of four digits located on the front. Typically, the code is the last three digits of a seven-digit number and is visually separated from the remaining digits.
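For merchants, the two points above (the code's length depends on the card network, and the code must not be stored) can be combined into one checkout step. The sketch below is an added example, not code from this article or from any payment provider: the field names, the card-number prefixes used to detect the network, the masking of the card number and the `authorize` callback standing in for the payment gateway are all assumptions.

```python
import re

# Code length per network as the article describes: three digits for Visa (CVV)
# and Mastercard (CVC), four for American Express.
CODE_LENGTH = {"visa": 3, "mastercard": 3, "amex": 4}
# Form field names that may carry the code (assumed names, not from the article).
SENSITIVE_FIELDS = {"cvc", "cvv", "cvc2", "cvv2", "cid", "security_code"}


def detect_network(pan: str) -> str:
    """Guess the network from the leading digits (prefixes are not from the article)."""
    digits = re.sub(r"\D", "", pan)
    if digits[:2] in ("34", "37"):
        return "amex"
    if digits[:1] == "4":
        return "visa"
    if digits[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    if len(digits) >= 4 and 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    raise ValueError("unsupported card network")


def code_is_well_formed(pan: str, code: str) -> bool:
    """Format check only: ASCII digits, with the length the network uses."""
    return code.isascii() and code.isdigit() and len(code) == CODE_LENGTH[detect_network(pan)]


def storable_record(form: dict) -> dict:
    """What may be persisted or logged: security code dropped, number masked."""
    digits = re.sub(r"\D", "", form["card_number"])
    record = {k: v for k, v in form.items() if k.lower() not in SENSITIVE_FIELDS}
    record["card_number"] = "*" * (len(digits) - 4) + digits[-4:]  # masking is this example's choice
    record["network"] = detect_network(digits)
    return record


def handle_checkout(form: dict, authorize) -> dict:
    """Validate the code, hand it to the authorizer once, keep only the safe record."""
    code = next((str(v) for k, v in form.items() if k.lower() in SENSITIVE_FIELDS), "")
    if not code_is_well_formed(form["card_number"], code):
        raise ValueError("security code has the wrong format for this card")
    approved = authorize(form["card_number"], form["expiry"], code)  # code lives in memory only
    return {**storable_record(form), "approved": bool(approved)}


# Constructed sample input (a widely published test number, not a real card).
SAMPLE = {"card_number": "4111 1111 1111 1111", "name": "A. Example", "expiry": "12/30", "cvv": "123"}
```

The format check says nothing about whether the code is correct; only the issuer can confirm that during authorization.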
Many people think that CVC and CVV codes are generated randomly. We hasten to dispel this myth. Although the exact algorithms are unknown to us for obvious reasons, sources say issuing banks generate them based on the following information:
All this data is securely encrypted by the issuing bank using algorithms unknown to the general public.
A few basic rules can keep cardholders safe from CVC/CVV hacks and unauthorised purchases. Here they are:
In turn, merchants accepting online payments should take into account that the card validation code and card verification value are not the main way to reduce fraud. Thus, requesting a CVV number can only be effective if you apply comprehensive data protection measures, including 3DS.