The Card Verification Value or CVV is a small three or four-digit number that is meant to provide an extra layer of security. Especially for purchases made over the phone or online. The main point of the CVV code is to authenticate that you are holding the actual physical card in your hand while making the purchase, rather than someone who has stolen your identity to make a fraudulent purchase.
What Does CVV Mean?
CVV stands for Customer Verification Value. It is a security code feature located on all debit and credit cards as a line of defense against card-not-present fraud.
Do Online Purchases Need an Extra Security Layer?
As recently as 2021, the Federal Trade Commission handled a whopping 390,000 reports of credit card fraud. Given the fact that there are 300 million people in the United States, this might actually seem like a small number. Until you realize there is a decent chance that credit card fraud is massively underreported.
The 2022 Nilson Report estimates that credit card fraud losses will total more than $165 billion over the next decade. Card-not-present fraud accounted for $5.72 billion in losses in 2022. And one of the most common forms of card-not-present fraud occurs with online transactions.
What is a Card-not-present Transaction?
A card-not-present transaction means exactly what you would think it means: the debit card or credit card is not physically present during the transaction—and in most cases (like shopping online) the customer isn’t present either.
CVV Code and Online Transactions
When a customer makes a purchase online, they will put the account number on the front of their card into the payment gateway, along with a few other pieces of information, depending on the payment processor. For most payment processors, that’s going to include the card CVV, which is the 3-digit code on the back of the card, often located next to the signature panel. For an Amex CVC, there is a 4-digit code located on the front of the Amex card.
Fax, Telephone, and Mail Order Transactions
Fax, Telephone, and mail orders (MOTO) are also categorized as card-not-present transactions because neither the cardholder nor their credit card is physically in front of the merchant (otherwise they wouldn’t be calling). By contrast, card-present transactions involve payment details being captured in person, with the cardholder and their card present—that is, the card is swiped, inserted, or tapped over the POS terminal.
In addition to online purchases, phone orders, and mail order purchases, another type of card not present transaction is recurring payments. These are typically subscription services, which is a growing market with a great impact on American cultural consciousness. So much so that Netflix has even become a verb (one often paired with chill, which may or may not have literal or figural implications).
Although payment details do not need to be updated every time the subscription customer is charged, they will need to be input at the time of sale, and one of those pieces of information will be the debit or credit card CVV.
A card-present transaction can occur if the cardholder is not present if for instance they leave their card details with a merchant and authorize its usage at a later time. While there may be some legal issues around how this needs to happen, exactly, it does happen—and you’ll know that if you’ve ever left your card at a bar.
Do QR Codes Need a CVV?
Tangentially, it’s important for any business owners reading this article to know that QR codes are also classified as card-not-present transactions. To provide a little background, a QR code is an amalgamation of black and white squares that can be scanned by a customer using their smartphone camera.
The phone will then direct them to a website link where they can complete their payment. But because the payment is not being made at a POS terminal, a physical card is not being used. The customer is just inputting payment details like they would at home. And that means that yes, a CVV will often be required.
QR codes are useful and becoming more popular, especially in restaurants. Around 45% of polled consumers say they’d actually prefer to pay with a QR code when dining, perhaps because it speeds up the checkout process. QR codes are also extremely useful for small business owners (or very part-time business owners) who are vendors at something like a street fair.
That’s because all they need to do is display a QR code for customers to scan on their phones—they don’t even need a POS terminal. The downside of QR codes is that they are card-not-present transactions, which (whether they’re online, over the phone, or even in person with something like a QR code) are going to cost the merchant more.
Card-not-present Transactions and Risk
Card-not-present transactions carry an extra degree of risk because this type of transaction is subject to more chargebacks—incidents where a disgruntled customer contacts their bank or credit card company to dispute a charge, instead of requesting a refund.
For instance, a payment processor might charge 2.6% + $0.10 per card-present transaction (swiped, dipped, or chipped), while charging 3.5% + $0.15 per card-not-present transaction. Although 1% percentage point and a nickel may not seem like such a big difference, it can become a few hundred, a few thousand, or tens of thousands of dollars over the course of a year. Depending on your transaction volume.
CVV Code Vs the Signature on the Back of the Card
Most consumers don’t know this, because it’s become a ritual that seems as antiquated as taking off a glove to challenge someone to a duel or throwing a clod of dirt across your newly purchased property (it’s called Livery of Seisin if you’re interested). But merchants can request to see the signature on the back of your credit card and match it against the signature on your sales receipt.
In fact, if a card does not have a signature beneath or above the magnetic strip, they are not required to process the transaction. And if the signatory space says something like “See ID” instead of bearing a signature, they’re supposed to ask for your driver’s license (or whatever else you can offer as proof of identity). The intention of these formalities obviously, is to preclude the possibility of identity theft.
It’s easy to see why merchants do not want to put you through the formality of examining your autograph (as some might flatter you by calling it). It significantly delays transaction times and also creates a negative customer experience.
Moreover, many of the card networks have actually dropped the requirement for signatures in light of the fact that EMV chips facilitate an extremely secure transaction—at least one that is more secure than the magnetic strip.
However, this only applies to merchants that have an EMV-compliant POS. In any case, there can be no signature-matching ritual with card-not-present purchases. Just a request for the customer to verify themselves with the CVV.
Access to Personal Information Online
None of this is possible online, as you might guess. While you are required to input personal information to have your intended item shipped to the right address. And for making sure that the address you offer matches the billing address on file with your card issuer, this type of information can easily be located with some online searching. Or if your personal information was compromised because of a large-scale data breach.
Alternatively, cyber-criminals can even do a little bit of hacking to explore information stored on your browser to help fill in the blanks when it comes to making purchases under your name.
The one thing they can’t do is locate the CVV number on your credit card unless they are watching you in real-time by remotely accessing your computer (which is possible). Or if they are physically holding your card in their hand.
CVV Codes and Access to Physical Wallets
Keep in mind that it is very possible for a criminal who steals your actual wallet to locate the code on your Amex or Visa or Mastercard or Discover (to name all four horsemen of the credit apocalypse). They can then use the card for both online and in-person transactions, at every place that finds the ritual of signature matching as antiquated as the Livery of Seisin—and as that turns out, that’s most merchants.
Is a CVV Code the Same as a CVC, CID, CVV1, and CVV2?
CVV, as mentioned, is a 3-digit number on the back of your credit card. We have used the term CVV throughout this article because it’s fairly recognizable to both consumers and business owners in the parlance of making purchases.
Visa CVV Code Vs MasterCard CVC
But technically speaking, CVV is used by Visa. While Mastercard uses a CVC or Customer Verification Code. The practical difference doesn’t go far beyond the name, because the Mastercard CVC is also a 3-digit code on the back of the card.
American Express CVV Code
But the CVV on an Amex card is a little different. With American Express, this code is a 4-digit number placed on the front of the card. In addition to this Amex security code location, there is also a second code or CIV (Card Identification Number) on the back of the card. Amex does not put these numbers into the magnetic strip, nor are they embossed on the card, so that makes it more difficult for a merchant to take an imprint of these numbers.
The absence of the CVV from the magnetic strip on an Amex is actually something that sets a merchant’s least favorite credit card apart from competitors (to explain our passing reference, Amex has the highest processing fees of any card). That said, now is perhaps the time to rip open the curtain and reveal the Wizard of Oz: there are actually two types of CVV codes: CVV1 and CVV2.
CVV1 Vs CVV2 Code
CVV1 is actually embedded in the magnetic strip and can be read by a POS terminal. CVV2 is the number printed on the card. Presumably, the difference in those numbers is one way that a payment processor can differentiate between card-present and not-present types of transactions.
But wait, there’s more. Banks are now issuing cards with a dynamic CVV that changes with each interaction. If you thought that having to memorize the three digits on the back of your card was a task, wait until…well, never mind—the idea is that the same CVV will never be used twice, so it’s a moot point anyway.
These dynamic CVV codes or DCVV2s are a solution that banks are currently exploring. Rollout strategies include everything from having customers access a dynamic CVV from a banking app every time they make a purchase to having a small screen on the back of the card. One that’s just big enough for a ladybug to watch a football game on.
These financial institutions hope that DCVV2 may help to cut down on card-not-present fraud. Something that cannot be prevented with improvements like EMV chips and contactless payments. These only help with card present transactions.
Can a CVV Code Foil Different Types of Credit Card Fraud?
Lost or Stolen Credit Card
A CVV cannot foil the capture of a lost or stolen credit card, because the criminal has the tangible card in their possession. This is why if you realize your wallet has been stolen, you need to contact your bank immediately.
However, the implementation of DCVV2 may prevent criminals from getting very far, if the method of assigning the CVV involves logging on to an app. For customers with digital wallets on their mobile devices, the use of biometric authorization (e.g. a fingerprint) may prevent criminals from accessing card information to make payments or finding out the CVV on the cards stored in the wallet.
A phishing attempt is when a criminal will pose as a business or organization and fish for information (the spelling alludes to the fact that something might seem off). Phishing scams are getting increasingly sophisticated but the premise is the same.
In this case, a phisher might pose as a business that is emailing you about winning a prize. But the prize needs to be delivered, and you’ll have to pay for that—so please input your credit card information. Once the criminal has that, they can go shopping online, and you can forget about those iPhone earbuds. In summary, if you give your CVV away to a phisher, you had better hope they won’t go shopping right away.
This is when criminals install a small machine on credit card POS terminals. It often occurs at gas stations or similar venues where there is little in-person oversight. Remember that one type of CVV code is actually stored in the magnetic strip.
That said, criminals can leverage your card information by collecting card numbers and even pins. And they can use this card information for card-not-present transactions, even if they don’t have the physical card. Because they have essentially collected a digital imprint of its contents.
Identity theft is what it sounds like: someone steals your identity. This can be done by getting hands-on personal information like a social security number, driver’s license, or passport. It can also be accomplished by scanning publicly displayed information on your social profiles or purchasing compromised information on the dark web.
Identity thieves can use this information to do a number of things, but one thing might be to call your bank, pose as you, and have a new credit card sent to themselves. That said, the CVV or CVC code is just a small component of a much larger and much more serious issue.
This is a true cybercrime in which criminals assume ownership of your username and password to shop at your mutually favorite places. Or access sensitive financial information like your online banking info. Typically browsers (and most certainly merchants) will not store CVV codes.
The fact that you have to input it serves as an extra layer of security. But unfortunately, there is a way for some cybercriminals to collect a CVV through the use of a keylogger. A keylogger can be installed on a site like a store you’re shopping at and used to collect the customer information that has been input into the payment page before it’s encrypted.
How Can I Secure My CVV Code?
As you can see from the list above, while a CVV is meant to foil card-not-present fraud, it’s not a total failsafe. And part of the reason it’s not is because keeping a CVV code secure is the responsibility of the cardholder. Credit card fraud is actually the second most common form of identity theft, behind that committed for government benefits. And part of the reason is that consumers are not always vigilant about protecting their banking information.
It’s a good idea to make your passwords strong and uncorrelated to personal information like names, birthdays, and significant places. Avoid saving personal information on retailer websites, because even brand-name corporations like Target can experience a data breach.
In a similar vein, don’t shop on websites without an SSL certificate (indicated by a lock icon to the left of the URL). Because these sites are at risk for an attack from hackers using something like a keylogger.
Check your credit card and debit card statements regularly. Perhaps every few days use your banking app to see if any suspicious or unaccounted-for purchases have been made. And get familiar with the nature of phishing attempts. For example, emails from a suspicious address that does not align with the merchant it’s pretending to be from.
A CVV is an excellent tool for preventing card-not-present fraud, but only to a point. And even with the advent of digital and/or randomized CVVs, it’s easy to imagine that cyber criminals will rise to the challenge like they always have been. Like any other financial security tool, a CVV is only as good as the cardholder’s vigilance in protecting their personal information.