Card Security Code – CVV, CVC etc
Each of us has somehow wondered about credit cards and many intricate terms and definitions related to them, since all those numbers, PIN-codes, CVV, CVC and other attributes can easily nonplus even economically savvy people, let alone newbies. And, if the awareness of why and how we utilize the card number or PIN has been forged through years of daily practice, there are still enough novelties that demand a closer look. Like, for example, card security codes.
From the very beginning of the bankcard era, card networks have been putting all their efforts to ensure maximum security to the users of their products. The challenge got even more pressing when payments progressively went online and people started to use their cards for paying household bills, making purchases at web-stores, booking tickets or subscribing for e-services, and therefore, the number of frauds surged. Introducing card security code technology became one of those highly efficient solutions which now ensure customers' financial safety.
Many names, one same thing...
Even though Card Security Code (CSC) seems to be a more general term today, each network tend to operate their own designation for this feature, e.g., Card Verification Value or CVV for VISA, Card Validation Code or CVC for Mastercard, Card Identification Number or Card ID (CID) for American Express and Discover.
Some other names include Card Verification Data (CVD), Card Authentication Value (CAV), Card Validation Number (CVN), Signature Panel Code (SPC) and Verification Code (V-code).
These acronyms are frequently followed by the numeral 2 and people usually say “CVV2” or “CVC2”.
Why CVV2? Is there CVV1?
In fact, most bankcards have two security codes – CVV1 (CVC1) and CVV2 (CVC2). It is noteworthy that their numerical values are not equal in any way, so they both serve different purposes and offer different security layers.
The first code is encrypted on one of the three tracks of the card's magnetic stripe (as a rule, on Track 2) and used for the authentication of the cardholder at in-person swiping transactions. Unlike card number, name or expiration date, this value remains pretty undetectable and therefore impedes those who try to steal your physical card data.
CVV2 is generally required for card-not-present payments and customers are asked to provide it when making online purchases. Though it may look quite risky to give access to your CVV2 every time you pay at web-shops, no merchant is allowed to keep your CVV2 on file, in accordance with Payment Card Industry Data Security Standard.
The location of this type of security code on a card as well as the number of digits used to designate it normally depends on the card network issuing policy. Traditionally, this is a three-digit value (or sometimes the last three digits of a longer number) printed above or on the signature area on the back of VISA, Mastercard and Discover bankcards, while American Express uses a four-digit code format and places their CID above the embossed card number on the front side of their payment cards.
With the advent of chip-based cards using EMV technology (EMV standing for “Europay, Mastercard and VISA) which encodes the account data on an integrated circuit chip, there came another kind of card security code known as “iCVV” or “integrated circuit card verification value”. And, although some data stored on the magnetic stripe is also encrypted in the chip so it could be interchangeable in situations where there is no chip reader or the latter fails, the CVV1 and iCVV are not however fully compatible for reasons of protection. For example, when someone got to copy the magnetic stripe data from the chip and wants to create a fake magnetic stripe card.
How do security codes protect card holders?
Actually, each new bankcard has a new CVV number regardless of whether the card has been newly issued or replaced. And even if it is replaced after expiration with exactly the same number, the card security code will always be totally different.
As we have just mentioned, these codes are not stored in merchants' databases and card holders finances stay safe even in cases when a customer database has been stolen from a merchant, for there must be no record of CVV2 there.
Unless your card falls into the hands of someone else or someone else obtains its photographic image or absolutely all the data through, e.g., phishing scams, the only person who has access to your card security code is you.
Today, networks do not cease to improve the technology and offer new solutions such as dynamic CVV2 (or dCVV2) by VISA when a special issuer's mobile application delivers different card security codes for different CNP transactions or another innovative but more expensive dCVV technology when the bankcard has an integrated e-ink display on which the CVV value changes at intervals. It all means that despite moving in other directions concerning card-absent transactions safety such as 3-D Secure, SecureCode or biometrics, most industry players still believe in what has proven to be effective.