A CVV is the three- or four-digit security code printed on your credit or debit card, used to verify that you physically have the card when making online or phone purchases. It acts as a second layer of protection beyond your card number, making it harder for someone who only stole your account number to complete a fraudulent transaction.
Where to Find Your CVV
The code’s name and location depend on your card network. Visa calls it a CVV (Card Verification Value), and Mastercard calls it a CVC (Card Verification Code). Both are three-digit codes printed on the back of the card, typically next to or just after the signature panel. American Express uses a different format entirely: a four-digit code called a CID, printed on the front of the card, usually above and to the right of your card number.
Despite the different names, they all serve the same purpose. When a website asks for your “CVV,” “CVC,” “security code,” or “card verification number,” it wants whichever version your card carries.
How the CVV Protects You
Your CVV exists specifically for “card not present” transactions, meaning any purchase where you can’t physically swipe, tap, or insert your card. Online checkout forms, phone orders, and mail orders all fall into this category. Because the CVV isn’t embedded in your card’s magnetic stripe or chip, it can’t be captured by a skimmer at a gas pump or ATM. Someone who intercepts your card number from a data breach still won’t have the CVV unless the merchant improperly stored it.
This is where industry security rules come in. The PCI Data Security Standards, which govern how businesses handle card data, explicitly prohibit merchants from storing your CVV after a transaction is authorized. The rule is absolute: even encrypted CVV data cannot be kept on file. That’s why you have to re-enter your security code on many websites each time you check out, even if the site has your card number saved.
CVV on Virtual Cards
Virtual credit cards, offered by many banks and card issuers, generate a temporary card number linked to your real account. Each virtual card comes with its own CVV and expiration date, separate from the numbers on your physical card. If a virtual card number is compromised, your actual card stays safe because the two numbers aren’t the same. Some virtual cards are designed for a single use and expire immediately after one transaction, while others can be reused for a set period.
Dynamic CVV Technology
Some banks have begun issuing cards with a small digital display on the back that shows a CVV that changes automatically. These “dynamic CVV” cards work in two ways.
The first approach uses a tiny battery and internal clock built into the card. The code refreshes at intervals the bank chooses, anywhere from every few minutes to every few hours. Both the card and the bank’s server share an algorithm that stays in sync, so the bank always knows which code is currently valid.
The second approach piggybacks on the chip technology already in your card. Every time you insert or tap your card at a terminal or ATM, the terminal’s power supply updates the code shown on the card’s display. No battery is needed because the card draws energy from the terminal itself.
In both cases, a stolen CVV becomes useless almost immediately because it expires and a new one takes its place. This technology is still relatively uncommon but is gradually rolling out through certain issuers.
Keeping Your CVV Safe
Your CVV is only useful as a security tool if it stays private. Never share it over email or text. Legitimate companies will never ask for it outside of an active payment form. When shopping online, stick to sites that use encrypted checkout pages (look for “https” in the address bar). If a phone caller claims to be your bank and asks for your CVV, hang up and call the number on the back of your card instead.
Some people memorize their CVV and then cover or obscure the printed code on the physical card with a small sticker or marker. This way, if the card is lost or briefly handled by someone else, the code isn’t visible. Your card will still work normally at chip and tap terminals since those transactions don’t rely on the printed CVV.