A CVV is the three- or four-digit security code printed on your credit or debit card, used to verify you physically have the card when making purchases online or over the phone. It stands for “card verification value,” and its sole purpose is to reduce fraud on transactions where a merchant can’t see or swipe your card in person.
Where to Find It on Your Card
The location and length of the code depend on which card network you use. Visa, Mastercard, and Discover all print a three-digit code on the back of the card, typically to the right of the signature line. American Express is the outlier: it uses a four-digit code printed on the front of the card, usually to the right of the card number or logo.
You may also see this code called by different names. Visa calls it a CVV2, Mastercard labels it a CVC2 (card validation code), and American Express refers to it as a CID (card identification number). They all serve the same function. When an online checkout asks for your “CVV,” “security code,” or “card code,” it wants this number regardless of which brand you carry.
How It Protects You During Online Purchases
When you shop in a store, the chip or magnetic stripe on your card proves the card is present. Online and phone purchases don’t have that physical check, so the CVV fills the gap. After you enter the code during checkout, the merchant’s payment system sends it to your card’s issuing bank, which compares it against the code on file. The bank sends back a match or mismatch result, and the merchant uses that to decide whether to approve the transaction.
This matters because if a thief steals only your card number (from a data breach, a compromised database, or a photo of the front of your card), they still can’t complete most online purchases without the CVV. It’s a second layer of proof that the person entering card details is holding the actual card.
Why Merchants Can’t Save Your CVV
You may have noticed that websites ask for your CVV every time you check out, even when the site already has your card number saved. That’s not a design choice. The Payment Card Industry Data Security Standard (PCI DSS) explicitly prohibits merchants from storing your CVV after a transaction is authorized, even in encrypted form. The rule treats the CVV as “sensitive authentication data” that must be discarded once the purchase clears.
This restriction exists for a practical reason: if a merchant’s systems are breached, attackers get card numbers but not CVVs. The stolen data becomes far less useful for committing fraud elsewhere. It’s the same logic behind keeping your PIN separate from your card number. So when a retailer asks you to re-enter the code on your next order, that’s the system working as intended.
What to Do If Your Code Is Worn Off
Because the CVV is printed (not embossed) on most cards, it can fade or rub off over time, especially on cards you carry in a wallet pocket. If you can no longer read yours, contact your bank’s customer service line and request a replacement card. Some banks also let you view your card details, including the security code, through their mobile app. Either way, don’t try to guess the number during checkout. Failed CVV attempts can trigger fraud alerts or temporarily lock your card.
Dynamic CVVs and Virtual Cards
The static code printed on a plastic card has an obvious weakness: once someone sees it, they have it forever (or at least until the card expires). Newer technology addresses this with dynamic security codes that change automatically.
Some banks issue cards with a small electronic display built into the plastic. The screen shows a CVV that refreshes at set intervals, anywhere from every few minutes to every few hours. By the time a stolen code could be used for a fraudulent purchase, it has already expired and been replaced by a new one. Other versions tie the code refresh to a chip transaction. Every time you insert or tap the card at a terminal, it generates a fresh CVV, which means you can update the code on demand if you suspect the old one was compromised.
Virtual card numbers, offered by many banks and digital wallets, take a similar approach. When you pay online, the bank generates a temporary card number with its own one-time security code. The merchant never sees your real card details. If that virtual number is later exposed in a breach, it’s useless because it was created for a single transaction or a short time window.
Keeping Your CVV Safe
Treat your CVV like a PIN. Don’t share it over email, text, or social media, and never give it to someone who contacts you claiming to be your bank. Your bank already has the code on file and will never ask you to read it back. Be cautious when entering it on unfamiliar websites. Look for “https” in the URL and avoid entering card details on sites you reached through unsolicited links.
If you shop online frequently, using a virtual card number or a payment service that masks your real card details can reduce your exposure. And if your card number is compromised in a data breach, the fact that merchants aren’t allowed to store your CVV means the stolen data is incomplete, but you should still request a new card to be safe.