The CCV on a card is the three- or four-digit security code printed on your credit or debit card, used to verify you physically have the card when making online or phone purchases. You’ll most often see it called a CVV (card verification value), but CCV, CVC, CSC, and CID all refer to the same thing. Different card networks just use different names for it.
Where to Find It on Your Card
On most Visa, Mastercard, and Discover cards, the code is a three-digit number printed on the back, usually near or on the signature strip. American Express cards are the exception: the code is four digits and printed on the front of the card, typically above and to the right of the card number.
This code is separate from your card number and your PIN. It’s not embedded in the magnetic stripe or the chip, which is exactly the point. Even if someone copies your card number from a receipt or a data breach, they won’t necessarily have the security code.
Why It Exists
The security code exists to protect “card not present” transactions, meaning any purchase where you can’t physically swipe, tap, or insert your card. When you buy something online or read your card number to someone over the phone, the merchant asks for the security code as a basic check that you’re holding the actual card and not just working from stolen digits.
It’s a simple layer of fraud prevention. A thief who gets your card number from a database hack or a skimmed receipt still needs that printed code to complete most online purchases. It doesn’t make fraud impossible, but it raises the bar significantly for criminals working with partial card data.
Why Merchants Never Save It
You may have noticed that websites ask for your CVV every time you check out, even when your card number is saved on file. That’s not a design choice. It’s a rule. The Payment Card Industry Data Security Standard (PCI DSS) prohibits merchants from storing your security code after a transaction is authorized. This applies even if you give the merchant permission to save it, and even if they encrypt it. The code must be completely deleted from their systems once the purchase goes through.
This rule is what gives the code its protective value. If a merchant’s database gets breached, attackers can potentially steal stored card numbers, but they won’t find security codes in that data because merchants aren’t allowed to keep them. For recurring subscriptions or saved payment methods, the code simply isn’t needed after the initial authorization.
All the Names for the Same Code
The alphabet soup of acronyms can be confusing, but they all describe the same thing:
- CVV / CVV2 (card verification value): the most common term, widely associated with Visa
- CVC / CVC2 (card verification code): typically used by Mastercard
- CID (card identification number): used by American Express and Discover
- CSC (card security code): a generic term that covers all of the above
When a checkout form asks for your “CCV,” “CVV,” “CVC,” or “security code,” it’s asking for the same number. Just look for the three-digit code on the back of your card (or four digits on the front if you have an American Express).
Dynamic Security Codes
The traditional printed security code is static, meaning it never changes for the life of your card. That’s a vulnerability: once someone sees it, they have it forever (or at least until your card expires). Newer technology is starting to address this with dynamic security codes that change periodically.
Some card issuers now offer cards with small embedded chips that generate a new code each time you tap, dip, or trigger the card through a mobile app. Once the code changes, any previously stolen version becomes useless. Other approaches use a companion app where you retrieve a temporary code that’s valid for only a short window, sometimes 30 to 60 minutes, before it rotates. Apple offers a similar feature called Advanced Fraud Protection for its Apple Card, where the security code changes periodically after you view it in the Wallet app.
These dynamic codes aren’t yet standard across the industry, but they represent the direction security is heading. If your card or issuer offers this feature, enabling it makes your card data significantly harder to exploit even if it’s compromised.
Keeping Your Code Safe
Since the security code is your main defense for online purchases, treat it like a password. Never share it over email or text. Only enter it on checkout pages where the URL starts with “https” and belongs to a merchant you trust. If someone calls claiming to be your bank and asks for the code, hang up. Your bank already has the ability to verify your identity without it.
Some people memorize their security code and then cover it with a sticker or permanent marker on the physical card. This way, if the card is lost or stolen, a thief can’t simply read the code off the back. As long as you remember the number, your own online shopping isn’t affected.