CVV stands for Card Verification Value, a three- or four-digit security code printed on your credit card. Its job is to prove you physically have the card in your hand when you’re making a purchase online or over the phone, where a merchant can’t watch you swipe or insert the card.
What the CVV Actually Does
When you shop in person, the chip or magnetic stripe on your card confirms it’s real. But when you buy something online, there’s no way for the merchant to verify you’re holding the card rather than just typing in a stolen card number. That’s where the CVV comes in. By asking for it, the merchant adds a layer of confirmation that you have the physical card, not just the account number. Because the card number and the CVV are often printed on opposite sides of the card, someone who snaps a quick photo of one side still won’t have everything they need to complete a purchase.
Where to Find It on Your Card
The location and length of the code depend on which card network issued your card.
- Visa and Mastercard: Three digits, printed on the back of the card, usually near or on the signature strip.
- American Express: Four digits, printed on the front of the card. Amex calls it a CID (Card Identification Number) rather than a CVV.
You’ll also see various labels for this code depending on the card network or the checkout form you’re filling out. CVV, CVC (Card Verification Code), CVC2, and CSC (Card Security Code) all refer to the same thing. If a website asks for any of these, it wants the short number printed on your card, not your PIN or your full card number.
Why No Merchant Can Store Your CVV
You might wonder why you have to re-enter your CVV every time you shop somewhere new instead of having it saved on file. That’s by design. The Payment Card Industry Data Security Standard (PCI DSS) prohibits merchants from storing your CVV after a transaction is authorized. Even encrypted storage is not allowed. The rule exists so that if a retailer’s database gets hacked, the thieves walk away with card numbers but not the security codes needed to use them for online purchases.
This is also why a data breach at a major retailer doesn’t automatically mean every stolen card number can be used for fraudulent online shopping. Without the CVV, the card data is far less useful to a thief. Merchants who don’t store cardholder data at all eliminate one of the biggest targets for attackers.
How to Keep Your CVV Safe
Because the CVV is your primary defense for online transactions, treat it like a PIN. Never share it over email, text, or social media. Only enter it on websites you trust, and look for “https” in the URL before typing payment details. If someone calls claiming to be your bank and asks for your CVV, hang up. Your bank already has the information it needs and will never ask for that code over the phone.
Some people memorize their CVV and then cover it with a small sticker or marker on the physical card. That way, if the card is lost or someone photographs it, the code isn’t visible. This only works if you’ve genuinely memorized it, since you’ll still need it for online checkouts.
Dynamic CVVs and Newer Technology
A static three- or four-digit code has limits. If a thief gets both your card number and your CVV through a phishing site or skimmer, they can use that information until you cancel the card. Dynamic CVV technology addresses this by generating a new code periodically, sometimes every 30 to 60 minutes or after each use. Once the code changes, any previously stolen CVV becomes worthless.
One approach embeds a chip in the card itself that produces a fresh code each time you tap, dip, or trigger it through a mobile app. Another requires you to open a companion app on your phone to retrieve a temporary code before making an online purchase. The code is valid for only a short window. A handful of banks and credit unions have started offering dynamic CVV cards to their customers, though the technology is still far from standard in the U.S. Card-not-present fraud losses are expected to approach nearly $13 billion in the U.S. by 2026, which is pushing more issuers to consider adopting it.
Even without a dynamic CVV card, virtual card numbers offered by many major issuers serve a similar purpose. They generate a temporary card number and security code for online shopping, keeping your real card details out of merchant databases entirely.