The three-digit code on the back of your credit card is a security code designed to prove you physically have the card when making purchases online or over the phone. It goes by several names depending on the card network: CVV, CVC, CVC2, CSC, or CID. You’ll find it printed on the back of most cards, usually near the signature panel, and it serves a different purpose than your card number or expiration date.
What the Code Is Called on Each Network
Every major card network uses its own acronym for essentially the same thing. Visa calls it CVV2 (Card Verification Value). Mastercard uses CVC2 (Card Verification Code). Discover and American Express both use CID (Card Identification Number). Regardless of the label, they all function the same way: a short numeric code that verifies you have the physical card in hand.
One key difference is length and placement. Visa, Mastercard, and Discover print a three-digit code on the back of the card. American Express uses a four-digit code printed on the front. If you’ve ever been confused when a checkout page asks for a “3-digit security code” and you’re holding an Amex, that’s why. Look on the front, above or to the right of your card number, for four digits.
Why This Code Exists
When you swipe, tap, or insert your card at a store, the terminal reads data from the chip or magnetic stripe. That physical interaction confirms the card is present. But when you shop online or buy something over the phone, there’s no chip reader involved. These are called “card-not-present” transactions, and they carry a higher risk of fraud because anyone who has stolen your card number could potentially use it.
The security code adds a layer of protection. Someone who obtained your card number through a data breach or by looking over your shoulder likely doesn’t also have the security code, since it’s stored separately from the card number in payment systems. Entering the correct code signals to the merchant and the card network that you probably have the actual card. It’s not foolproof, but it significantly narrows the window for fraud.
It’s worth noting that the security code response is separate from the authorization code you see on a receipt. Authorization confirms the card is valid and has available funds. The security code check is purely a fraud detection tool.
Why Merchants Can’t Save It
You might wonder why some websites ask for your security code every single time, even when your card is “saved” in your account. That’s not a glitch. Industry rules explicitly prohibit merchants from storing your security code after a transaction is authorized.
The PCI Data Security Standard (PCI DSS), which governs how businesses handle card data, classifies the security code as “sensitive authentication data” under Requirement 3.2. Once a purchase is authorized, the code must be deleted. Merchants cannot keep it on file for future transactions, even if you give them permission. A customer’s consent has no bearing on this rule. The restriction also can’t be worked around with encryption or other technical methods. The code simply cannot be retained, period.
This is why recurring subscriptions and saved-card purchases work without the security code. Card networks allow merchants to process repeat charges using the card number and expiration date alone once the initial transaction has been verified. The tradeoff is that when you shop with a new merchant or update your payment details, you’ll need to enter the code again.
Where to Find It on Your Card
On Visa, Mastercard, and Discover cards, flip the card over. You’ll see a three-digit number printed near the signature strip, typically on the right side. Some newer card designs have moved it to a slightly different spot on the back, but it’s always clearly separate from the main card number.
On American Express cards, the four-digit code is on the front. It’s printed in small type above and to the right of the embossed (or printed) card number. Don’t confuse it with the last four digits of your account number, which may also appear nearby.
If you use a virtual card number through your bank’s app or a digital wallet, the security code is displayed digitally alongside the virtual card number. It works the same way.
Dynamic Security Codes
The printed security code on a physical card is static. It stays the same for the entire life of that card and only changes when you’re issued a replacement. Some banks and card issuers are now offering dynamic security codes that change periodically, making stolen codes useless within minutes or hours.
Dynamic codes work in a couple of ways. Some issuers send a one-time code via text message or email when you’re ready to make a purchase. That code expires after the transaction is complete or within a few hours, and any future purchase requires generating a fresh one. Other implementations use a small electronic display embedded in the physical card itself, with the code refreshing every 30 to 60 minutes. Both approaches make it far harder for someone to use a stolen security code, since it’s only valid for a short window.
What to Do if Your Code Is Compromised
If you suspect someone has your card number and security code, contact your card issuer immediately to request a new card. The replacement will come with a new card number and a new security code. In the meantime, most issuers can freeze the card instantly through their mobile app to prevent unauthorized charges. Since merchants aren’t allowed to store the security code, a data breach at a retailer is less likely to expose it. But if your physical card is lost or stolen, both your card number and security code are at risk.
Treat the security code with the same care as your PIN. Don’t share it over email, don’t write it on a sticky note attached to your card, and be cautious about entering it on unfamiliar websites. It’s a small number with a big job.