The CSC on a card is the card security code, a three- or four-digit number printed on your credit or debit card that helps verify you physically have the card when making purchases online or over the phone. You’ll be asked for it almost every time you buy something without swiping or inserting your card.
Where to Find It on Your Card
On Visa and Mastercard cards, the CSC is a three-digit number printed on the back of the card, on the right side of the signature strip. On American Express cards, it’s a four-digit number on the front of the card, above and to the right of the card number.
The code is printed on the card but not embedded in the magnetic stripe or chip. That distinction matters: it means the number can’t be captured by a card skimmer at a gas pump or ATM, which is the whole point of having a separate code.
Why It Goes by So Many Names
Different card networks brand the same feature under different names, which is why you’ll see various abbreviations on checkout forms. Visa calls it a CVV2 (card verification value). Mastercard uses CVC2 (card validation code). American Express calls it a CID (card identification number). Discover also uses CID. Regardless of the label, they all work the same way and serve the same purpose. When a website asks for your “CVV,” “CVC,” “CSC,” or “security code,” it’s asking for this number.
How It Protects You
The CSC exists specifically for “card not present” transactions, meaning any purchase where the merchant can’t physically see your card. Online shopping, phone orders, and mail orders all fall into this category. By requesting the code, the merchant gets an indication that the person placing the order actually has the card in hand, not just a stolen card number.
That said, the CSC isn’t foolproof. If someone steals your physical card, they have the code too. Phishing emails that trick you into entering your full card details, including the security code, also bypass this protection. The code works best against the most common type of fraud: someone who has obtained your card number and expiration date (from a data breach, for instance) but doesn’t have the card itself.
Why You Have to Enter It Every Time
Industry rules set by the PCI Security Standards Council prohibit merchants from storing your security code after a transaction is authorized. This applies even if the merchant encrypts the data. The card number and expiration date can be stored (with proper security measures), but the CSC cannot. That’s why a retailer that has your card on file for repeat purchases may still ask you to re-enter the code, or may skip asking for it entirely on subsequent orders because the initial verification was enough for their fraud system.
This storage ban is a key layer of protection. When a retailer suffers a data breach, hackers may get card numbers and expiration dates, but they shouldn’t get security codes because the merchant was never allowed to keep them.
Dynamic Security Codes
Some newer cards replace the static printed code with a tiny screen on the card that displays a code that changes automatically, typically every 30 to 60 minutes. These dynamic security codes make stolen codes useless almost immediately, since a code captured by a fraudster expires before it can be used.
Two versions of this technology exist. One uses a small battery and internal clock built into the card to rotate the code on a set schedule. The other draws power from a chip reader or ATM terminal during in-person transactions and updates the code each time the card is dipped. In both cases, the issuer’s system knows which code is valid at any given moment.
For cardholders, the experience is identical: you read the code off your card and type it in during checkout. Merchants don’t need to change anything on their end either, since the dynamic code is submitted in the same checkout field as a traditional static code. These cards are still relatively uncommon in the U.S. but are more widely issued in parts of Europe.
Keeping Your Code Safe
Never share your CSC over email, text, or social media. Legitimate companies will only ask for it through a secure checkout page or a payment terminal. If someone contacts you claiming to be your bank and asks for the code, that’s a red flag, since your bank already has the ability to verify your card without it.
Some people memorize their security code and then cover it with a small sticker or permanent marker on the physical card. This prevents someone who briefly handles your card (a waiter, a cashier) from copying the number. As long as you remember the code, this doesn’t affect your ability to use it online.