What is a Card Verification Value (CVV)?

Knowing what a CVV is, where to find it, and how it protects you helps you make better decisions about sharing your card details - and recognize when something might not be right.

Where CVV Codes Come From and What They Actually Do

A CVV is a three- or four-digit number on your payment card- it’s not part of your main card number, and it’s not the same as your PIN- it sits alongside your card number and expiration date as a third piece of identifying information.

The idea is simple. When you make a purchase in person, the merchant can physically see your card and swipe or tap it. But when you shop online or pay over the phone, none of that happens. The seller has no way to confirm you’re holding the card; it’s the gap a CVV was built to fill.

A card number can leak through hacked databases, phishing attempts, or skimming devices. A CVV is harder to get because it isn’t stored by merchants after a transaction is processed.

This matters more than most people know. Card-not-present fraud - meaning fraud on transactions where no physical card is swiped - makes up 73% of all card payment fraud in the United States; it’s a big share, and it’s the main reason the CVV requirement became standard practice across the payment industry.

The CVV works as one layer in a wider system. A fraudster who only has your card number still needs your expiration date and your CVV to complete most online purchases; it’s three separate pieces of information to steal instead of one- it doesn’t make fraud impossible. But it raises the bar considerably.

Your CVV is generated by an encrypted formula that combines your card number, expiration date, and a secret key held by your card issuer; it’s why no two cards share the same CVV even if the card numbers look similar.

Visa, Mastercard, and Amex Don’t All Do It the Same Way

The core idea is the same across card networks. But each one has its own name for the code and puts it in a slightly different place on the card.

Visa calls theirs a CVV2 and it sits on the back of the card as a 3-digit number. Mastercard does the same thing with a 3-digit code. But they call it a CVC2. American Express breaks from the pattern - their code is 4 digits long and printed on the front of the card, not the back. Amex calls it a CID.

That front placement on Amex cards does trip people up. If you are looking on the back of an Amex card for a 3-digit code, you’ll not find one. The 4-digit CID sits above the card number on the right side.

Card Network	Code Name	Digit Count	Location on Card
Visa	CVV2	3 digits	Back of card
Mastercard	CVC2	3 digits	Back of card
American Express	CID	4 digits	Front of card

The different names can seem a little confusing. But they all serve the same job. When a website asks for your CVV, they just want whichever code your card has - whatever it happens to be called on your network.

The extra digit on Amex cards gives their CID a slightly bigger number of possible values, which matters when you look at how hard these codes actually are to guess.

How Strong Is a CVV Code, Really?

A three-digit CVV has 1,000 possible combinations - 000 through 999; it’s not quite a lot. A motivated attacker doesn’t need to physically steal your card to guess it; they can run through possible values systematically, which is what an enumeration attack does.

In an enumeration attack, fraudsters use automated scripts to try small purchases across websites, cycling through CVV values until one works. Transaction amounts are kept low to stay under detection, and the stolen card number does the rest of the work. Enumerated transactions rose 22% in late 2024, which tells you this isn’t a theoretical concern.

The CVV was never designed to be the only line of defense - it works as one layer in a stack of fraud checks - velocity limits, device fingerprinting, and behavioral tells all help fill the gaps. But on its own, a three-digit code is a pretty thin barrier.

Card networks and payment processors do have tools to catch enumeration in progress. Repeated failed transactions from the same device or IP address can trigger blocks, and some networks use machine learning to flag unusual patterns. But refined attackers spread attempts across cards, merchants, and long timeframes to stay below detection thresholds.

The CVV still stops a large share of fraud attempts, and that’s also the case when paired with address verification and transaction monitoring. But it’s worth understanding what it can and can’t do, because that context matters for the laws covered in the next section.

The CVV is an actual checkpoint - not an impenetrable wall. Knowing its limits helps explain why the wider payment system puts so many other laws in place around how CVV data gets handled after you type it in.

The Rules That Stop Merchants From Storing Your CVV

There is a rule in the payment industry that merchants are not allowed to store your CVV after a transaction goes through. This rule comes from the Payment Card Industry Data Security Standard, known as PCI DSS, and it applies to any business that processes card payments, regardless of its size.

The reasoning behind the rule is straightforward. If a retailer kept your CVV in a database alongside your card number and expiration date, a single breach of that database would give fraudsters everything they need to make purchases in your name. The rule limits what a hacker can walk away with by requiring businesses to delete CVV data after authorization.

When attackers get into a retailer’s systems, they usually find card numbers and personal details - but not CVVs, because those should not be there. That gap in the stolen data makes the information harder to use for card-not-present fraud.

When businesses break this rule, either through poor system design or negligence, the consequences reach far beyond a fine. Cardholders whose data gets exposed find it much harder to protect themselves because the stolen records are more immediately useful to criminals.

It is worth knowing that PCI DSS compliance is not automatic. Businesses self-assess or get audited depending on how many transactions they handle, and not every merchant passes with a clean record. Some smaller merchants in particular might not know what data their payment systems are logging silently.

Your CVV security is not entirely in your own hands. The businesses you buy from carry a part of that responsibility, and the laws that govern how they manage your data are there for a reason.

Keeping Your CVV Out of the Wrong Hands

The laws on merchants are there for a reason. But they only go so far. What happens on your end matters just as much.

The most basic rule is to never share your CVV over email or phone unless you initiated the contact and are sure of who you are speaking to. Legitimate banks and card issuers will not call you and ask for it. If someone does ask, that’s a strong signal something is wrong.

Shopping online carries its own risks. Stick to sites you trust and look for “https” in the address bar before entering any card details. A site that looks a little off - strange fonts, broken layouts, an address that almost matches a familiar brand - is worth a second look before typing anything in.

Some banks and card providers let you generate a virtual card number for online purchases - a temporary number linked to your account, so your card details stay out of the transaction entirely. It’s one of the more helpful tools available to online shoppers and worth using if your bank gives you access to it.

E-commerce fraud losses are expected to reach $107 billion globally by 2029, and card details are a big part of what makes that possible. Regular checks of your statements are one of the simplest ways to catch unauthorized charges early. Small test charges - sometimes just a few cents - can be a sign that someone is probing your account before making a bigger move.

You don’t need to be nervous about every online buy. A few steady habits go a long way toward keeping your card information where it belongs - in your hands and nowhere else.

Your CVV Is Small but Mighty - Treat It That Way

Your role in this is easy. Guard your CVV the same way you guard your PIN - don’t share it unless you are completing a legitimate purchase, stay away from entering it on sites that don’t have HTTPS, and stay alert to any request for it outside of a standard checkout. If you ever suspect your card details have been compromised, contact your card issuer immediately. Most will replace your card and with it, a brand new CVV.

The next time a checkout page asks for those three or four digits, you’ll know why they are there - and just how much weight that little code quietly carries. Staying informed about how credit card risk scores work can also help you understand how merchants and banks evaluate suspicious activity behind the scenes.