top of page

What is a CVC? Understanding the Credit Card Security Code



When’s the last time you used your credit card to buy something online? Did you need to input that special small code printed on your card to do it? And hey – what exactly is that code for, anyways? Where did it come from? And most importantly of all, how does it work?

 

That little code, often called the card security code (though you’ll soon see it has many more names than that), is one of the most important protections that credit and debit cards have. Read on to learn more about the history and functionality of this small but mighty code.


What is a Card Security Code?

A card security code is a sequence of three or four numbers that is printed on a debit or credit card. Card security codes protect customers against Card-Not-Present (CNP) card fraud, which occurs when stolen credit card information is used to make a fraudulent payment from a distance, like in an online or over-the-phone transaction. The card security code essentially takes the place of a personal identification number (PIN) that the cardholder would manually enter if they were buying something in-person; it proves that the cardholder has the correct credit card in their hands. More on that below.


Card security codes are called different names by different credit card companies. Refer to the table below for a list of common names for card security codes.

Credit Card Company

Their Name for Card Security Codes

Acronym

American Express

Card Security Code

or

Card ID/Card Identification Code

CSC

or

CID

Mastercard

Cardholder/Card Verification Code

or

Cardholder/Card Verification Code 2

CVC

or

CVC2

Visa

Card Verification Value

or

Card Verification Value 2

CVV

or

CVV2

Discover

Card Verification Data

or

Card ID/Card Identification Code

CVD

or

CID

JCB

Card Authentication Value

CAV

Elo (Brazilian Financial Services Company)

Elo Verification Code

CVE

China UnionPay, Google

Card Validation/Verification Number

CVN

Various

Signature Panel Code

SPN

 

Every other payment card company uses one of these monikers to refer to their security code.


How To Find Your Card’s Security Code

Card security codes are typically found printed on the back of credit cards. Remember: the card security code will never be embossed on the card, because it shouldn’t be able to be read by a mechanical credit card imprinter (which can only read embossed things).

 

American Express card security codes are a notable exception as their CSCs are four digits long and printed on the front of the card.



Most other credit cards’ security codes are three digits long and printed on the back of the card, next to the signature strip.

 

Who Invented Card Security Codes?

The concept of card security codes emerged as a response to growing credit card fraud in the 90s. In the UK in 1995, an Equifax employee named Michael Stone added an 11-digit code to credit cards as a novel measure to curb the credit card fraud that was exploding at the time. His invention was eventually green-lit by the UK Association for Payment Clearing Services. This organization was responsible for trimming Stone’s 11-digit code down to the three or four-digit value that you see on your credit card today.

 

As the 90’s and early 2000’s progressed, internet shopping boomed and card security suffered as fraud techniques became more sophisticated. As a result, card security codes became commonplace all around the world to keep up with this “arms race” against fraudsters.


How Do Card Security Codes Work?

If you’ve enabled 2-factor authorization on any of your devices or online accounts, you understand the basic principle of your card’s security code. It acts as another identifier – along with your credit card number and expiration date – to prove that you have the physical card in hand. Your bank has your security code on record and will decline a transaction if your code doesn’t match what they have on file.

 

The Payment Card Industry Data Security Standard (PCI DSS) strictly prohibits merchants, virtual payment gateways, and other organizations that handle credit card data from storing card security codes on their databases or in their computers, which means that card security codes cannot be stolen in hacking attacks. It is also prohibited to store card security codes in a card’s magnetic stripe or chip, which means that the card security code cannot be captured by skimming devices or other forms of card cloning. In theory, this makes it difficult for fraudsters to get their hands on a card’s security code -- even if they’ve already stolen the card’s other information.

 

When a cardholder makes a purchase, they are typically required to provide the card security code along with the card number and expiration date. If all three of these pieces of card information are correct, it is assumed that the purchaser is the legitimate cardholder and not a fraudster using stolen card information.

 

For recurring transactions, such as online subscriptions, consumers typically only have to enter in their security code on the first transaction – typically during signup. Subsequent charges do not use the code as long as the other credit card details haven’t changed. Keep in mind, merchants should not store your CVC/CVV, which explains why recurring transactions bypass the code altogether.


What Do Card Security Codes Do?

The primary purpose of card security codes is to reduce CNP fraud by adding an extra ownership verification step. Online and over-the-phone transactions are inherently riskier than those where the card is physically presented, as they do not allow merchants to verify the cardholder’s identity directly. The card security code adds an extra security step, making it harder for fraudsters to use stolen card information without the actual card in their presence.


What Can’t Card Security Codes Do?

Card security codes cannot protect card information when a card is stolen physically and used for Card-Present (CP) fraud, which occurs when a stolen or fraudulent credit card is physically presented to a merchant. After all, if the fraudster has the card in-hard, they have access to your name, card number, expiration date, as well as the security code. Remember, card security codes are meant to prevent CNP fraud.

 

However, even though card security codes were invented for this specific instance, it’s up to the merchant to use this fraud protection technology or not. In fact, online stores are not required to ask their customers for a card security code. If you make a purchase online with your payment card and the merchant does not ask for a card security code, the card security code cannot protect you against card fraud.

 

Card security codes also become useless if a fraudster correctly guesses them with the help of a distributed attack. A distributed attack uses computers to generate thousands of possible security codes. These possible codes are rapidly inputted into thousands of websites at a time, ensuring a positive match in a matter of seconds.

 

Of course, card security codes are only as effective as they are secret. They are powerless against types of fraud where a cardholder is tricked into disclosing their security code, such as phishing attacks. In fact, if your card security code is compromised by any means, you’re out of luck; the fraudster now has control of your credit card for CNP fraud.


Why Card Security Codes Aren't Enough

Although card security codes were invented to protect users from card-not-present fraud, the data shows quite the opposite: CNP fraud has been increasing year-over-year. The rapid rise of ecommerce has led to fraudsters who are more motivated than ever to steal your card’s security code.

 

And because printed card security codes only provide protection via verification – remember, they’re really just an additional ownership verification step – these codes are rapidly becoming an archaic tool against increasingly sophisticated fraud tactics.

 

And the proof is in the pudding: even with security codes being as ubiquitous as they are, CNP fraud has only gone up. Traditional card security codes are no longer doing the job against CNP fraud.


The New Generation of Card Security Codes

To keep up with the security arms race, innovative solutions have been coming onto the market to shore up card security and combat CNP fraud. Today, many card issuers use dynamic card security codes (sometimes known as dCVVs), codes that change periodically, via digital wallets and e-cards. This makes it even more challenging for fraudsters to exploit stolen card information.

 

EVC (Ellipse Verification Code) technology brings a dynamic security code to the actual payment card itself, bridging the digital and the physical. When an EVC-equipped card is tapped or dipped during an in-person transaction, or triggered with a mobile app, the dynamic security code changes to a random, new card security code.




Final Thoughts on Card Security Codes

The card security code is a small but mighty feature in the world of credit and debit card security, and its introduction marked a significant step forward in the fight against fraud. Today, its efficacy is boosted when combined with emerging technologies like EVC, making credit cards well-suited and up-to-date for e-commerce, thereby safeguarding our financial transactions both in-person and online.

Recent Posts

See All

Comments


bottom of page