Card protection code

Security feature on payment cards
The card security code is located on the back of MasterCard, Visa, Discover, Diners Club, and JCB credit or debit cards and is typically a separate group of three digits to the right of the signature strip.
On American Express cards, the card security code is a printed, not embossed, group of four digits on the front towards the right.

A card security code (CSC), card verification data (CVD), card verification number, card verification value (CVV), card verification value code, card verification code (CVC), verification code (V-code or V code), or signature panel code (SPC)[1] is a security feature for “card not present” payment card transactions instituted to reduce the incidence of credit card fraud.

The CSC is in addition to the bank card number which is embossed or printed on the card. The CSC is used as a security feature, in situations where a personal identification number (PIN) cannot be used. The PIN is not printed or embedded on the card but is manually entered by the cardholder during point-of-sale (card present) transactions. Contactless card and chip cards may electronically generate their own code, such as iCVV or a dynamic CVV.

CSC was originally developed in the UK as an eleven-character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWest bank, the concept was adopted by the UK Association for Payment Clearing Services (APACS) and streamlined to the three-digit code known today. MasterCard started issuing CVC2 numbers in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999, in response to growing Internet transactions and card member complaints of spending interruptions when the security of a card has been brought into question.

In 2016, a new e-commerce technology called Motioncode was introduced, designed to automatically refresh the CVV code to a new one every hour or so.[2]


  • 1 Description
  • 2 Types of codes
  • 3 Location of code
  • 4 Security benefits
  • 5 Limitations
  • 6 Generation
  • 7 See also
  • 8 Citations
  • 9 Notes


The codes have different names:

  • “CAV” or “card authentication value” – JCB
  • “CID”: “card ID”, “card identification number”, or “card identification code” – Discover, American Express (four digits on front of card)[a][3]
  • “CSC” or “card security code” – debit cards,[which?] American Express (three digits on back of card)[3]
  • “CVC” or “card validation code” – MasterCard
  • “CVD” or “card verification data” – Discover, sometimes used as the common initialism for this kind of code
  • “CVE” or “Elo verification code” – Elo in Brazil
  • “CVN” or “card validation number” – China UnionPay
  • “CVV” or “card verification value” – Visa

Types of codes[edit]

There are several types of security codes:

  • The first code, called CVC1 or CVV1, is encoded on track two of the magnetic stripe of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is read (swiped) on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid. (See credit card fraud § skimming.)
  • The second code, and the most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail, fax, telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.[citation needed]
  • Contactless cards and chip cards may supply their own electronically generated codes, such as iCVV or a dynamic CVV.

Location of code[edit]

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, however, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

  • American Express cards have a four-digit code printed on the front side of the card above the number.
  • Diners Club, Discover, JCB, MasterCard, and Visa credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.
  • New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip.[4] This has been done to prevent overwriting of the numbers by signing the card.

Security benefits[edit]

As a security measure, merchants who require the CVV2 for “card not present” payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized.[5] This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data.[6]
Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for “card not present” transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for “card not present” purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.


  • The use of the CSC cannot protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is now also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims (lulling them into a false sense of security) before asking for the CSC (which is all that the phisher needs and the purpose of the scam in the first place).[7]
  • Since the CSC may not be stored by the merchant for any length of time[5] (after the original transaction in which the CSC was quoted and then authorized), a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction. Payment gateways, however, have responded by adding “periodic bill” features as part of the authorization process.
  • Some card issuers do not use the CSC. However, transactions without CSC are possibly subjected to higher card processing cost to the merchants,[citation needed] and fraudulent transactions without CSC are more likely to be resolved in favour of the cardholder.[citation needed]
  • It is not mandatory for a merchant to require the security code for making a transaction,[citation needed] hence the card may still be prone to fraud even if only its number is known to phishers.
  • It is possible for a fraudster to guess the CSC by using a distributed attack.[8]


The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys known only to the card issuer, and decimalising the result.[9][10]

See also[edit]

  • Credit card fraud
  • ISO 8583 (data element #44 carries the Security Code response)


  • ^ “CIBC MasterCard – MasterCard SecureCode”. Archived from the original on 24 April 2014. Retrieved cite.citation{font-style:inherit}.mw-parser-output .citation q{quotes:”””””””‘””‘”}.mw-parser-output .id-lock-free a,.mw-parser-output .citation .cs1-lock-free a{background:url(“//”)no-repeat;background-position:right .1em center}.mw-parser-output .id-lock-limited a,.mw-parser-output .id-lock-registration a,.mw-parser-output .citation .cs1-lock-limited a,.mw-parser-output .citation .cs1-lock-registration a{background:url(“//”)no-repeat;background-position:right .1em center}.mw-parser-output .id-lock-subscription a,.mw-parser-output .citation .cs1-lock-subscription a{background:url(“//”)no-repeat;background-position:right .1em center}.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registration{color:#555}.mw-parser-output .cs1-subscription span,.mw-parser-output .cs1-registration span{border-bottom:1px dotted;cursor:help}.mw-parser-output .cs1-ws-icon a{background:url(“//”)no-repeat;background-position:right .1em center}.mw-parser-output code.cs1-code{color:inherit;background:inherit;border:inherit;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;font-size:100%}.mw-parser-output .cs1-visible-error{font-size:100%}.mw-parser-output .cs1-maint{display:none;color:#33aa33;margin-left:0.3em}.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registration,.mw-parser-output .cs1-format{font-size:95%}.mw-parser-output .cs1-kern-left,.mw-parser-output .cs1-kern-wl-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right,.mw-parser-output .cs1-kern-wl-right{padding-right:0.2em}
  • ^ “This card is being rolled out by French banks to eliminate fraud”. 27 September 2016. Archived from the original on 3 October 2016. Retrieved 10 April 2018.
  • ^ a b Do I need to do anything before using my Gift Card or Business Gift Card?, “four digit Card Identification Code (CID) located on the front of the Card, three digit Card Security Code (CSC) on the back of the Card”
  • ^ “Card Security Features” (PDF). Visa. Archived from the original (PDF) on 16 February 2012.
  • ^ a b “Rules for Visa Merchants” (doc). p. 1.
  • ^ “Official Source of PCI DSS Data Security Standards Documents and Payment Card Compliance Guidelines”. Retrieved 25 December 2011.
  • ^ “Urban Legends Reference Pages: Visa Fraud Investigation Scam”. Retrieved 25 December 2011.
  • ^ Ducklin, Paul (5 December 2016). “How to guess credit card security codes”. naked security by SOPHOS. Retrieved 8 December 2016.
  • ^ “z/OS Integrated Cryptographic Service Facility Application Programmer’s Guide”. IBM. March 2002. p. 209.
  • ^ “z/OS Integrated Cryptographic Service Facility Application Programmer’s Guide”. IBM. March 2002. p. 258.
  • Notes[edit]

  • ^ American Express usually uses the four-digit code on the front of the card, referred to as the card identification code (CID), but also has a three-digit code on the back of the card, referred to as the card security code (CSC). American Express also sometimes refers to a “unique card code”.

  • Few Remember Just How Ridiculous and Lawless Bloomberg’s Muslim Surveillance Really Was

    Few Remember Just How Ridiculous and Lawless Bloomberg’s Muslim Surveillance Really Was

    “Oh my God, maybe that was an NYPD officer. Maybe I wasn’t being paranoid.”

    Pence named Trump’s coronavirus czar amid health fears

    Donald Trump appoints Vice-President Mike Pence to coordinate the response to the coronavirus outbreak.

    WHO: global community not ready to take same measures as China to contain coronavirus

    The World Health Organization (WHO) said in a report issued on Friday that much of the global community is not yet ready to implement the types of measures that have contained the fast-moving coronavirus outbreak in China.

    Anti-Vaxxers Are Terrified the Government Will ‘Enforce’ a Vaccine for Coronavirus

    Anti-vax groups on social media are claiming that the spread of the disease will lead to mandatory vaccinations and ‘unlimited surveillance.’

    A man was arrested after allegedly using counterfeit money to buy Girl Scout cookies

    A man in Oregon was arrested after he allegedly used counterfeit money to buy a box of Girl Scout cookies outside of a Walmart, Salem police said.

    Chinese social-media platform WeChat saw spikes in the terms ‘SARS,’ ‘coronavirus,’ and ‘shortness of breath,’ weeks before the first cases were confirmed, a study suggests

    A new paper from Chinese scientists found that posts on WeChat, China’s main social-media site, used keywords related to the new coronavirus weeks before the Chinese government confirmed cases. The study, which has not yet been peer reviewed, raises new quest…

    Clearview’s list of law-enforcement clients lost in data breach

    Losing data to an intruder is not a great look for a law enforcement partner.

    This browser tool uses AI to fix an exploit even Mark Zuckerberg is afraid of

    A Google web engineer made a browser tool for fun that edits humans out of a video feed in real time. The tool uses neural networks that detect and remove humans while still showing everything else going on in a video. It could be used as a clever privacy mea…

    Signs of Surveillance!.?.!Video screencapture of the live web based job’ signs of monitoring ‘indications of

    China Uighurs 'moved into factory forced labour' for foreign brands

    China Uighurs ‘moved into factory forced labour’ for foreign brands

    A report says China has moved minority Muslims into factory jobs, where their freedom is restricted.

    UAE says ready for ‘worst case’ scenarios as coronavirus spreads in Middle East

    The United Arab Emirates, a major international air transit center, is prepared for “worst case scenarios” as the new coronavirus spreads in the Middle East, a government official said on Wednesday.

    Departing MI5 chief: Break chat app crypto for us, kthxbai

    Sir Andrew Parker also claims UK spies are not doing bulk surveillance British spies are once again stipulating that tech companies break their encryption so life is made easier for state-sponsored eavesdroppers.…

    This is not Huawei to reassure people about Beijing’s spying eyes: Trivial backdoor found in HiSilicon’s firmware for net-connected cams, recorders

    Crap security? Shocked, shocked, we tell you This may shock you, but Huawei effectively built a poorly hidden, insecure backdoor into surveillance equipment that uses its HiSilicon subsidiary’s chips, it appears.…

    Man trampled by startled deer in McDonalds parking lot

    “I mean, just see the flash of him rolling over me and in a straight line, and he was gone,” the deer-trampled gentleman told WSOC-TV. ‘It was absolutely nuts,’ said Ken Worthy, a retired detective in North Carolina who was randomly plowed over by a startled …

    Pardon the Intrusion #10: Faces faces everywhere

    Subscribe to this bi-weekly newsletter here! Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security. Facial recognition systems for use by law enforcement are all the rage these days. C…

    Ring is finally requiring a basic security feature to help prevent hacks

    Mandatory two-factor authentication is coming soon to Amazon’s home surveillance system.

    State Actors Are Increasingly Targeting Journalists With Surveillance Malware

    Columbia Journalism Review is reporting it has witnessed more malware attacks targeting journalists. An article by Financial Times cyber security head Ahana Datta details attempts to compromise a Middle East correspondent’s phone via WhatsApp. The corresponde…