A card security code (CSC; also called card verification data [CVD] or a card verification number, card verification value [CVV], card verification value code, card verification code [CVC], verification code [V-code or V code], card code verification, or signature panel code [SPC]) is a security feature for "card not present" payment card transactions instituted to reduce the incidence of credit card fraud.
The CSC is in addition to the bank card number which is embossed or printed on the card. The CSC is used as a security feature, in situations where a PIN cannot be used. The PIN is not printed or embedded on the card but is manually entered by the cardholder during point-of-sale (card present) transactions. Contactless card and chip cards may electronically generate their own code, such as iCVV or a dynamic CVV.
CSC was originally developed in the UK as an 11 character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWest bank, the concept was adopted by APACS (the UK Association of Payment Clearing Services) and streamlined to the three-digit code known today. MasterCard started issuing CVC2 numbers in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999, in response to growing internet transactions and card member complaints of spending interruptions when the security of a card has been brought into question.
In 2016, a new e-commerce technology called Motioncode was introduced, designed to automatically refresh the CVV code to a new one every hour or so.
The codes have different names:
There are several types of security codes:
The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.
As a security measure, merchants who require the CVV2 for "card not present" payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.
The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorisation data) post transaction authorisation. This applies globally to anyone who stores, processes or transmits card holder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America, such as Sears and Staples, require the code. For American Express cards, this has been an invariable practice (for "card not present" transactions) in European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for "card not present" purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder's suspicion.
Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys known only to the card issuer, and decimalising the result.
Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.