Last editedMar 20222 min read
Any merchant with an online presence has to do everything they can to avoid processing fraudulent payments, and the CVV code helps make this easier. The CVV code performs the function of acting as an extra layer of security when a customer is making a Card Not Present (CNP) payment. In ecommerce terms, this covers all the payments a merchant ever receives, so CVV codes are used to verify that the customer making the purchase is in possession of the relevant payment card.
Why is it called a CVV code?
The name CVV code stands for card verification value. However, because the same process was developed by numerous platforms and payment card systems simultaneously, it is also sometimes known by a different name, such as CVV2, CVD or CCV. All of these names refer to systems which work in the same way, so understanding CVV codes will mean understanding them all.
Where to find a CVV code
On the majority of payment cards, such as Visa and MasterCard, the CVV Code is a three-digit number located on the signature strip on the back of the card. The exception to this is the American Express system, which uses a four-digit number on the front of the card. In simple terms, the CVV code acts as a security measure to ensure that the card being used to make a payment actually belongs to the person making the purchase.
CVV codes and fraud
All too often, fraudsters will be able to get hold of details from a payment card such as the long number and expiry date. Details such as these can be stolen using ‘skimming’ devices reading from ATM machines or payment terminals. Armed with only this information, and without the CVV code, the fraudsters will find themselves unable to use the card in question to make payments online.
The fact that merchants are not allowed to save the CVV codes entered by customers means that they are not vulnerable to incidents such as data breaches or hacking. Any merchant found to be saving CVV codes in contravention of the data compliance standards could find themselves paying a large fine, or having access to payment processing facilities withdrawn altogether.
How CVV codes work
When a customer makes a purchase online, they are asked to enter the CVV code, usually referred to as ‘the last three digits on the back of the card’. Once this has been done, the merchant passes the details of the card – the long number, the expiration date, the name and address of the customer and the CVV code – for authorisation by the acquiring bank.
This information is then passed by the bank to the card provider such as Visa, at which point the payment will be declined or approved. The whole process takes just seconds, and if a CVV code was included with the payment, the merchant will receive a CVV code indicating the status of the payment card. The code could be any one of the following:
M – the CVV matches the information on file with the cardholder’s bank
N – the CVV doesn’t match the information on file with the cardholder’s bank
U – the CVV has not been verified. This means that the issuing bank didn’t state whether the CVV is correct, and generally happens if the transaction is declined before the CVV has been checked.
I – no CVV was provided
S – the card-issuing bank doesn’t participate in the card verification scheme