The CVV code (Card Verification Value code) is a three- or four-digit number printed on credit cards, usually on the back. It was created to protect merchants and credit card issuing banks from fraudulent purchases in what are termed “cardholder not present” purchases. They are also referred to as CVC2 codes (Card Validation Codes), CID codes (Card Identification Codes) and CCID codes (Credit Card Identification Codes).
There are two types of CVV codes. The first one, the CVV1 code, is imprinted onto the magnetic strip on the back of every credit card. This code is used to impart information to the merchant who is scanning the card when the card and the cardholder are present.
The second type, the CVV2 code, is printed only onto the card itself and does not appear on the magnetic strip. The purpose of this second code is to make theft of the card information by electronic devices, a process known as skimming, more difficult.
In the case of skimming, when an unsuspecting card holder uses his card in an ATM or retail scanner that has been attached to a skimming device, the information from the magnetic strip of the card is copied and transferred to the device. Later the criminals can decode the information and “clone” a fake card with a fake magnetic strip, or simply use the information to make fraudulent purchases online.
Since the CVV2 code is not part of the information contained on the magnetic strip, it cannot be copied onto the skimming device. This renders the “cardholder not present” transaction void if the merchant requests the CVV2 code to complete the transaction. According to IT Facts, only 56% of online merchants request CVV2 codes to complete transactions even though studies have shown there is a 25% reduction in chargebacks from businesses that require them. In some countries the use of the CVV2 code is mandatory for all credit card transactions or the merchant risks losing his account.
The only other option for criminals using skimming devices to fraudulently obtain credit card information is to read and then copy the CVV2 code and then manually enter that information. Then they must match the written CVV2 code to the electronic information they have stolen. This makes the skimming process much more time consuming, dangerous and costly.
Most major credit cards such as MasterCard, Discover and Visa use a three-digit CVV2 code that is found printed, not embossed like the credit card number itself, on the back of the card on or near the signature panel. Lately, some card issuers have repositioned the CVV2 code in its own box to the right of the signature panel, as people unintentionally obscure the CVV2 by signing their cards.
American Express and Diner’s Club employ a four-digit number printed on the front of the card, again not embossed, that lies slightly above and to the right of the credit card number. Cardholders using these cards are asked to give out their “CID” number, not the CVV2 number.
It is important to note that CVV2 codes do not protect card holders from phishing scams, that is, fraudulent websites set up to attract credit card holders and lure them into giving out their information, including their CVV2 codes. Whatever the come-on at the website that you are visiting, a phishing scam will require you to manually enter your CVV2 code as part of the transaction. Once provided, they possess all the information necessary to use the card fraudulently, either right away or sometime down the road when you least expect it.
Essentially, a CVV2 code is a private, non-electronic communication between you and your credit card company. Be careful who you give it out to, as it is a very important number in your financial life.