Definition - What does Card Verification Value (CVV) mean?
A card verification value (CVV) is a security feature present in credit, debit and ATM cards to facilitate "card not present" transactions. It is an extra security feature meant to ensure that only the actual physical holder of the card can use it remotely and that someone who has gotten only the card number and some personal information cannot provide this value without the actual card.
A card verification value may also be known as a card verification number (CVN), card verification data (CVD), card security code (CSC), verification code (V Code) or card code verification (CCV).
The CVV is actually two security codes present in banking cards. The first, CVV1, is located on track-2 of the magnetic stripe of the card. The other, CVV2, is the three- or four-digit code that you can usually find on the back of your credit card to the right of the card number or the signature strip. The first code on the magnetic strip is meant to verify that the card is actually in the hands of the merchant during a transaction and is retrieved by swiping the card on a point-of-sale device. The second code written on the card is meant for remote transactions, where it's impossible for the merchant to see the card.
CVV codes are generated by the issuer and calculated by encrypting the bank card number together with the service code and expiration date and a secret encryption code known only by the issuer. This is then converted to decimal code to create a three- or four-digit code.
Card issuers require merchants not to store the CVV2 on any transaction database so that it cannot be stolen along with credit card numbers. Virtual payment terminals, payment gateways and ATM machines do not store the CVV2, which ensures that any individual who may have access to these payment interfaces and therefore complete access to card numbers, card holder names and expiration dates still lack the CVV2.
Unfortunately, this security feature cannot guard against phishing, where the card holder unknowingly yet willingly divulges the CVV2 together with the name, card number and the expiration date to the phisher.