card security code ( CSC ; Also called card verification data [ CVD ] or a card verification number , card verification value [ CVV ] Card Verification Value code , card verification code [ CAC ], verification code [ V-code or V code ] , card verification code , [1] or signing code panel [ SPC ] [2] ) is a security feature for ” card not present “Payment card transactions to reduce the incidence of credit card fraud .

The CSC is in addition to the bank card which is embossed or printed on the card. The CSC is used as a security feature, in situations where a PIN can not be used. The PIN is not printed or embedded on the card is manually ENTERED goal by the cardholder During the point-of-sale (card present) transactions. Contactless card and chip cards may electronically generate their own code, such as iCVV or a dynamic CVV.

CSC was originally developed in the UK as an 11 character alphanumeric code by Equifax employee Michael Stone in 1995. After testing with the Littlewoods Home Shopping group and NatWestbank, the concept was adopted by APACS (the UK Association of Payment Clearing Services) and streamlined To the three-digit code known today. MasterCard started issuing CVC2 numbers in 1997 and Visa in the United States issued them by 2001. American Express started to use the CSC in 1999, in response to growing internet transactions and card member’s complaints of spending interruptions Into question.

In 2016, a new e-commerce technology called Motioncode was introduced, designed to automatically refresh the CVV code to a new one every hour or so. [3]


The codes have different names:

  • “CID”, “Card ID”, “Card Identification Number”, or “Card Identification Code” – Discover , American Express (four digits on front of card) [a] [4]
  • “CSC” or “Card Security Code” – debit cards , which? ] American Express (4 digits on back of card) [4]
  • “CVC2” or “Card Validation Code” – MasterCard
  • “CVD” or “Card Verification Data” – Discover , sometimes used as the common acronym for this kind of code
  • “CVE” or “Elo Verification Code” – Elo in Brazil
  • “CVN2” or “Card Validation Number 2” – China UnionPay
  • “CVV2” or “Card Verification Value 2” – Visa

Types of codes

There are several types of security codes:

  • The first code, called CVC1 or CVV1, is encoded on track two of the magnetic stripe of the card and used for card present transactions. The purpose of the code is to verify that it is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped to a point of sale and is verified by the issuer. A limitation is that if the whole card has been duplicated and the magnetic stripe copied, then the code is still valid. (See credit card fraud § skimming .)
  • The second code, and the most cited, is CVV2 or CVC2. This code is Often Sought by merchants for card not present transactions Occurring by mail, fax, phone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person. Citation needed ]
  • Contactless cards and chip cards may provide their own electronically generated codes, such as iCVV or a dynamic CVV.

Location of code

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

  • American Express cards have a four-digit code printed on the front side of the card above the number.
  • Diners Club , Discover, JCB , MasterCard, and Visa credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature of the card.
  • New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. [5] This has been done to prevent overwriting of the numbers by signing the card.

Security benefits

As a security measure, merchants who require the CVV2 for ” card not present ” payment are required by the card issuer not to store the CVV2 once the individual transaction is authorized. [6] This way, if a database of transactions is compromised , the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2, therefore employees and customer service representatives with access to web-based payment thesis Who Otherwise interfaces-have access to full card numbers, expiration dates, and other information Lack still the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other post-authorization data) authorization. This applies globally to anyone who stores, processes or transmits card holder data. [7] Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction. However, some merchants in North America, such as Sears and Staples , require the code. For American Express cards, this has been an invariable practice for European Union (EU) countries like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank / cardholder, in which a fraudulent merchant or employee can not simply capture the magnetic stripe from the card. To do this, the merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.


  • The use of the CSC can not protect against phishing scams, where the cardholder is tricked into entering the CSC among other card details via a fraudulent website. The growth in phishing has reduced the real-world effectiveness of the CSC as an anti-fraud device. There is also a scam where a phisher has already obtained the card account number (perhaps by hacking a merchant database or from a poorly designed receipt) and gives this information to the victims The CSC (which is all that the phisher needs). [8]
  • Since the CSC may not be stored by the merchant for any length of time [6] (after the original transaction in which the CSC was quoted and then authorized) Able to provide the code after the initial transaction. Payment gateways, however, have responded by adding “periodic bill” as part of the authorization process.
  • Some card issuers do not use the CSC. HOWEVER, transactions without CCS are Subjected to Higher Possibly card processing cost to the merchants, citation needed ] and fraudulent transactions without CCS are More Likely to be resolved in favor of the cardholder. Citation needed ]
  • It is not mandatory for a security code to make a transaction, hence the card may still be prone to fraud even if its number is known to phishers.
  • It is possible for a fraudster to guess the CSC by using a distributed attack. [9]

Generation of CSC

The CSC for each card (form 1 and 2) is generated by the card issuer when the card is issued. It is calculated by encrypting the bank card number and expiration date (two fields printed on the card) with encryption keys and only decimalising the result. [10] [11]

See also

  • Credit card fraud
  • ISO 8583 (data element # 44 carries the Security Code response)


  1. Jump up^ American Express usually uses the four-digit code on the front of the card, referred to as the Card Identification Code (CID), but also has a three-digit code on the card Security Code (CSC). American Express also sometimes refers to a “Unique Card Code”.


  1. Jump up^ “Authorize.Net – Developer Frequently Asked Questions:” . Retrieved 2009-03-29 .
  2. Jump up^ “CIBC MasterCard – MasterCard SecureCode” . Archived from the original on 24 April 2014 . Retrieved 2012-07-12 .
  3. Jump up^ -french-banks-to-Eliminate-fraud /
  4. ^ Jump up to:b Do I need to do anything before using my Gift Card or Gift Card Business? , “Four digit Card Identification Code (CID) on the back of the Card,
  5. Jump up^ “Card Security Features” (PDF) . Visa. Archived from the original(PDF) on 2012-02-16.
  6. ^ Jump up to:b “Rules for Visa Merchants” (doc) . p. 1.
  7. Jump up^ “Official Source of PCI DSS Data Security Standards Documents and Payment Card Compliance Guidelines” . . Retrieved 2011-12-25 .
  8. Jump up^ “Urban Legends Reference Pages: Visa Fraud Investigation Scam” . . Retrieved 2011-12-25 .
  9. Jump up^ Ducklin, Paul (December 5, 2016). “How to guess credit card security codes” . Naked security by SOPHOS . Retrieved 8 December 2016 .
  10. Jump up^ “z / OS Integrated Cryptographic Service Facility Application Programmer’s Guide” . IBM. March 2002. p. 209.
  11. Jump up^ “z / OS Integrated Cryptographic Service Facility Application Programmer’s Guide” . IBM. March 2002. p. 258.