Three numbers. They live on the back of your card — four if you have an Amex, and they live on the front, because Amex has always done things differently. You type them every time you shop online without thinking much about it. But those three digits are genuinely load-bearing, and merchants who understand them tend to lose considerably less money to fraud than the ones who treat them as just another form field.

Where CVV came from

It's 1994. Online shopping barely exists. But card-not-present fraud — fraud over the phone and through mail orders — is already a serious problem. A British payment standards body called APACS developed the concept of a short verification value that would be printed on the card but not encoded in the magnetic stripe. Visa adopted it commercially as CVV (Card Verification Value) in 1997. Mastercard followed with CVC (Card Verification Code). American Express called theirs CID — and put it on the front in four digits, because they were never going to do the same thing as everyone else.

The core insight was deceptively simple: if a fraudster skims your magnetic stripe, they can clone it. But they can't reproduce a number that isn't encoded there to begin with.

CVV1, CVV2, and the ones nobody talks about

Most people don't know there are actually multiple CVV values associated with a single card, generated separately for different transaction types:

How it's actually generated

This part is genuinely clever. Your CVV2 isn't a random number — it's deterministically computed from three inputs:

  1. Your 16-digit card number (the PAN)
  2. Your card expiry date
  3. A secret key held by your issuing bank

The algorithm runs these through a 3DES encryption process and extracts three decimal digits from the result. There's no database of "card → CVV" pairs anywhere. When you type your CVV online, the bank recalculates the expected value on the fly using the same formula and checks whether it matches. If someone doesn't have the bank's secret key, they cannot derive a valid CVV from the card number alone. The only practical ways to know a valid CVV2 are: holding the physical card, photographing both sides, or buying it from someone who has done one of those things.
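The recompute-and-compare model described above, as an added example; it is not code from any issuer or card network. It swaps HMAC-SHA-256 in for the 3DES step, and the demo key, the function names and the digit-extraction rule are assumptions of this example, so its output is not a real CVV2.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real issuer key stays inside an HSM.
ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def decimalize(hex_text: str, length: int = 3) -> str:
    """Assumed extraction rule: decimal digits first, then a-f mapped to 0-5."""
    text = hex_text.lower()
    digits = [c for c in text if c in "0123456789"]
    letters = [str(int(c, 16) - 10) for c in text if c in "abcdef"]
    out = "".join(digits + letters)[:length]
    if len(out) < length:
        raise ValueError("not enough hex characters to decimalize")
    return out


def derive_code(pan: str, expiry_yymm: str, key: bytes = ISSUER_KEY) -> str:
    """Deterministic and keyed: same card data + same key -> same code."""
    if not (re.fullmatch(r"[0-9]{12,19}", pan) and re.fullmatch(r"[0-9]{4}", expiry_yymm)):
        raise ValueError("PAN must be 12-19 digits and expiry must be YYMM")
    # Stand-in for the 3DES step: HMAC-SHA-256 over PAN || expiry.
    mac = hmac.new(key, (pan + expiry_yymm).encode(), hashlib.sha256).hexdigest()
    return decimalize(mac)


def verify_code(pan: str, expiry_yymm: str, submitted: str, key: bytes = ISSUER_KEY) -> bool:
    """Issuer-side check: nothing is looked up; the code is recomputed and compared."""
    if not re.fullmatch(r"[0-9]{3}", submitted):
        return False
    expected = derive_code(pan, expiry_yymm, key)
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


if __name__ == "__main__":
    pan, expiry = "4111111111111111", "2812"  # test PAN, constructed expiry
    code = derive_code(pan, expiry)
    wrong = f"{(int(code) + 1) % 1000:03d}"
    print("recomputed code accepted:", verify_code(pan, expiry, code))
    print("off-by-one code rejected:", not verify_code(pan, expiry, wrong))
```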

What a CVV check actually confirms

When a transaction goes through with a matching CVV2, the issuer has confirmed exactly one thing: the person submitting this transaction knows the three digits printed on the physical card.

That's more useful than it sounds. The majority of card data sold on underground markets comes from breaches of merchant databases — and PCI DSS explicitly prohibits storing CVV2. A fraudster who bought 5 million card numbers in a breach dump typically has the card number, expiry, name, and billing address, but not the CVV2. CVV checking blocks that entire category of attack.

~55% of merchants use CVV checks as part of their fraud prevention
$28B in projected card-not-present fraud losses in 2026

What CVV doesn't confirm (read this part carefully)

CVV matching is necessary but not sufficient. Here's what it doesn't tell you:

Why $33.79 billion in chargebacks still happened in 2025

Despite widespread CVV adoption, chargeback losses hit $33.79 billion in 2025 across an estimated 261 million disputed transactions. CVV checking reduces one category of fraud. It doesn't cover friendly fraud, account takeover, or cases where the fraudster has the physical card (or a photo of it).

For merchants who need to know whether a card is genuinely active — not just that someone knows its CVV — the answer is a live authorization check: a zero-dollar inquiry or small auth hold sent directly to the card network. This tells you in real time whether the card will authorize before you attempt an actual charge.