A CVV2 code is an acronym for Card Verification Value 2. Found on the back of most VISA cards, the CVV2 code is a three-number card security code. CVV2 codes are used to prevent fraud when purchases are made over the phone or the Internet. During purchases, merchants send the CVV2 code with other purchase information and wait for authentication. Merchants, however, are not allowed to keep security codes on file.
Credit card thieves and frauds called carders often attempt to use stolen credit card numbers that they have pieced together from credit card receipts or have intercepted over the Internet. Since they do not have the physical card, they may attempt to make purchases over the phone, over the Internet, by mail or by fax. Referred to as CNP, or card not present purchases, they are therefore vulnerable to fraud and challenging for credit card companies to protect.
In order to ensure transaction security, most major credit cards have either a pin code or a three-digit code encoded in the magnetic strip of the card to guarantee ownership of the card during in store purchases. A second security feature, called a CVV code, or card verification value, is located on the back of the card. It guarantees ownership when the credit card is used and the card is not physically available for verification.
The credit card company VISA calls the three-digit code CVV2. Mastercard calls the code CVC2, or card validation code, and it is also a three-digit code. Both are located on the back of the card after the 16-digit account number, next to the signature. American Express has its own version called the CID, or card identification number, which is a four-digit number found on the front of the card, next to the account number. Other companies have similar security codes.
When CNP purchases are made, the merchant sends the amount, the name on the card, the account number, the expiration date and the CVV2 code to the credit card company and awaits approval. The credit card company sends back a response code and explanation code if the transaction went through or not. If the CVV2 code is a match with the code on a file, the response code is M, if not it is N. Merchants are not allowed to store security codes for any reason, although they can force a CNP through without a code.