What Is a Card Security Code (CVV)? A Plain-English Guide for Shoppers and Store Owners
If you have ever paid for something online, you have been asked for it: that short three- or four-digit number printed on your payment card, separate from the long card number. It goes by several names — CVV, CVC, CID, or CSC — and most people type it in without ever thinking about what it actually does.
Here is the short, reassuring answer. The card security code (CVV) is a small number used to prove that the person making an online or phone payment is physically holding the card. It exists to protect you from fraud, and it is built around one elegant security rule that most shoppers never hear about — a rule that also happens to be the single most important thing for online store owners to understand. Let’s walk through all of it, calmly and clearly.
Key Takeaways
• A CVV (card security code) is the 3- or 4-digit code on your card used to verify that you have the physical card during online and phone purchases.
• It goes by different names depending on the card brand: CVV, CVC, CID, or CSC — they all do the same job.
• For most cards the code is 3 digits on the back; on American Express it is 4 digits on the front.
• The CVV is an anti-fraud measure for “card-not-present” payments, where a stolen card number alone shouldn’t be enough to make a purchase.
• Payment security rules (PCI DSS) forbid merchants from storing the CVV after a transaction is authorized — it is meant to be used once and discarded.
• Online store owners should never handle or store raw card data or CVVs themselves. A PCI-compliant payment gateway does that job, so sensitive data never touches your server.
What exactly is a card security code (CVV)?
A card security code is a short numeric code printed on (not embossed into) your credit or debit card. Its whole purpose is to act as a quick proof of possession: if you can read that number off the card, you almost certainly have the real card in your hand.
The reason it has so many names is simply that each card network chose its own label. They all describe the same kind of code:
| Term | Stands for | Used by |
|---|---|---|
| CVV | Card Verification Value | Visa |
| CVC | Card Verification Code | Mastercard |
| CID | Card Identification Number | American Express, Discover |
| CSC | Card Security Code | Generic / industry term |
When a checkout page says “CVV,” “CVC,” “security code,” or “CID,” it is asking for the same thing. Don’t let the different acronyms worry you — they are interchangeable in everyday use.
Where is the CVV located on my card?
This is the most common practical question, and the answer is reassuringly simple:
- Most cards (Visa, Mastercard, Discover): the security code is the 3-digit number printed on the back, usually inside or just after the signature strip.
- American Express cards: the code is 4 digits printed on the front, typically above and to the right of the main card number.
If you ever can’t find it, that location difference — back-of-card three digits versus front-of-card four digits — is the thing to remember. Notice also that the security code is *printed*, not raised like the main card number. That detail matters more than it looks, and we’ll come back to it.
Why does the CVV exist in the first place?
To understand the CVV, it helps to know the term “card-not-present” transaction. That simply means any payment where the merchant can’t physically see or swipe your card — online checkouts and phone orders being the classic examples. In a shop, the card is present: it gets swiped, inserted, or tapped, and the chip or magnetic stripe proves it is real. Online, none of that happens.
So how does a website gain some confidence that the customer actually has the card, rather than just a stolen card number? That is the job of the CVV. The card number, the expiry date, and the name might be exposed in a receipt, a data breach, or a discarded statement — but the security code is an extra factor that is harder to obtain unless you are holding the physical card.
In other words, the CVV is a deliberate anti-fraud layer for online payments. It raises the bar so that a card number on its own is less useful to a thief.
How is the CVV used during an online payment?
The process is quick and mostly invisible to you:
- At checkout, you enter your card number, expiry date, and the security code.
- The merchant’s payment system passes those details (over an encrypted connection) to the payment processor and, ultimately, the card issuer — your bank.
- The issuer checks whether the CVV you entered matches the code on file for that card.
- If it matches (along with the other checks), the transaction is approved; if not, it is declined.
The key point: the merchant does not “judge” your CVV. The issuing bank does. The store is just a messenger passing the code along to be verified, and — as we are about to see — it is supposed to forget the code the moment that verification is done.
What is the one rule every merchant must follow with CVVs?
Here is the heart of the matter, and the rule that defines responsible payment handling.
| Data type | Can a merchant store it? | Why |
|---|---|---|
| Card number (PAN) | Yes, but only with strict protection (encryption, access controls) | Needed for things like refunds and recurring billing |
| Cardholder name / expiry | Yes, under protection | Needed to process and reconcile payments |
| CVV / security code | No — must never be stored after authorization | It is a one-time proof of possession; storing it would defeat its purpose |
| PIN | No — never stored by merchants | A secret used for in-person/ATM authentication |
That third row is the one to tattoo on the inside of your eyelids. Under the Payment Card Industry Data Security Standard (PCI DSS) — the global rulebook for handling card data — merchants are explicitly prohibited from storing the CVV after a transaction has been authorized. The code is *transient by design*: used once, verified, and then gone.
Why must the CVV never be stored?
Think about what would happen if the rule were the opposite. Imagine a store kept a tidy database of every customer’s card number, expiry date, *and* security code. Now imagine that database leaks — which, unfortunately, happens. A thief would suddenly hold everything needed to make fraudulent online purchases: the full card details *plus* the proof-of-possession code.
By forbidding CVV storage, the payment-security world removes that worst-case scenario. Even if a merchant’s database is breached and card numbers are exposed, the one piece that proves possession — the security code — was never kept. The stolen numbers are far harder to use online because the missing CVV can’t be conjured from a leaked database.
Here is the clever bit that most people, including many merchants, never fully appreciate: the CVV’s security comes from the fact that it is deliberately disposable. Card numbers get saved — that’s how recurring subscriptions and one-click reorders work — but they live under heavy protection. The CVV is the opposite: payment-security standards explicitly forbid keeping it after authorization, *precisely so that a breach can’t hand thieves a ready-to-use card.* The “never stored” rule isn’t a limitation bolted on afterward; it *is* the feature.
And for online store owners this carries a genuinely liberating lesson. You should never be in the business of touching, storing, or securing raw card data or CVVs at all — that is exactly what PCI-compliant payment gateways exist to do. The safest store is one where sensitive card data never lands on your server: a proper payment processor handles the card and the CVV, while your site simply handles the order. The CVV being un-storable by rule is a protection for your customers, and the smart merchant designs their store to *inherit* that protection rather than shoulder the risk.
CVV vs card number vs PIN — what’s the difference?
These three are easy to mix up, but they serve very different roles:
- The card number (PAN) is the long 15–16 digit number that identifies your account. It is *embossed or printed* on the card and is the least secret of the three — it appears on receipts and statements.
- The CVV (security code) is the short printed code that proves possession for *online and phone* payments. It is meant to be used and discarded, never stored by merchants.
- The PIN is your secret personal number for *in-person and ATM* transactions. You should never be asked for your PIN during a normal online purchase, and a legitimate online store never stores it.
A simple way to remember it: the card number says *which* account, the CVV helps prove you *hold the card* online, and the PIN authenticates you *in person*. If any website asks for your PIN to complete an ordinary online order, treat that as a serious warning sign.
What does this mean for online store owners?
If you run an online store, the lesson above turns into a clear, practical design principle: do not handle raw card data or CVVs yourself. It is tempting to think you need to “collect” card details to take payment, but the modern, secure approach is the opposite — keep that data off your server entirely.
Here is how responsible stores are built:
- Use a PCI-compliant payment gateway or processor. Established payment gateways are built specifically to capture, encrypt, and verify card data and CVVs on *their* systems, not yours. The card details often never even pass through your server.
- Never write code that stores the CVV. Not in a database, not in logs, not in a temporary cache, not in an email. The rule is absolute.
- Encrypt everything in transit. A valid SSL/TLS certificate so the entire checkout runs over HTTPS is non-negotiable — it protects the data while it travels from the shopper to the gateway.
- Keep your platform hardened and updated. Outdated plugins, themes, and server software are how attackers get in. A secure, monitored hosting environment dramatically reduces that risk.
- Understand your responsibility. Even when a gateway handles the card data, your store is still part of the security chain. Your job is a secure checkout, a properly maintained site, and never storing prohibited data.
The reassuring truth is that this *reduces* your burden. By offloading sensitive card handling to specialists, you shrink the amount of dangerous data you are responsible for to almost nothing. For the bigger picture on building a store this way, see our eCommerce hosting pillar guide.
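The "not in a database, not in logs" rule above is easiest to break by accident, for example when a checkout error handler logs the whole request. The following is an added example, not code from this guide or from any gateway: a Python logging filter that strips security codes and masks card numbers before a log line is written. The field-name list and the `[REMOVED]` / `[PAN ****1111]` output formats are assumptions chosen for illustration.

```python
import logging
import re

# Field names that commonly carry the security code (assumed list; extend for your forms).
CVV_KEYS = {"cvv", "cvc", "cid", "csc", "cvv2", "cvc2", "security_code"}
# 13-19 digits, optionally separated by spaces or dashes: candidate card numbers.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# key=value or "key": "value" pairs whose key is a CVV name and whose value is 3-4 digits.
CVV_RE = re.compile(
    r"\b(" + "|".join(sorted(CVV_KEYS)) + r")\b([\"']?\s*[:=]\s*[\"']?)\d{3,4}\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so long order ids that are not card numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group())
    return f"[PAN ****{digits[-4:]}]" if luhn_ok(digits) else m.group()


def scrub_text(text: str) -> str:
    """Drop CVV values entirely and mask card numbers down to the last four digits."""
    text = CVV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REMOVED]", text)
    return PAN_RE.sub(_mask_pan, text)


class CardDataFilter(logging.Filter):
    """Scrubs the fully formatted message before any handler can write it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub_text(record.getMessage()), None
        return True
```

Attach it to each handler with `handler.addFilter(CardDataFilter())`. It is a backstop for mistakes, not a replacement for keeping card fields on the gateway's side.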
How DarazHost helps you do payments the right way
Doing payments securely starts with a secure foundation, and that is exactly what DarazHost provides. Our hosting gives online stores the platform to handle payments the *right* way — with fast SSD hosting and free SSL so your entire checkout is encrypted end to end, a hardened, continuously monitored platform, and the reliability your store needs to stay open and trusted.
That foundation lets you do the most important thing of all: integrate a PCI-compliant payment gateway that handles card data and CVVs so you never store them. DarazHost keeps the sensitive data off your plate and gives you a secure, dependable base to build on — backed by 24/7 support whenever you need a hand. It is secure ecommerce hosting designed so that the riskiest data never has to live on your server in the first place.
Frequently asked questions
Is it safe to enter my CVV on a website?
Yes — when the site is legitimate and the connection is secure. Look for “https://” and a padlock in the address bar, which means the page is encrypted. A reputable store passes your CVV to its payment processor for a one-time verification and is required by payment-security rules never to store it. Avoid entering your CVV on sites that look untrustworthy or that arrive via unsolicited links.
Why does a website need my CVV if it already has my card number?
Because the card number alone doesn’t prove you are holding the physical card. The CVV is an extra anti-fraud check for card-not-present payments. Requiring it makes a leaked or stolen card number far less useful to a fraudster, since they would also need the security code printed on the card.
Should an online store ever ask me to email my CVV or save it for next time?
No. A legitimate merchant will never ask you to email your security code, and they are not permitted to store it for future use. If a site offers to “save your CVV” for faster checkout, that is a red flag — saved-card features store the card number under protection, but the CVV is re-entered each time precisely because it must not be kept.
What is the difference between a CVV and an OTP?
A CVV is the fixed code printed on your card. An OTP (one-time password) is a temporary code your bank sends — usually by text or app — for an extra verification step during a transaction. They work together in some payment flows but are different things: the CVV is on the card, the OTP comes from your bank in the moment.
As a store owner, do I need to be PCI compliant if I use a payment gateway?
You still have PCI responsibilities, but a good gateway dramatically reduces them. When card data and CVVs are captured and processed entirely on the gateway’s systems — never touching your server — your compliance scope shrinks significantly. Pair that with a secure host, SSL, and a well-maintained site, and you keep your obligations manageable while keeping customers protected.