November 30, 2023


The CVV (card verification value) is a 3 or 4-digit number on the back of credit and debit cards that is used in combination with the PAN (primary account number) to add an additional layer of security to transactions. Entering both the PAN and CVV as part of an online transaction is intended to verify that the customer has access to the physical card.

Depending on the card brand, this may also be referred to as CSC (card security code), CVC (card verification code), CAV (card authentication value) CVD (card verification data) etc.

The CVV is generated for each card by the issuer using an algorithm known only to the issuer based on the card number and expiry date.

Just like the PAN, merchants may not store the CVV. According to PCI DSS requirements (3.2):

“Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after payment processing authorization is complete.”

To reuse a card for subsequent card on file transactions, the card needs to be tokenized and stored in a PCI compliant vault. Subsequent transactions can then be flagged as being card-on-file or recurring transactions, indicating that the same card is being reused by the same customer.