CVC / CVV (Card Verification Value)
The CVC/CVV is the 3-4 digit security code on a card that proves the buyer physically has the card, helping block fraud on online payments.
CVC / CVV is the short security code printed on a payment card — three digits on the back of Visa and Mastercard, four on the front of American Express. It exists to prove the person entering the card details actually has the card in hand, which matters for online (card-not-present) purchases where the card can't be swiped or dipped.
What CVC / CVV checks
When a card is used online, the merchant collects the code and passes it to the issuer for verification. The issuer returns a result: match, no match, or not provided. A code that doesn't match is a strong fraud signal, because a stolen card number leaked in a data breach usually doesn't include the printed security code.
The acronyms differ by network but mean the same thing: CVV2 (Visa), CVC2 (Mastercard), and CID (American Express). In Stripe, the check result surfaces on the charge's payment_method_details.card.checks.cvc_check field as pass, fail, or unavailable.
Why it matters
- Fraud prevention — pairing the code check with AVS filters out many stolen-number attempts before they settle.
- Card testing defense — automated card-testing attacks often can't supply a valid code, so a wave of CVC failures is an early warning.
- Storage rules — PCI DSS forbids storing the code after authorization, even encrypted. It's used once and discarded.
Because the code is single-use and never stored, tokenization of a saved card doesn't retain it — a returning customer's stored card is charged without re-checking the CVC unless the merchant collects it again.
In practice
A failed CVC check doesn't always block a payment on its own; the issuer decides whether to approve. Merchants and their fraud tools weigh it alongside the amount, the AVS result, and a risk score to decide whether to accept, challenge, or decline.
Related terms
Updated July 6, 2026