Understanding Credit Card Security Codes

The information provided on this website does not, and is not intended to, act as legal, financial or credit advice. See Lexington Law’s editorial disclosure for more information.

Credit card security codes are an important security measure to prevent fraud and identity theft. They add an additional layer of safety when making purchases and help ensure the buyer is, in fact, the cardholder.

These security codes—often called CVV codes, short for “card verification value”—are three- or four-digit codes located directly on your credit card. They’re typically, but not always, asked for when making card-not-present transactions, such as those made online and over the phone. Here, we detail where to find them, how they work and why they’re important for consumer protection.

Where to Find Your CVV Code

The location of your CVV code depends on the credit card issuer:

  • Visa, Mastercard and Discover: The code will be three numbers on the back of the card to the right of the “authorized signature.”
  • American Express: The code will be four numbers on the front of the card above and to the right of the card number.
Where to locate your card's security code.

How to Find Your CVV Code Without the Card

Credit card security codes were designed to ensure that the person making a purchase actually has the card in their possession. Because of this, it’s impossible to look up your CVV code without having the physical card. This is why it’s important to have the physical card on hand if you need to make a purchase that requires a CVV code.

If an identity thief obtains your credit card number—for example, via shoulder surfing—may try to call the bank and pretend to be you in order to get the CVV code. However, banks typically don’t give out this information. Each financial institution has their own policies, but if you can’t read or access your CVV code, they will usually issue you a new card.

While most retailers require a CVV code when making card-not-present transactions, many don’t. In these instances, crooks would still be able to use your card.

How Are CVV Codes Generated?

According to IBM, CVV codes are generated using an algorithm. The algorithm requires the following information:

  • Primary account number (PAN)
  • Four-digit expiration date
  • Three-digit service code
  • A pair of cryptographically processed keys

Other Names for CVV Codes

Depending on the credit card company and when your card was issued, your security code may go by a different name. Even though there are many different abbreviations, the basic concept remains the same. Below are all the abbreviations and meanings for credit card security codes:

  • CID (Discover and American Express): Card Identification Number
  • CSC (American Express): Card Security Code
  • CVC (Mastercard): Card Verification Code
  • CVC2 (Visa): Card Validation Code 2
  • CVD (Discover): Card Verification Data
  • CVV (All): Card Verification Value
  • CVV2 (Visa): Card Verification Value 2
  • SPC (Uncommon): Signature Panel Code

Credit Card Security Code Precautions

While CVVs offer another layer of security to help protect users, there are still some things to be aware of when making card-not-present transactions.

  • Sign the back of your credit card as soon as you receive it.
  • Keep your CVV number secure. Never give it out unless absolutely necessary—and if you fully trust the person.
  • Review each billing statement to ensure there are no transactions you don’t recognize or didn’t authorize. If there are, contact your financial institution immediately and consider freezing your credit.
Credit card security precautions.

Protecting your identity requires constant vigilance—but emerging technology may have the potential to mitigate some of the risk of credit card fraud.

Shifting CVVs: The Future of Credit Card Safety?

Since chip-enabled cards replaced magnetic stripes, in-person credit card fraud has taken a big dip. Crooks are turning toward online and card-not-present methods of fraud. CVV codes are good at combating this type of fraud—but shifting CVVs, also referred to as dynamic CVVs, may be even better.

The technology works by displaying a temporary CVV code on a small battery-powered screen on the back of the card. The code regularly changes after a set interval of time. This helps thwart fraud because by the time a hacker has illegally obtained a shifting CVV code and tried to make a purchase, it will likely have changed.

Despite the security benefits, shifting CVVs haven’t been widely implemented due to high cost, and it remains to be seen if the technology and process can scale. Financial institutions have many measures in place, such as fraud alert, to notify you of potentially suspicious activity.

If you suspect you’ve been a victim of identity theft, call your credit card company, change your passwords and notify any credit bureaus and law enforcement agencies. By regularly checking your credit card statements, being careful about who you give your information to and being vigilant when making purchases, you’ll help do your part in keeping your identity secure.


Reviewed by John Heath, Directing Attorney of Lexington Law Firm. Written by Lexington Law.

Born and raised in Salt Lake City, John Heath earned his BA from the University of Utah and his Juris Doctor from Ohio Northern University. John has been the Directing Attorney of Lexington Law Firm since 2004. The firm focuses primarily on consumer credit report repair, but also practices family law, criminal law, general consumer litigation and collection defense on behalf of consumer debtors. John is admitted to practice law in Utah, Colorado, Washington D. C., Georgia, Texas and New York.

Note: Articles have only been reviewed by the indicated attorney, not written by them. The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, reviewers, contributors, contributing firms, or their respective agents or employers.