Personal
Business
Community
Company
Support
Open Account
Main page
Blog

Card Security Code Explained: CVV, CVC and Safe Online Payments

By
Emma Carter
21.05.2026
12 min
You're about to hit "Pay Now" on an online checkout, and the form asks for your "CVV." Or maybe it says "CVC." Or "Security Code." You flip your card over, find a three-digit number near the signature strip, type it in, and move on with your life. But what is that number actually doing? Why does every online merchant demand it? And how should you handle it to keep your payment card secure?
With card-not-present fraud accounting for €1.329 billion in losses across EU/EEA-issued cards in 2024 — a 29% year-on-year increase according to the joint EBA-ECB 2025 report on payment fraud — understanding your card security code isn't just useful trivia. It's a practical part of keeping your money safe when shopping online.
This article explains what CVV and CVC codes are, why they exist, how they protect you during online payments, and what you should (and shouldn't) do with them.
What Is a Card Security Code?
A card security code is a short numeric code printed on your payment card — separate from the card number — that proves you physically have the card during a remote transaction. When you shop in a physical store, the chip or NFC antenna in your card handles authentication. But when you shop online or pay by phone, the merchant can't verify your card is physically present. The card security code fills that gap.
The code is classified as sensitive authentication data (SAD) under the PCI Data Security Standard (PCI DSS), the global security framework that governs how every business handling card payments must protect cardholder information. Under PCI DSS Requirement 3.3.1, merchants are prohibited from storing the card security code after a transaction is authorised — even if the data is encrypted. This is intentional: if a data breach exposes card numbers and expiry dates, the security code won't be in the compromised data, because it was never stored.
What Is the Difference Between CVV and CVC?
There is no functional difference. When the card security code was introduced in the late 1990s, each card network trademarked its own name for what is the same feature. According to the PCI Security Standards Council's FAQ, the code is "referred to as CAV2, CVC2, CVN2, CVV2, or CID, depending on the payment brand."
Here's the full breakdown:
Acronym
Full Name
Card Network
Digits
Location on Card
CVV / CVV2
Card Verification Value
Visa
3
Back
CVC / CVC2
Card Verification Code
Mastercard
3
Back
CSC
Card Security Code
Generic industry term
3
Back
CID
Card Identification Number
American Express
4
Front
:::b2c-body-body-regular{color=#8D8E91}If a checkout form asks for "CVV" and you have a Mastercard, just enter the three digits from the back. The payment system treats CVV, CVC, and CSC identically. The naming is a branding distinction, not a technical one.
:::
Where Can I Find the CVV or CVC Code?
On a plastic card: For Visa and Mastercard — the vast majority of payment cards in Europe — the card security code is a three-digit number printed on the back, near the signature strip. On newer cards, it's often placed in a separate white panel to the right of the strip. The code is printed flat, not embossed or raised like the card number. For American Express, it's a four-digit number on the front of the card.
On a virtual card: The security code is displayed within your payment card app alongside the card number and expiry date. You typically need to authenticate — Face ID, fingerprint, or PIN — before the full details are revealed. With a Blackcat virtual card, the CVC is visible in the app after biometric verification, making safe online payments seamless without needing to handle a physical card.
Why Do Online Stores Ask for a Card Security Code?
The CVV/CVC exists for one purpose: verifying that the person making an online or phone payment actually has the card (or access to the virtual card details in their app).
Your card number and expiry date are not secret in the way most people assume. They appear on receipts, pass through payment processors, and are stored by merchants (with your permission) for card-on-file transactions. But the security code? Under PCI DSS Requirement 3.3.1, it must be deleted after authorisation. It cannot be stored for recurring transactions, card-on-file purposes, or concierge services — no exceptions, even if the data is encrypted.
How the verification works in practice:
  1. You enter your CVV/CVC code at checkout
  2. The merchant's payment processor sends it to your card issuer for verification
  3. The issuer confirms whether the code matches the card
  4. If it doesn't match, the transaction is flagged or declined
  5. The code is then discarded — not retained — by the merchant
Think of the card security code as a physical key that complements the digital lock of your card number. The number identifies the account. The security code proves you're the person who should be using it.
This mechanism is one reason why card fraud rates on SCA-authenticated transactions remain significantly lower than on non-authenticated ones, as confirmed by the EBA's December 2025 analysis.
When You Need Your Card Security Code — and When You Don't
Scenario
Code Required?
Why
Online purchase (website checkout)
✅ Yes
Card-not-present transaction — code proves possession
Phone order (reading card details to merchant)
✅ Yes
Same reason — remote transaction
Adding card to Apple Pay / Google Pay
✅ Yes (first time)
Initial verification of card ownership
In-app purchase with manual card entry
✅ Yes
Card-not-present
Contactless tap at a physical terminal
❌ No
NFC chip handles authentication
Chip-and-PIN at a point of sale
❌ No
PIN serves as authentication
Recurring subscription (after initial setup)
❌ No
Merchant uses tokenisation
ATM cash withdrawal
❌ No
PIN serves as authentication
Is It Safe to Share My CVV Online?
Yes — but only on a secure checkout page. The card security code is designed to be entered at the point of payment on a legitimate merchant's website. That's the one and only context where sharing it is safe.
It is never safe to share your CVV/CVC:
  • Via email, text message, chat, or social media
  • Over the phone to someone who called you (even if they claim to be your provider)
  • On a website without HTTPS (no padlock icon in the address bar)
  • In response to a pop-up or redirect from an unfamiliar source
No legitimate merchant, payment processor, or card issuer will ever ask for your card security code outside of a secure checkout flow. If someone requests it in any other context, it's a scam.
How to Keep Your Payment Card Details Safe Online
1 . Use a virtual card for unfamiliar merchants
This is one of the most practical steps for virtual card security. If you're buying from a website you haven't used before, use a virtual card linked to a dedicated wallet with a limited balance. If the merchant is compromised, your exposure is capped at that wallet's funds. Your main account stays untouched. This is the digital equivalent of not putting all your eggs in one basket.
2 . Enable real-time transaction notifications
Instant push notifications mean you know the moment your card is used — whether by you or someone else. If a fraudulent transaction occurs, you'll see it in seconds, not days. Blackcat's card security features include instant push notifications for every transaction.
3 . Use the instant freeze feature
If something looks wrong, freeze your card immediately from your card control app. This blocks all transactions until you unfreeze it. With Blackcat, instant freeze is available directly in the app — one tap, and the card is locked.
4 . Only enter card details on HTTPS websites
Look for "https://" in the URL and the padlock icon. Avoid entering card details on HTTP (non-secured) pages.
5 . Be cautious on public Wi-Fi
Open networks (airports, cafés, hotel lobbies) can be intercepted. Use a VPN or switch to mobile data before making an online payment.
6 . Don't write your security code alongside your card number
If you store card details anywhere (which ideally you shouldn't), never keep the security code with them. The entire point of the CVV/CVC is that it stays separate from the card number — PCI DSS mandates this separation.
7 . Check your statement (or transaction feed) regularly
Modern payment card apps show transactions in real time. Review them periodically. The sooner you spot something unfamiliar, the sooner you can act.
What Should I Do If My Card Details Are Exposed?
If you suspect your card number, expiry, or security code has been compromised:
  1. Freeze your card immediately from your app. With Blackcat, this takes one tap in the security section.
  2. Contact your card issuer to report the compromise and request a replacement card. The new card will have a new number and a new CVV/CVC — the old code becomes permanently useless.
  3. Review recent transactions for anything you don't recognise. Dispute any fraudulent charges with your provider.
  4. Change passwords on any accounts where the compromised card was stored for payments.
  5. Monitor your account closely for the following weeks.
The speed of response matters. The FICO European Fraud Map 2024 (published July 2025) found that card-not-present fraud dominates card fraud losses across Europe, with the UK alone recording £572.6 million in total card fraud losses in 2024, a 3.9% increase year-on-year. The faster you freeze a compromised card, the less damage can be done.
3D Secure: The Authentication Layer Beyond the CVV Code
Beyond the card security code, there's a second layer of protection you'll encounter during online payments: 3D Secure (3DS). This is the step where your payment app or issuer sends you a push notification, SMS code, or biometric prompt to approve the transaction.
3D Secure is mandated across the EU/EEA under the Payment Services Directive 2 (PSD2), which requires Strong Customer Authentication (SCA) for electronic payments. SCA means two of three factors must be verified: something you know (PIN or password), something you have (your phone or card), or something you are (fingerprint, Face ID).
The current protocol, 3DS2, is designed to work seamlessly with mobile apps and biometric authentication. All Blackcat cards support 3D Secure, adding this authentication layer on top of the CVV/CVC code. Together, they form a layered defence:
  • CVV/CVC proves you have the card
  • 3D Secure proves you are the account holder
  • Tokenisation (used for stored cards and mobile wallets) replaces your real card number with a device-specific token
Both the CVV/CVC match and the 3DS authentication must pass before the payment goes through.
The effectiveness of this layered approach is confirmed by the data. The EBA's December 2025 report found that SCA remains effective at reducing fraud for the transaction types it was designed to protect — particularly secure card payments where 3DS is applied. Fraud rates on SCA-authenticated card transactions are significantly lower than on transactions where SCA is not required (such as cross-border payments outside the EEA).
Are Virtual Cards Safer for Online Payments?
In several practical ways, yes.
A virtual card offers the same technical security as a plastic card — the same encryption, the same CVV/CVC verification, the same 3D Secure protocol. But it adds three advantages for online payment security:
Isolation. With a multi-wallet system like Blackcat's, you can create a separate virtual card for each wallet. If one card is compromised, only that wallet's balance is at risk — not your entire account.
Instant replacement. If a virtual card is compromised, you can freeze it and get a new one with a new number and CVC immediately — no waiting for postal delivery.
Authentication gating. The CVV/CVC on a virtual card is only visible after biometric authentication in your app. Nobody can "flip it over" and read the code — unlike a physical card sitting in a restaurant bill holder.
For regular online shoppers, using a virtual online payment card with a limited wallet balance is one of the simplest advanced security measures available.
Summary
Your card security code — CVV (Visa), CVC (Mastercard), CSC (generic), CID (Amex) — is a short printed code that proves you have your card during online or phone payments. The codes work identically: three digits on the back (four on the front for Amex), never stored by merchants after authorisation under PCI DSS, and designed as a key layer of defence against card-not-present fraud.
Keep it private. Enter it only on secure checkout pages. Use virtual cards for unfamiliar merchants, enable transaction notifications, and freeze your card instantly if anything looks wrong. Combined with 3D Secure authentication and a card control app that gives you real-time visibility and instant freeze, your card security code becomes part of a layered system that makes safe online payments genuinely achievable.
FAQ: Card Security Code
What is a card security code?
A card security code is a three- or four-digit number printed on your payment card, separate from the main card number. It's used to verify that you physically have the card during online or phone transactions. Under PCI DSS, merchants are prohibited from storing this code after a transaction is authorised, making it a key defence against card-not-present fraud.
What is the difference between CVV and CVC?
There is no functional difference. CVV (Card Verification Value) is Visa's name; CVC (Card Verification Code) is Mastercard's name. Both refer to the same three-digit code on the back of your card, serving the same purpose. The PCI Security Standards Council classifies them identically as sensitive authentication data.
Where can I find the CVV or CVC code?
On Visa and Mastercard cards, it's a three-digit number on the back, near the signature strip — often in a separate white panel. On American Express cards, it's a four-digit number on the front. On virtual cards, it's displayed in your payment app after biometric authentication.
Why do online stores ask for a card security code?
Because they can't physically verify your card is present. The security code acts as proof of possession: you can only know it if you have the card (or access to the virtual card in your app). It adds a layer of authentication beyond the card number and expiry date, which may be stored or exposed in data breaches.
Is it safe to share my CVV online?
Only on a secure checkout page (HTTPS with padlock icon) of a legitimate merchant. Never share your CVV/CVC via email, text, chat, or phone call. No legitimate company will ask for it outside a secure payment flow.
How can I protect my payment card details?
Use virtual cards for unfamiliar merchants (isolating risk per wallet), enable real-time transaction notifications, use instant freeze if something looks wrong, shop only on HTTPS websites, avoid public Wi-Fi for payments, and never store your CVV alongside your card number. A card control app with instant alerts and freeze gives you the most responsive protection.
What should I do if my card details are exposed?
Freeze your card immediately from your app, contact your card issuer to request a replacement (the new card gets a new number and CVV/CVC), review recent transactions for unauthorised charges, dispute any fraudulent payments, and change passwords on accounts where the compromised card was stored.
Are virtual cards safer for online payments?
In several practical ways, yes. A virtual card offers the same encryption and 3D Secure protection as a plastic card, but adds risk isolation (each card linked to a separate wallet), instant replacement (no waiting for postal delivery), and authentication-gated access (CVV only visible after biometric verification in your app).
Share this article