
Card Verification Value (CVV)
A three- or four-digit security code printed on the back of a credit or debit card (or on the front for American Express). The value is not stored on the magnetic stripe or chip, so it cannot be captured by a card skimmer. When submitted with a card-not-present transaction, the CVV gives the issuing bank a way to verify that the physical card is in the customer’s possession.
Why the Code Exists Separately From the Card Number
The card number, expiration date, and cardholder name are encoded in multiple places — the magnetic stripe, the embedded chip, and the printed surface of the card. A criminal who steals a card number through a data breach has all three. The CVV is different. It is printed only on the surface of the card and is never stored on the stripe or the chip. PCI DSS rules also forbid merchants from storing the CVV after authorization, so it does not accumulate in databases that might leak.
That separation is what makes the code useful as a fraud signal. A stolen card number with a matching verification value usually means the card is being used by someone holding it. A stolen card number without the code means the criminal has the number from a breach but does not have the physical card.
Each card brand has its own name for the code: CVV2 on Visa, CVC2 on Mastercard, CID on American Express and Discover. The functional purpose is the same across all four. In practice the industry uses “CVV” as the catch-all term regardless of the card brand.
Common CVV Response Codes
When a merchant submits a card-not-present transaction, the verification value travels with the card details to the issuing bank. The issuer compares the submitted code against the value on file and returns a single-letter response code in the same authorization message that approves or declines the transaction.
The submitted code matches the issuer’s record. Strong fraud signal — the cardholder is likely holding the physical card.
The submitted code does not match. Stronger fraud signal than an address mismatch — the code is harder for a fraudster to obtain than a billing address.
The merchant did not submit a verification value. Often a configuration choice rather than a fraud signal — but it removes the verification layer entirely.
The issuer does not support verification or is temporarily unable to process the request. No signal returned.
The Cost of Skipping the Code
A CVV mismatch is a stronger fraud signal than an address mismatch — addresses leak constantly through data breaches, but the three-digit value on the back of a physical card is one of the smallest pieces of cardholder data still relatively scarce in the underground market. An issuer reviewing a fraud chargeback where the merchant accepted a transaction with a CVV mismatch will weigh that response heavily in the cardholder’s favor. The chargeback is harder to win.
The code also affects interchange qualification. Many card-not-present interchange categories require a passing match for the lowest qualification tier. A failed match or a “not processed” response can downgrade the transaction to a higher-cost interchange category, raising the cost of that specific transaction and contributing to a higher overall effective rate across the month.
The CFPB’s guidance on card-not-present transactions notes that merchants bear greater responsibility for verifying cardholder identity in remote transactions — CVV and address-verification data is the primary mechanism for meeting that standard.
Frequently Asked Questions
No. PCI DSS rules explicitly prohibit storing the CVV after authorization, even in encrypted form. The code may be transmitted to the issuer for verification but must not be retained in the merchant’s records. A merchant found storing CVV data faces immediate PCI compliance violations and potential fines from the card networks.
No. The issuer typically still approves the authorization as long as the card has funds and is not flagged. The CVV mismatch is reported in the response, but the merchant decides whether to accept, hold, void, or flag the transaction. Some processors offer optional configuration to auto-decline mismatch responses, but it is not the default on most accounts.
American Express uses a four-digit code printed above the card number on the front rather than a three-digit code on the back. The functional purpose and security model are the same — the code is not stored on the stripe or chip and cannot be captured by a skimmer. The placement difference is historical, not functional.
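The two rules from the answers above (never retain the code after authorization, and an approved authorization with a mismatch is the merchant's decision) can be enforced in the code that writes the order record. This is an added Python example, not code from this page or from any processor. The field names, the sample checkout, and the default actions (hold on mismatch, flag when there is no signal) are assumptions.

```python
from enum import Enum

class CvvResult(Enum):  # the four outcomes listed under "Common CVV Response Codes"
    MATCH = "match"
    MISMATCH = "mismatch"
    NOT_SUBMITTED = "not_submitted"
    UNAVAILABLE = "unavailable"

# Key names that must never appear in stored data (brand names from the page, lowercased).
CVV_FIELD_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "cid"}

def find_cvv_fields(obj, path=""):
    """Return the paths of any CVV-like keys in a nested dict/list structure."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower() in CVV_FIELD_NAMES:
                hits.append(here)
            hits.extend(find_cvv_fields(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_cvv_fields(item, f"{path}[{i}]"))
    return hits

def decide_action(approved, cvv_result, auto_decline_mismatch=False):
    """Merchant-side decision once the issuer has answered (assumed policy)."""
    if not approved:
        return "declined"
    if cvv_result is CvvResult.MISMATCH:
        # The issuer approved anyway; the merchant's configuration decides the outcome.
        return "void" if auto_decline_mismatch else "hold"
    if cvv_result is CvvResult.MATCH:
        return "accept"
    return "flag"  # no verification signal: not submitted, or issuer unavailable

def build_stored_record(checkout, approved, cvv_result, auto_decline_mismatch=False):
    """Build the record to persist: keeps the verification result, drops the code."""
    record = {
        "order_id": checkout["order_id"],
        "card_last4": checkout["card"]["number"][-4:],
        "cvv_result": cvv_result.value,
        "action": decide_action(approved, cvv_result, auto_decline_mismatch),
    }
    leaked = find_cvv_fields(record)
    if leaked:  # fail closed if a later change ever copies the code into the record
        raise ValueError(f"CVV field in stored record: {leaked}")
    return record

# Constructed sample input (well-known test card number, not real data).
SAMPLE_CHECKOUT = {"order_id": "ord-1001",
                   "card": {"number": "4111111111111111", "exp": "12/30", "cvv2": "123"}}
```

The same `find_cvv_fields` check can be run over log payloads and database exports to confirm the code is not being retained elsewhere.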