The Merchant’s Guide To CVV2 & CVV Checks
If you’re a merchant and you blink, you might miss an essential detail in our ever-changing payment landscape. That’s because payment security, as well as general payment technology, continues to grow and evolve each year.
Merchants often say that payment security is one of the most difficult to understand (not to mention intimidating) topics. We aim to change that here at Merchant Maverick. So whether you’re looking for an easy-to-understand CVV definition or you want to understand more about how the CVV number affects the checkout process, stay with us. We’ll address all the notable points when it comes to this somewhat mysterious code on the back (and sometimes front) of nearly every credit and debit card.
What’s A CVV?
A CVV (or sometimes CVV2) is a three- or four-digit number printed on every credit card you’ll come across nowadays. This small code is not stored in the EMV chip or the magstripe, as the purpose is to ensure that anyone who makes a purchase has the card on their person. The goal in using the CVV code is to prevent unauthorized use of a credit card in any card-not-present transaction. That usually means online purchases, but it can also include manually entered transactions.
Before we go any deeper into this post, we need to address the elephant in the room — because if we don’t, things could get confusing. You may encounter more than one name for the CVV number because the payment brands didn’t all agree on the same term (go figure). Depending on whom you talk to, you may hear any of the following terms, but these all refer to the same thing:
- Card Verification Value (CVV or CVV2): Visa and Mastercard
- Card Verification Code (CVC): This term refers to the CVV / CID code
- Card Identification Number (CID): Discover and American Express
Visa, Mastercard, and Discover all put this numerical code at the back of their cards, near the signature space. American Express, however, chose to put its CID on the front of the card. Regardless of where you find it, the code does the same thing — it helps a merchant confirm that the owner of the card is in charge of the purchase.
Note that this code isn’t transmitted when a credit card is swiped, dipped, or tapped during a card-present transaction. The CVV number is another layer of security that helps merchants prevent different types of fraud and reduce their liability. Keep reading to find out more reasons you should care — and where to go from here.
Why Do You Need A CVV Code?
As we mentioned above, if you take a payment over the phone or have an online shop, a CVV code provides an additional way to confirm that the cardholder is actually buying from you. But that’s not the only reason you would need to have a CVV/CVV2 number during a transaction.
The major card brands began requiring merchants to submit this code in card-not-present transactions in 2018. Why did they do it? Because online fraud is increasing. LexisNexis noted in its 2018 True Cost Of Fraud report that the cost of fraud is also rising. In 2017, every dollar ($1) of fraud cost a merchant $2.77. In 2018, however, that number increased to an average of $2.94. And unfortunately, if you are in the digital space, the cost is even a bit higher.
Another big issue that a CVC code helps prevent for merchants is a chargeback. A chargeback is when a customer requests that the funds from a payment be reversed (usually because the charge wasn’t authorized). Chargebacks can happen for a variety of reasons, and while a CVV code can’t protect you from all of them, it is evidence that the customer did authorize the sale because they would have had to have the card in hand to enter the code. In this way, a CVV code can protect you from “friendly fraud” — when a customer claims they didn’t purchase from you at all, knowing full well they did!
Want to arm yourself with important insights about chargebacks? Check out The Complete Guide To Preventing And Winning Chargebacks.
CVV Checks For Merchants
To recap, only card-not-present transactions for which you don’t physically swipe, dip, or tap require you to worry about a CVV code. That means that even if your customer is present, you will need to get the CVC if you manually enter the credit card data through your virtual terminal, POS system or mobile POS app.
If you take any payments online or you send and receive invoice payments, your customers will also plug the CVV code in during the checkout process. For more on card-not-present sales, check out What Is A Card-Not-Present Transaction?
It’s important to note that merchants who process in-person payments with a card reader or terminal do not need to worry about CVV codes, nor should anyone give out their own code willy-nilly. The code is only useful to confirm a card when you don’t process with the magnetic strip or EMV chip.
Let’s take a closer look at the two main scenarios when you’d need to worry about the added security of a CVV/CVV2 number.
Entering CVV Numbers For Manually Entered Transactions
If you already use a PCI compliant payment processing company, you’ll notice that your payment form for manual entry already has a spot for a CVV code. As stated earlier, that’s because the payment companies now require it on all card-not-present purchases. All processors nowadays know the scenarios in which it is applicable to ask for the CVV code, and you or your customer will be automatically prompted to enter it if necessary. So remember, the CVV2 number is not needed at all if you swipe, dip, or tap the card in your shop.
Here’s a screenshot of a virtual terminal through Square with the CVV section highlighted. This is a merchant-facing screen for manual card entry. Again, CVV and CVV2 refer to the same number, but Square is just covering its bases by using both terms.
It’s important to note that no merchant should ever store the CVV code on their servers or record it in any way. In fact, the Payment Card Industry Data Security Standard (PCI DSS) regulations prohibit storing this number at all. While collecting a CVC at the moment of purchase and not storing it is not a perfectly airtight security measure, it’s additional protection for merchants to authenticate online and over-the-phone purchases when you can’t visually check identification.
CVC Code Entry For eCommerce
For those of you who have an eCommerce presence, a CVC code is also required by the major payment companies during processing. Of course, any online sale is considered a card-not-present transaction, and as such, you should be aware of the risks. Fraudsters often target small businesses looking for vulnerabilities, so it’s important to have a PCI compliant processor and payment gateway.
| Feature | Fattmerchant | Payline | CDGcommerce | Shopify | Square |
|---|---|---|---|---|---|
| Key Features | Advanced Billing & Invoicing | Versatile Service | Free Gateway Included | Advanced Shopping Cart | Basic Webstore, All-in-one |
| Shopping Cart Compatibility | Many | Many | Many | Shopify Only | Many |
| Gateway Compatibility | Many | Many | Many | Many | Square Only |
| Pricing Model | Subscription | Cost-Plus | Cost-Plus | Flat Rate | Flat Rate |
| Standard eCommerce Rates | 0.00% + $0.10 markup | 0.50 + $0.10 markup | 0.30% + $0.10 markup | 2.90% + $0.30 | 2.90% + $0.30 |
| Entry-Level Monthly Fee | $99 | $0 | $10 | $29 | $0 |
More Tools For Online Security
An excellent feature to look for if you take payment via your online shop is AVS (Address Verification System). As the name suggests, the processor authenticates your customer’s address during checkout. Whether this feature costs you extra or not depends on the processing company you choose. Many processors do include the feature automatically with their flat or tiered pricing plan. Even if you do pay a bit extra, however, keep in mind that AVS significantly reduces your risk of fraud. Transactions processed with AVS likely have downgraded risk factors and may even save you money, so keep that in mind as well. For more about AVS, check out What Is AVS For Credit Card Processing?
We also couldn’t talk about online security without mentioning 3D Secure technology. With 3D Secure technology, the card brands step in to provide an extra authentication step during checkout. The actual process varies by card network and by issuing bank, but for business owners, once you’ve implemented this step, you don’t need to do anything else specific. Ask your payment processor if 3D Secure is a built-in feature or, if not, how you can add it to your site. For more information, check out our post, What Are Verified by Visa and 3D Secure?
Payment Security Is Essential For Businesses
This post aimed to clear up any confusion regarding why and how a CVV (or CVV2, CVC, or CID) number is vital for your small business. Hopefully we’ve made the airtight case that the CVV code is an essential piece of information any time you process a card-not-present transaction, but otherwise, don’t fret over it at all.
Because payment companies require all merchants to collect the CVV during online or manual card entry, you’ll need to find a payment processing company that’s up-to-date with the latest policies. Keep in mind that to be PCI compliant, merchants can’t store the CVV data, so never write it down. Even with card-on-file transactions, merchants shouldn’t store the CVV code; if you do, you could be liable in a data breach.
In addition to CVV, we also introduced you to some other important tools that can help keep your payment landscape safer for you and your customers. If you’re shopping around for your online shop, look for a processor that specializes in online payments and gives you the right tools, including AVS checks or 3D Secure technology. Check out our Merchant Account Comparisons to find out more about features, fees, and support.