Skip to content

What is CVV verification? (CVV/CVC/CVV2 explained)

Jay StevensBy Jay Stevens · Founding EngineerReviewed by Jordan MederichUpdated 4 min read
Summarize with AI

Quick answer

CVV verification (also called CVC, CVV2, or CID depending on the card network) is a fraud prevention check used in card-not-present transactions. The customer enters the 3- or 4-digit security code printed on their card, and the payment processor sends it to the issuer for verification. Unlike AVS, which is advisory, a CVV mismatch typically results in a hard decline — the issuer refuses the transaction outright. The code is not stored after authorization (PCI DSS prohibits it), so recurring billing after the first charge does not re-verify CVV. A CVV failure on a legitimate customer usually means they misread or mistyped the code.

What CVV verification means

CVV stands for Card Verification Value — the 3-digit code on the back of Visa, Mastercard, and Discover cards, or the 4-digit code on the front of American Express cards. Different networks use different names: Visa calls it CVV2, Mastercard calls it CVC2, American Express calls it CID. They all serve the same purpose: proving the customer has physical possession of the card.

When a customer enters the CVV at checkout, the payment processor sends it to the issuing bank along with the card number and transaction details. The issuer compares it against the code on file. A match adds confidence that the cardholder is present; a mismatch suggests the card number was obtained without the physical card — a common fraud pattern.

CVV vs AVS

CVV and AVS are both fraud prevention tools, but they behave differently. AVS compares the billing address and returns a result code — the issuer does not decline based on AVS alone. CVV verification is stricter: a mismatch typically causes a hard decline. The issuer refuses the transaction outright.

AVS mismatches are common for legitimate customers (moved, typo, alternate address). CVV mismatches are less common — the code is printed on the card, so a customer with the card in hand should be able to enter it correctly. A CVV failure is a stronger fraud signal than an AVS failure.

CVV and recurring billing

PCI DSS (Payment Card Industry Data Security Standard) prohibits storing CVV after authorization. The code is used once to verify the initial transaction, then discarded. This means recurring billing — subscriptions, installments, saved cards — cannot re-verify CVV on subsequent charges.

When a stored card declines for a CVV-related reason on a recurring charge, the decline code will typically be something else (like 05 Do Not Honor or 14 Invalid Card Number) because the processor never sent a CVV. The CVV-specific decline codes only appear when a CVV was submitted and mismatched.

Recovering from CVV declines

A CVV mismatch is a hard decline — retrying the same transaction will not help. Recovery requires reaching the customer to re-enter the correct code. The customer may have misread the code (especially the stylized fonts on some cards), transposed digits, or confused CVV with another number.

Revatto handles these recoveries: AI detects the decline, reaches the customer via email and SMS under your brand, and a human follows up when needed. You only pay when the payment is recovered — 20% of the first recovered payment, $0 monthly.

See what Revatto would recover for you

Failed payments recovered automatically — no engineering, no manual chasing. We do the work; you keep the revenue.

See Your Recovery Potential

Frequently asked questions