Mail order and telephone order (MO/TO) and other card-not-present transactions have higher fraud rates than face-to-face transactions. When a card's magnetic stripe is read by a point-of-sale (POS) terminal, Visa's Card Verification Value (CVV) or MasterCard's Card Validation Code (CVC) can be verified during the authorization. However, when the card is not present the CVV or CVC cannot be validated. To help reduce fraud in the card-not-present environment, acquirers, merchants, and issuers can use the CVV2 or CVC2 program.

What is CVV2 or CVC2?
The CVV2/CVC2 is a three-digit security code that is printed on the back of cards. The number appears in reverse italic at the top of the signature panel at the end (see sample). This program helps validate that a genuine card is being used during a transaction. All MasterCard cards, both credit and debit, were required to contain CVC2 by January 1, 1997; all Visa cards must contain CVV2 by January 1, 2001.

How does CVV2 or CVC2 work?
Card-not-present merchants are being directed to ask cardholders for CVV2/CVC2 when cardholders place orders. Merchants ask the cardholder to read this code from the card. The merchant then asks for CVV2/CVC2 verification during the authorization process. The issuer (or processor) validates the CVV2/CVC2 and relays the decline/approve results during the authorization process. Merchants, by using the CVV2/CVC2 results along with the Address Verification Service (AVS) and authorization responses, can then make more informed decisions about whether to accept transactions.

Where is the CVV2 or CVC2 code on my card?