RD Virtual Card
RD Virtual Card

What Is CVV/CVC? Definition, Payment Flow, and Examples

Quick answer

CVV/CVC is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN. This guide focuses on CVV/CVC's real role, boundaries, and common points of confusion.

Last updated: 2026-07-14 · RDVCC Payments Research

Key points

  • Definition: CVV/CVC is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN.
  • Flow position: An expiration date helps determine whether credentials remain within their valid period; CVV or CVC supports credential checks in defined channels; a dynamic value changes under the product's rules.
  • Do not confuse: CVV/CVC / One-time Password

How it fits into the payment flow

For CVV/CVC, the relevant process is as follows: An expiration date helps determine whether credentials remain within their valid period; CVV or CVC supports credential checks in defined channels; a dynamic value changes under the product's rules. These elements have different purposes, generation methods, and storage rules.

A practical review of CVV/CVC should account for this: A merchant should collect only what the transaction needs and manage it within the applicable PCI DSS scope. Card replacement, token lifecycle updates, and issuer policy can all affect later stored-credential payments.

Practical example

An online checkout uses CVV for the current card-not-present validation. Cardholder consent to save the card does not permit the merchant to retain that code after authorization.

How it differs from related terms

TermDefinition
CVV/CVCis a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN
One-time Passwordis a code valid for one action or a short period and can be an authentication factor without automatically constituting complete SCA
Address Verification Servicecompares numeric address data submitted at payment with issuer records and returns a match result for risk assessment

CVV/CVC focuses on the fact that it is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN. One-time Password, by contrast, is a code valid for one action or a short period and can be an authentication factor without automatically constituting complete SCA. They can appear in one transaction while answering different questions.

Use cases and limits

A key limit of CVV/CVC is the following: PCI DSS prohibits retaining card verification codes and similar sensitive authentication data after authorization, even when encrypted. Never send a security code through chat, email, or an untrusted form.

Frequently asked questions

These answers address two common search questions about CVV/CVC.

Is it the same as One-time Password?

No. CVV/CVC is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN. One-time Password (OTP) is a code valid for one action or a short period and can be an authentication factor without automatically constituting complete SCA. Compare the object, processing stage, and responsible party.

Can a merchant store a security code after authorization if it is encrypted?

For CVV/CVC, no. PCI SSC states that card verification codes and other sensitive authentication data must not be stored after authorization, even when encrypted.

Primary sources

These primary sources support the definition and process for CVV/CVC. Current product, network, and local rules still control a real transaction.