What Is Dynamic CVV? Definition, Payment Flow, and Examples
Dynamic CVV (dCVV) is a security value that changes by time or event to reduce how long captured credentials remain useful. This guide focuses on dCVV's real role, boundaries, and common points of confusion.
Key points
- Definition: Dynamic CVV (dCVV) is a security value that changes by time or event to reduce how long captured credentials remain useful.
- Flow position: An expiration date helps determine whether credentials remain within their valid period; CVV or CVC supports credential checks in defined channels; a dynamic value changes under the product's rules.
- Do not confuse: dCVV / CVV/CVC
How it fits into the payment flow
For dCVV, the relevant process is as follows: An expiration date helps determine whether credentials remain within their valid period; CVV or CVC supports credential checks in defined channels; a dynamic value changes under the product's rules. These elements have different purposes, generation methods, and storage rules.
A practical review of dCVV should account for this: A merchant should collect only what the transaction needs and manage it within the applicable PCI DSS scope. Card replacement, token lifecycle updates, and issuer policy can all affect later stored-credential payments.
Practical example
An issuer app refreshes a dynamic CVV under the product's rules, making the older value unusable. Rotation narrows the usage window but does not replace device and account protection.
How it differs from related terms
| Term | Definition |
|---|---|
| Dynamic CVV | is a security value that changes by time or event to reduce how long captured credentials remain useful |
| CVV/CVC | is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN |
| Cardholder | is the person authorized to use a card or card account, with rights and duties defined by the account and issuer agreement |
dCVV focuses on the fact that it is a security value that changes by time or event to reduce how long captured credentials remain useful. CVV/CVC, by contrast, is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN. They can appear in one transaction while answering different questions.
Use cases and limits
A key limit of dCVV is the following: PCI DSS prohibits retaining card verification codes and similar sensitive authentication data after authorization, even when encrypted. Never send a security code through chat, email, or an untrusted form.
Frequently asked questions
These answers address two common search questions about dCVV.
Is it the same as CVV/CVC?
No. Dynamic CVV (dCVV) is a security value that changes by time or event to reduce how long captured credentials remain useful. CVV/CVC is a short card security value commonly checked in card-not-present payments and is not the cardholder's PIN. Compare the object, processing stage, and responsible party.
Can a merchant store a security code after authorization if it is encrypted?
For dCVV, no. PCI SSC states that card verification codes and other sensitive authentication data must not be stored after authorization, even when encrypted.
These primary sources support the definition and process for dCVV. Current product, network, and local rules still control a real transaction.