Most of you are quite familiar with Visa’s Card Verification Value 2 (CVV 2) – the three-digit number on the back of all Visa cards that is used to verify that customers are in physical possession of their cards in non-face-to-face transactions. What you probably know much less about is the other CVV number, the one that is stored in the card’s memory and is used to perform similar purposes, but in face-to-face transactions. Let’s take a look at it.
What Is CVV
The Card Verification Value (CVV) is a 3-digit number encoded on Visa credit and debit cards. CVV is stored within the card’s magnetic stripe, if available, or alternatively it can be stored in the chip of a smart credit or debit card.
CVV is a point-of-sale (POS) and ATM risk management service that protects card transaction participants from fraud-related losses resulting from mag-stripe counterfeit Visa cards. Each CVV is a unique value, calculated from data encoded in the magnetic stripe or the chip using the Data Encryption Standard (DES) algorithm.
Types of CVV
There are two types of card verification value, based on where the information is stored:
- CVV is the code stored in the card’s magnetic stripe.
- iCVV (Integrated Chip Card Card Verification Value) is the code stored in the card’s chip.
If a smart card features both a magnetic stripe and a chip, the same CVV number can be stored on both. Alternatively, issuers can choose to calculate different values, in which case the one stored on the chip is an iCVV.
The two types of CVV are calculated with an algorithm that uses a service code for CVV validation and the value 999 for iCVV validation. All other algorithm components are the same and include the:
- DES key.
- Primary account number (PAN).
- Card expiration date.
How Is CVV Validation Performed
The CVV value is submitted with all other magnetic stripe or chip data as part of the transaction authorization request. The CVV can be validated either by VisaNet — Visa’s payment system — or by the issuer itself. The issuer can approve, refer, or decline transactions that fail CVV or iCVV validation, depending on its procedures.
When an authorization request is received, VisaNet or the issuer:
- Calculates the CVV or the iCVV.
- Verifies the CVV or the iCVV on the card by comparing it to the calculated value.
- Sends a response code to the processor that indicates whether the validation was successful or it failed. A failed validation can indicate a counterfeit card, but it can also be due to an incorrect reading or encoding of the CVV or iCVV. The available CVV validation response codes are:
- Refer to issuer.
- Pick up.
You don’t really need to know all that much about the CVV, as in face-to-face transactions your POS terminal simply collects it, together with all other mag-stripe or chip information, and routes the whole thing for authorization. You never get to handle it the way e-commerce and MO / TO merchants do CVV 2 numbers. Still, if you are going to be accepting cards for payments, educating yourself on the basics can’t be all bad.
Image credit: Saveup.com.