What Is a Validation Code?

A validation code—also known as a CVV, CV2, or CVV2 code—is a series of three or four numbers located on the front or back of a credit card. It is intended to provide an additional layer of security for credit card transactions that take place online or over the phone.

Most credit card issuers place their validation codes on the back of the card, on the far-right side of the signature panel. On American Express (AXP) cards, however, the validation code is printed on the front of the card.

Key Takeaways

  • A validation code is one of the security measures deployed to reduce credit card fraud.
  • It consists of a three or four-letter code printed on the front or back of a credit card.
  • Unfortunately, instances of credit card fraud have continued to climb in recent years, with nearly 40% of global cases occurring in the United States—by far the worst of any country.

How Validation Codes Work

As online shopping continues to grow in popularity, the threat of identity theft and other forms of credit card fraud has become increasingly severe. One measure taken to try to mitigate against this risk is the use of validation codes when making credit card purchases.

In a typical transaction, a customer will be asked to provide their name, billing address, card number, expiration date, and validation code. Although many of these details, such as the name and address, could be obtained from other sources; the card number, expiration date, and validation code can theoretically only be obtained from possessing the card itself. As an added measure, the validation code is generally printed on the back of the card, making it more difficult for would-be thieves to glean all the necessary information from a single photograph of the credit card.

To further enhance these security measures, consumer protection laws prevent merchants from storing customers’ validation codes after a purchase has been made—although unscrupulous sellers may still record this information illegally. An additional measure of protection is provided by the personal identification numbers (PINs) which cardholders must enter when making payments using point-of-sale (POS) terminals. 

Real World Example of a Validation Code

Although security measures such as the validation code raise the difficulty of committing identity theft or making purchases using a stolen credit card, they are unlikely to deter a sufficiently motivated thief. In practice, credit card fraud has continued to climb in recent years, surpassing 150,000 reported cases in 2018. The United States is by far the most acutely affected country, representing nearly 40% of global cases.

Merchants are not allowed to store card security codes after a customer makes a purchase, which provides extra protection against credit card theft. Still, validation codes can be stolen, and cardholders should protect their card’s validation code just as they would protect the card number and expiration date. The validation code is a key piece of data that can enable thieves to make fraudulent transactions with someone else’s card.

However, if a thief does use a stolen card, the cardholder's liability is limited to $50 under the The Fair Credit Billing Act (FCBA), depending on when the theft is reported. Customers who realize their card is missing, or detect suspicious or unauthorized purchases or other activity, should contact their credit card issuer immediately to report the problem and alert them to a possible case of fraud. The card issuer can then cancel or deactivate the card.