Credit Card Security Codes and Shopping Carts
  Last Edited - 05/25/2010 7:26pm PDT
  Category Path - Editorial > Blogs > Tips, Tricks and Astounding Revelations
Short & Sweet Version:
To conform to PCI security standards, Modular Merchant's shopping cart software does not record or store a credit card's "security code number" (or CVV2 number).

Long & Fancy Version:
In order to conform to the Payment Card Industry's (PCI) Cardholder Information Security Program (CISP) security standards, security features are in place to protect both merchants and their customers from both potential liabilities, fines and loss of PCI service.

These security features focus on the well known, but oft misunderstood, Credit Card Security Code. (Also known as the CCSC, CSC, CVC, CVV, CVC1, CVV1, CVC2, CVV2 or CCID code.) This article will refer to the Credit Card Security Code as the "CVV2" code.

Where is the CVV2 number found on a credit card?

MasterCard, Visa, Discover, and JCB credit and debit cards have a three-digit code as the final group of numbers printed on the back signature panel of the card. (See Figure 1.)

Figure 1: Card Security Code number location on MasterCard, Visa, Discover and JCD cards.

American Express cards have a four-digit code printed on the front side of the card above the number. It is printed flat, not embossed like the card number. (See Figure 2.)

Figure 2: Card Security Code number location on American Express cards.

The CVV2 number is is a three or four digit number, depending on the type of credit card. It's not encoded into the card's magnetic stripe.

What is the purpose of the CVV2 number?

A credit card is kind of like a safe... a safe with its combination written right on the front of it in big embossed numbers. Unfortunately, this isn't the most secure way to "lock" the safe, as anyone with eyeballs can potentially obtain the combination and use it.

To combat credit card fraud, several additional security measures have been introduced, such as Address Verification Systems (AVS) and the CVV2 number. Returning to the safe analogy, the CVV2 number is like a "secret access code" for opening the safe, conveniently located directly on the back of it.

The CVV2 number isn't stored in the credit card's magnetic stripe, so it is excluded from the credit card information recorded when a merchant swipes a credit card in a card-present transaction. If you use your credit card at Bob's Supermarket, Bob won't have your card's CVV2 number on file. This system implies a level of protection to the bank and cardholder, because the card's CVV2 number won't be available if the magnetic stripe data is stolen.

For card-not-present transactions, such as orders placed online, the inclusion of the CVV2 number during the checkout process suggests that the person placing the order is the legitimate cardholder.

What are the PCI regulations regarding the CVV2 number?

The PCI has introduced a set of regulations intended to reduce credit card fraud. These regulations are collectively known as the Cardholder Information Security Program, or CISP. All merchants who accept credit cards are required to conform to CISP standards, which are straightforward when it comes to CVV2 numbers: CISP compliance forbids the CVV2 number from being retained after a transaction is completed.

"All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database." ( - Page 14)

This prohibition includes the storage of a CVV2 number in your shopping cart records for both past transactions and orders scheduled for processing on a future date. Waitaminute, if the CVV2 number cannot be kept on file for an order to be processed in the future, how are merchants supposed to sell subscription products in their shopping cart? Won't all the future orders be declined due to the missing CVV2 number? I'll address these questions by discussing several CVV2 myths.

Three CVV2 Myths & Misconceptions

Myth 1: Including the CVV2 number in e-commerce transactions reduces the transaction's discount rate.
Originally, I assumed this too. However, discussions with several industry professionals contradicted my assumption. technical support, our own payment gateway's Chief Compliance Officer and Visa's own Payment System Risk manager all confirmed the same thing: the presence of the CVV2 number for "MO/TO E" (Mail Order, Telephone Order, E-Commerce) transactions has zero affect on the discount rate charged to the merchant.

Will your payment gateway charge you a lower percentage for shopping cart transactions if the credit card's CVV2 number is included? Nope. Okay, but then why even use CVV2 in the first place? Myth #2 addresses this.

Myth 2: CVV2 is the primary anti-fraud tool for internet merchants.
The industry professionals I spoke with clarified that, for internet merchants, CVV2 is primarily a tool for reducing the merchant's liability, not an anti-fraud tool. (Sure, it helps reduce fraud, but that's not always its most useful application for internet merchants.)

The example provided by the industry professionals I spoke with was a merchant with a website that sells subscription products. A customer comes to the website and purchases a subscription to the product. The ongoing invoices for the customer's subscription are then automatically rebilled by the shopping cart on a monthly basis. The initial order, placed directly by the customer on the website, would include the CVV2 number. This initial transaction triggers the customer's automated monthly subscription. Since retaining the CVV2 number is prohibited, it won't be included in the customer's ongoing monthly orders.

However, since the customer provided this number with the original transaction, the merchant has a "paper trail" they can follow to confirm the validity of the customer's credit card. The initial order placed by the customer can reinforce the validity of future automated transactions. In this scenario, the CVV2 number's primary function isn't as an anti-fraud device; but as a liability device, legitimizing the future transactions.

For guidelines for recurring transactions for internet merchants, refer to page 51 of Visa's Rules for Visa Merchants document, available at:

Myth 3: I must collect the CVV2 number for either all or none of my e-commerce transactions.
So, now we've established that the presence of the CVV2 number doesn't affect the discount rate applied to shopping cart transactions, and it's allowable to include it in only in transactions placed directly by the customer. The next logical question is, "Won't my payment gateway decline credit card transactions without the CVV2 number?"

Some merchants think that if they exclude the CVV2 number from automated transactions, such as scheduled orders, that they must also exclude it from regular orders placed directly by customers in the shopping cart's checkout area. This isn't the case. Payment Gateway accounts can usually be configured so that the CVV2 number is optional; it will only be evaluated if included in the transaction data. This allows the CVV2 number to be included in orders placed by customers in the storefront, and excluded in subsequent scheduled orders placed as part of that customer's subscription to a product or service.

How does Modular Merchant handle CVV2 numbers?

Modular Merchant's credit card security features are designed to protect both the merchants we work with and their customers. Merchants who fail to comply with the PCI CISP standards face potential fines from the Payment Card Industry, litigation, and permanent revocation of their ability to accept credit cards.

To prevent the potential security headaches listed above, CVV2 numbers are neither retained in system memory or recorded in store records, and any pre-existing CVV2 data that is on file is deleted from all accounts. The CVV2 number is neither displayed nor referenced, in whole or in part, within the store's administration area, storefront or database.

Orders automatically placed using the Scheduled Order system do not include the CVV2 number. Clients that use the Scheduled Order system should contact their Payment Gateway to review their gateway account's settings to ensure that it's configured to be compatible with the PCI-compliant manner that the Modular Merchant shopping cart software will handle the CVV2 number for automated scheduled orders.

PCI/CISP compliance can be a confusing issue for merchants. Here's some additional recommended reading on the subject:
Visa CISP website

Rules for Visa Merchants


Powered by ModularKB