Card security code
What is a card security code?
Card security code (CSC) is a three- or four-digit number printed (not embossed) on a payment card that verifies the person entering the card details physically holds the card. It's checked during online, phone, and mail-order payments, where no one can inspect the card in person.
Card networks introduced the CSC in the late 1990s to add a fraud check for e-commerce, and each network adopted it under its own name and format. The code is printed on the card surface and is never written to the magnetic stripe or chip, so copying a card's stored data doesn't capture it. At checkout the merchant collects the CSC in a dedicated field and sends it to the issuer with the card number and expiry date; the issuer returns a match or no-match result, and the merchant discards the value once the payment is authorized.
Key facts
- Also known as: CVV2 (Visa), CVC2 (Mastercard), CID (American Express), and CSC (Discover) – all names for the same printed .
- Length: three digits on Visa, Mastercard, and Discover; four digits on American Express.
- Location: printed on the back of Visa, Mastercard, and Discover cards; on the front of American Express cards.
- Where it's used: – online, phone, and mail order.
- Not a standalone approval: the CSC verifies possession only; the card number, expiry, and any required authentication still apply.
- Storage: card data security standards bar merchants from keeping the code after a payment is authorized.
Card security code by network
Each network uses a different name for the same printed code:
| Network | Name | Digits | Location |
| Visa | Card Verification Value 2 (CVV2) | 3 | Back |
| Mastercard | Card Validation Code 2 (CVC2) | 3 | Back |
| American Express | Card Identification Number (CID) | 4 | Front |
| Discover | Card Security Code (CSC) | 3 | Back |
How it compares
The "2" in CVV2 and CVC2 separates the printed code from the verification value encoded in the card's magnetic stripe (CVV1 / CVC1). The stripe value is read automatically when a card is swiped in person, so it only applies to card-present payments. The printed CSC covers the opposite case: it confirms possession of the card when there's no terminal to read the stripe or chip. This is why a stolen card number and expiry date alone often fail at an online checkout that asks for the CSC. For the broader concept behind both values, see .
Why it matters
The CSC gives merchants and issuers a signal that's hard to fake without the physical card.
- Because the code is printed and never stored in the stripe or chip, card data lifted through or a database breach won't include it.
- In a , a matching CSC is one of the few signals that the person entering the details is holding the card rather than keying in a stolen number.
- A CSC mismatch acts as a risk indicator: the can decline the authorization, or the merchant can route the payment through for a stronger identity check.
- Card data security standards bar merchants from keeping the code after authorization, so it stays useless to anyone who later breaks into stored card records.


