CVV, CVC, CVV2, iCVV, and Security Code

Understand card security codes and how they work in the physical and digital world

When we talk about card payments, few topics generate as much confusion as security codes: CVV, CVC, CVV2, iCVV, Security Code… are they all the same? What are they for? When are they used?

In this article, we will explain clearly and completely how these codes work, what the difference is between in-person (CP) and online (CNP) payments, and how this changes with technology: magnetic stripe, chip, NFC, and Tap to Phone.

What are card security codes?

All these codes are part of the same concept: verifying that the card is legitimate and reducing fraud.

They were created by the card networks (Visa, Mastercard, Amex) to add an extra layer of security to transactions, especially when the risk of fraud is higher.

What changes is:

Where the code is stored
Whether it is visible or not
In what type of transaction it can be used

CVV, CVC, CVV2, Security Code: are they the same thing?

Name	Who uses it	What it is
CVV	Visa	Generic term
CVC	Mastercard	Same concept
CVV2 / CVC2	Visa / Mastercard	Visual code for online purchases
Security Code	Amex / generic	Commercial name
iCVV	All	Internal code for chip/NFC

Online payments – Card Not Present (CNP)

CVV2 / CVC2 / Security Code

It's the code you enter when making an online purchase.

3 digits (Visa/Mastercard) – back of the card
4 digits (American Express) – front of the card
Used in:
E-commerce
Apps
Phone purchases

Objective:

Prove that whoever is paying has the physical card in hand

Important

This code cannot be stored by stores or platforms (PCI DSS rule)
It is used only at the time of authorization

In-person payments – Card Present (CP)

In the physical world, security works differently.

CVV2 in a physical store?

It doesn't exist. In in-person payments, the CVV2 is not used.

This is because the risk is mitigated by more advanced technologies.

Magnetic stripe (old cards)

CVV1 / CVC1

Recorded on the magnetic stripe
Not visible to the user
Read automatically by the terminal
Used only in fallback (when chip fails)

⚠️ The stripe is considered insecure and is being discontinued in several countries.

EMV Chip (contact payment)

Here begins modern security.

iCVV (Integrated CVV)

Replaces the CVV on the stripe
Stored on the chip
Never typed or displayed
Used internally only

Dynamic cryptography

Each transaction generates a unique cryptogram that cannot be reused.

Result: Even if someone copies the card data, the fraud is blocked.

NFC / Contactless payment

It works with the same logic as the chip, but without physical contact.

Uses iCVV
Uses dynamic cryptography
Can be done with:
Physical card
Digital wallets (Apple Pay, Google Pay)

CVV2 is not used or requested.

Tap to Phone / Tap to Pay

An evolution of in-person payment.

The cell phone becomes the card machine
The transaction is still in-person
Certified by international standards (EMV, PCI)

Security used:

iCVV
Dynamic cryptography
Protections of the device itself

What doesn't exist here:

Typing CVV
Treating it as an online purchase

Quick comparison

Technology	CVV1	CVV2	iCVV	Cryptography
Magnetic stripe	✅	❌	❌	❌
Chip	❌	❌	✅	✅
NFC	❌	❌	✅	✅
Tap to Phone	❌	❌	✅	✅
E-commerce	❌	✅	❌	❌

Why is the CVV becoming less important?

Because payment methods have evolved:

Tokenization
Digital wallets
Click to Pay
Strong authentication (3DS, biometrics)

In many modern cases, the CVV is no longer necessary.

Conclusion

Despite the different names, security codes follow a clear logic:

Online purchases → CVV2
In-person purchases → chip, NFC, cryptography
Modern technologies → less dependence on visual codes

The more advanced the technology, the more secure the transaction — and the smaller the role of the CVV.