Insight: The codes they're a-changin'

Credit and debit cards can now regularly update with dynamic security codes, meaning if an attacker gets their hands on your card details, the information will become out of date when the CVV changes.

What’s a CVV?

A Credit Verification Value (CVV) is the 3 or 4-digit number on your card needed to make online purchases. It’s also called a Card Verification Code (CVC) or a Card Security Code (CSC). Unlike your card number, online stores aren’t allowed to save your CVV, so it needs to be entered each time you make a purchase. If your card details ever get leaked, the CVV won’t be included, so attackers can’t use it to make fraudulent purchases online. It acts as an additional layer of verification. 
But attackers can still get hold of your CVV through online attacks they carry out (see below) or through a data breach. A dynamic CVV changes to a new one every 12 or 24 hours. This makes it more difficult for scammers to use your credit card details for online transactions – they would have to do it before your code changes.

How scammers can get hold of your CVV
  • Phishing forms: Scammers will create phishing forms that look like legitimate webpages. These forms capture your card details if you enter them.
  • Scam phone calls: Scammers will call you pretending to be from a trusted institution – such as the fraud team at your bank or your credit card provider – and try to get your details.
    Scam calls - Own Your Online
  • Keystroke logging: If a scammer gets unauthorised access to your device, they can install malicious software that records every keystroke and captures your card details, as well as other credentials, such as your passwords and PINs.

What it looks like

Some credit and debit cards equipped with dynamic CVVs have an electronic screen on the back where the CVV normally is. The code on this screen changes at fixed intervals, usually every 24 hours. The screen is usually battery-powered, which can increase the cost of the card. A more common, and cheaper, alternative is to have dynamic codes on your digital card, with at least one major New Zealand bank already offering this technology to its customers. Your banking app generates a new code for your card every 12 hours that you can use for online transactions.

Having a card with anti-fraud measures is a good start, but there are other things you can do to keep fraudsters from getting their hands on your information. 

  • Be wary of suspicious sites. They may impersonate the website of a reputable company, but there are red flags you can look out for. 
    Stay safe when you are shopping online - Own Your Online
  • Make sure your personal information is secure. Look for a padlock symbol next to the URL in your browser, or check the URL starts with https:// rather than http://.
  • Only use trusted payment systems like PayPal, Apple Pay or Google Wallet, and avoid supplying payment details in an email.
  • Keep an eye on your bank or credit card statements for unusual activity. If you spot something, contact your bank immediately.

Does this work?

Banks around the world have reported a significant reduction in fraudulent purchases for customers using dynamic CVVs. But there are no silver bullets in the world of cyber security that will spell the end of online fraud. It is important to note that CVV numbers are not used for all types of transactions, such as when shopping at a physical store or when using an ATM.
If you are using the dynamic CVV feature on your digital card, your physical card will still have a CVV printed on it. So, if someone gets their hands on your physical card, they can still use it to pay for things online. 
A dynamic CVV does add a layer of security to your online transactions and is best used with other practices for staying secure online.