Their purpose is to confirm that you actually have the card in hand. Some websites, or things like google or apple wallet allow you to save the card number but not the cvv (or Csc). It’s not fool proof by any stretch of the imagination, but it is safer on the grand scheme of things than getting you to share your pin online.
You use your CVV to make online purchases with your card, you can think of it as a password. An online purchase will usually go something like this:
You get to the payment part and put in your card info (“XXXX-XXXX-XXXX”) you can think of that as being the username.
Now you need the password, your password is a “Hash” of the CVV. A hash is essentially encrypting it and turning it into gibberish that nobody can decipher.
The bank will store this hash and your card number in a database, but since nobody can decipher the hash they have no idea what the CVV actually is, just what it can turn into. They use this to make a super secure password for you, unless someone manages to get hold of the actual code the bank uses for these verifications, they could spend hundreds of years guessing how to get the hash just right before they have full access.
If someone can give them both of these credentials they will be allowed to make a purchase, if not they will have to try again (Or your card will freeze till the bank calls you to verify it is not illegal activity)
TL:DR
Banks verify card purchases as if you had a username and password, the card # is the user name, the CVV is the password
Latest Answers