It’s for the cases when someone doesn’t physically have your card. Getting the 16 digit number and expiration date is fairly easy to a degree. It to get the CVV you need to physically have the card and see it. It’s just an extra layer of protection to ensure the person actually has the card.

It’s primarily used for what is called “card not present” transactions. When a merchant can’t verify you have a physical card. Such as an online payment.

Just one more layer of security. Nothing is perfect overall, nor is any layer of security alone perfect . But when you add up all the different layers it gets more and more difficult to cause issues.

It is for card not present transactions – i.e. they steal your card number from a website.

They are not allowed to store the CVV number. They use the CVV to verify the card when you first use it, and if you keep the card on file they may not request it again (they aren’t required to submit this as a part of payment processing) but they do not keep the CVV itself.

This is so when a hacker gets into a database w/ a ton of credit card numbers they are unable to make transactions with just the numbers.

In accordance with the card issuers agreement the CVV# cannot be stored after the transaction has been processed, and a merchant cannot process a transaction w/out the CVV#. This is why a merchant will always ask for your CVV# even if they have your credit card information on file.

Edit: changed wording from store to merchant to prevent confusion.

>If a credit card gets stolen they have access to the CVV number as easily as the 16 digits

Yes but there are cases where someone can have your 16 digits but *doesn’t have the physical card.* Like if your card is visible on the table in a photo that gets posted on social media.

Credit card numbers can be quite easily generated, actually. They follow a very specific pattern, with the first four to eight  numbers describing the issuer. Then the rest of the numbers are the account number. Except the last number, which is a checksum. So someone who might want to use someone else’s card online could easily generate a valid card without much fuss, since the options are not that many. 

So the cvv is an identifier that’s specific to that card, to make sure the user is the actual owner. 

If someone steals your physical credit card, you immediately tell the bank to cancel void it.

Otherwise CVV is doing exactly the job it’s meant to, being a security number only the physical holder of the card knows.

On your physical card, the data on the magnetic strip is just the card number and the expiration date. The beginning of the card number is a reference code to the card management company (Visa, Master, Amex, Discover, etc.) and the issuing bank, and the rest is your identifier.

When skimmers started being a thing, picking up and storing the magnetic swipe, card companies introduced PINs. Well, then skimmers were built that had button overlays that could steal the PIN.

So they added more security. A CVV that was used essentially only for online purchases so that someone who skimmed the card info couldn’t make online purchases with skimmed swipe data. Even still, cameras got small enough and good enough to be able to read the CVV in a skim attack.

So the current state of things is this:

Your swipe is rarely used, preventing skimming; chip or tap is common at most retailers, which can be read by a skimmer but as it’s encrypted and doesn’t code to the card number, it’s much less useful. Either way, you also use your PIN or ZIP code as a second factor of authentication to ensure it’s actually the cardholder using the card in person. (Some cards may allow PIN-less and ZIP-less purchases, but they’re rare and typically only on low-dollar purchases.)

If the card stripe is skimmed, the thief cannot just make a physical copy because of the vast majority of retailers who have transitioned to chip-insertion readers where the card issuer forces a chip read at point of sale. They can’t really use the card online, even if they have the PIN, because they need the CVV. If they do get the CVV, they also need the ZIP code.

And at that point, the thief has your whole wallet and you have larger problems at hand.

Originally it was because the card number got copied when they took a carbon-copy impression of the card while the CVV didn’t, because the CVV was only printed on it, not embossed. So the CVV didn’t appear on the copies, just on the cards.

That meant it was a useful tool for telling if someone was calling in with the card in hand, or if all they had was an old copy from a previous transaction.

But since then, the card companies made a rule that no matter HOW you stored card numbers; be it a photograph, database, carbon imprint or what have you, you’re not allowed to store the CVV. Technically you obviously CAN, but if you’re caught storing them you get a hefty fine.

So that makes it still reasonably useful for determining whether the person attempting the transaction actually has the physical card present right there, vs just a saved copy of the card number.