How Visa card verification values are used

The Visa International Service Association (VISA) and MasterCard International, Incorporated have specified a cryptographic method to calculate a value that relates to the personal account number (PAN), the card expiration date, and the service code.

The Visa card-verification value (CVV) and the MasterCard card-verification code (CVC) can be encoded on either track 1 or track 2 of a magnetic striped card or chip card and are used to detect forged cards. Because most online transactions use track-2, the CCA verbs generate and verify the CVV¹ by the track-2 method.

The Visa CVV Generate verb calculates a 1-byte to 5-byte value through the DES-encryption of the PAN, the card expiration date, and the service code using two data-encrypting keys or two MAC keys. The Visa CVV Verify verb calculates the CVV by the same method, compares it to the CVV supplied by the application (which reads the credit card's magnetic stripe or chip) in the CVV_value, and issues a return code that indicates whether the card is authentic.

The CVV Key Combine verb combines two operational DES keys into one operational TDES key. The verb accepts as input two single-length keys that are suitable for use with the CVV (card-verification value) algorithm. The resulting double-length key meets a more recent industry standard of using TDES to support PIN-based transactions. In addition, the double-length key is in a format that can be wrapped using the TR31 Translate verb.