Visa dCVV2 Generate and Authenticate

A simple way to add dynamic data to remote commerce transactions.

available for use by

Issuer Banks

Regional Availability

View Details
  • N. America
  • Asia-Pacific
  • Europe
  • LAC


Free to use in Sandbox. Contact Visa for pricing and commercial details to use in Production.

Woman looking at phone next to her laptop

Add dynamic data to remote commerce transactions

As Chip technology becomes more prevalent globally, fraudsters are targeting card-absent transactions more often. The use of dynamic Card Verification Value 2 (dCVV2) is one tool issuers may consider to reduce fraud risk in this environment. 

On a standard card, the 3-digit CVV2 value is printed on the back. Because the value is static, it could be reused for fraudulent transactions following compromise during a data breach. By contrast, the dCVV2 value is not static and updates periodically. This greatly reduces the opportunity for reuse because, once the value is updated, issuers can identify older or expired values and decline transactions accordingly.  Compromised accounts may not automatically require card reissuance, saving on the costs of card production and distribution, customer service, fraud investigation, and attrition.

The Visa dCVV2 Authenticate service checks the dCVV2 code during authorization processing, and forwards the result (pass/fail) to the issuer, or responds to the acquirer on the issuer’s behalf.  Visa dCVV2 Generate provides a cost effective way for issuers to make dCVV2 codes available to their cardholders via a mobile banking, SMS, or standalone mobile app.  

Key Features

Icon showing merchant

Dynamic data in remote commerce transactions

Visa dCVV2 Generate offers a simple, fast way to add dynamic data to remote commerce transactions. Because dCVV2 follows the same format as regular CVV2, no merchant or infrastructure changes are required and cardholders are already familar with how it works.

Icon showing code block

Codes validated by VisaNet

dCVV2 Codes generated by Visa can be validated by Visa during the authorization process (using the Visa dCVV2 Authenticate service) meaning that issuers do not need to invest in developing the validation capability in house or wait for their processor to offer the capability.

Visa also offers the Visa dCVV2 Convert service, that can replace the dCVV2 code in authorization messages with a static CVV2, so issuers do not need to identify and treat transactions with dCVV2 as exceptions.

icon showing reduce costs

Helps reduce costs associated with fraud

Fraud occuring in the remote or card-absent environment is not generally the financial responsibility of issuer; however, while the cost of the transaction itself may be offset, issuers still incur significant costs associated with fraud investigation, customer service, replacement card production and distribution,  reduced future usage and customer attrition.

As stolen dCVV2 can be identified and declined by issuers, it can help reduce remote commerce fraud, and cards may not need to be replaced in the event of a data compromise. 

Why Use It?

Using a dynamic CVV2 instead of a static CVV2 may significantly reduce the potential for fraud to occur on accounts following a data compromise. Providing dCVV2 codes to cardholders via a mobile banking app or via SMS may be a more cost effective way distibuting them, when compared to adding dCVV2 capability to the physical card. The Visa dCVV2 Generate service enables issuers to trial and launch dCVV2 capabilty with minimal host development costs or risks.  Additionally using the Visa dCVV2 Authenticate service minimizes the host developments needed to check the codes during authorization.

How Does It Work?

Using the Visa dCVV2 Generate API, Issuers and approved third parties may request up to 24 dCVV2 codes for the same account number.  dCVV2 codes generated using the service are time-based and based on the Visa dCVV2 Technical Specification. Issuers can store dCVV2 codes at their host, or push them to their mobile app to be displayed on request by the cardholder. Alternatively issuers may call in to the service while their cardholder is transacting, and request a single code in real-time.

Once delivered to the cardholder, the code is used exactly as a static code would be - it's entered into a merchant's web site or provided to a merchant verbally over the phone. The code is then included in the authorization message, and can be validated by Visa (if the issuer subscribes to the Visa dCVV2 Authenticate service), the Issuer, or the Issuer's processor.  


APIs Included

dCVV2 Generate Request

This API should be used to request between 1 and 24 dCVV2 values and have those values returned.

dCVV2 Authenticate

For issuers who wish to enroll, unenroll or inquire on the status of account numbers in the dCVV2 Authenticate service.

Ready to start with Visa dCVV2 Generate?
Need Support?