DEV Community

Vihanga Nimsara

I Entered a Fake CVV — Here’s Why the Bank Immediately Rejected It

Recently, I ran into something interesting while adding a credit card to an online payment system.

I wasn’t making a purchase — just saving the card.

Out of curiosity, I entered a fake CVV.

The card was immediately declined.

That raised an important technical question:

- Is CVV really verified even when no payment is made?
- How is CVV generated by banks?
- How does CVV verification actually work?

This article breaks down the technical process of CVV generation and validation, including the cryptographic mechanisms used by banks and card networks like Visa and Mastercard.

What Is CVV in Payment Systems?

As an undergraduate I thought of CVV as:

“Just a 3-digit security number on the back of the card.”

Technically, that’s not accurate.

CVV (Card Verification Value; Mastercard calls it CVC) is a keyed cryptographic check value that the issuing bank derives from:

  • PAN (Primary Account Number, the card number)
  • Expiry date
  • Service code
  • A pair of secret Card Verification Keys (CVK A and CVK B), known only to the issuer
  • DES and 3DES
  • A Hardware Security Module (HSM), which holds the keys and runs the computation

The code printed on the card is the CVV2 (CVC2). The magnetic stripe carries a separate CVV1 derived with the same keys but a different service code, so the printed code cannot be read off the stripe and the stripe value cannot be used online.

It is not random: it is a deterministic function of the card data and the issuer's keys.
It cannot be computed without those keys.
It must not be stored by merchants.

Why It Failed Even Without a Purchase

In my scenario I assumed:

“If I’m not making a payment, the CVV shouldn’t matter.”

But here’s what actually happens.

When you “add a card,” most systems perform one of the following:

  1. Account verification, a zero-amount authorization
  2. Small temporary authorization that is later reversed or refunded
  3. Network-level card validation

So even if you are not paying, the system still:

  1. Sends card details to the payment gateway
  2. Gateway routes the request through the card network (e.g., Visa / Mastercard)
  3. The issuing bank (or the processor that holds its keys) recomputes the CVV2 and compares it with what you typed
  4. The issuer returns an authorization response plus a separate CVV2 result code (match, no match, not processed); on a mismatch the issuer either declines outright or the gateway's and merchant's rules reject the card

So yes — CVV is verified even when you’re “just adding” a card.

How CVV Is Generated (Technical Deep Dive)

Let’s go deeper.

Step 1: Data Preparation

The bank combines:

PAN (Card Number)
Expiry Date (YYMM)
Service Code (3 digits)

Example:

4539148803436467
2708
101

These are concatenated into one decimal string and right-padded with zeros to 32 digits (128 bits) to form the data block. Which service code goes in depends on which value is being produced: the stripe's CVV1 uses the card's real service code (101 here), while the printed CVV2 uses a fixed 000. That single input difference is why the two codes differ.

Step 2: Encryption

The bank processes the data block using:

  • DES and 3DES: the block is split into two 64-bit halves, the first half is DES-encrypted under CVK A, the result is XORed with the second half, and that 64-bit value is put through 3DES (encrypt with CVK A, decrypt with CVK B, encrypt with CVK A)
  • Secret keys stored inside an HSM

The keys never leave the bank’s secure infrastructure.

Even if you know:

  • The card number
  • Expiry date
  • Service code

Without the keys, you cannot compute the correct CVV.

Step 3: Extract CVV Digits

After encryption:

  • The output is a 64-bit block, written as 16 hexadecimal digits
  • The bank decimalizes it: the digits 0–9 are collected left to right, then any letters A–F are mapped to 0–5 and appended
  • The first 3 digits of that decimal string become the CVV

Illustrative output (shown in decimal for readability; a real cipher output is 16 hex digits):

839275192837465

Take first 3 digits:

839 → CVV

For the CVV2 run (service code 000), that’s the number printed on your card.

Clean Technical Flow Diagram

Here’s the simplified flow when you enter your card online:

User
  |
  |  Enter Card + CVV
  v
Merchant Website
  |
  |  Encrypted Request
  v
Payment Gateway
  |
  |  Routed via Network
  v
Card Network (Visa / Mastercard)
  |
  v
Issuing Bank
  |
  |  Recalculate CVV using:
  |  - PAN
  |  - Expiry
  |  - Service Code
  |  - Secret Key (HSM)
  |
  |  Compare with entered CVV
  |
  +--> Match → Approve
  |
  +--> Mismatch → Decline

Important:

The merchant never calculates CVV.
The payment gateway never generates CVV.
Only the issuing bank (or the processor that holds its keys inside an HSM) can validate it.
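The derivation in Steps 1–3 and the issuer-side recomputation in the diagram above, as an added example in Go. This is not code from the original post; it implements the Visa CVV algorithm with Go's standard crypto/des package. The two Card Verification Keys are classic DES test vectors, not real issuer keys, and the PAN and expiry are the constructed values from the example above. The names deriveCVV, verifyCVV, buildDataBlock, testCVKA and testCVKB are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed test keys (CVK A / CVK B). Real CVKs live only inside the
// issuer's HSM; these are textbook DES test vectors, not production values.
var (
	testCVKA = mustHex("0123456789ABCDEF")
	testCVKB = mustHex("FEDCBA9876543210")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// buildDataBlock forms the 128-bit input: PAN || YYMM || service code,
// right-padded with zeros to 32 decimal digits (Step 1).
func buildDataBlock(pan, expiryYYMM, serviceCode string) (string, error) {
	data := pan + expiryYYMM + serviceCode
	if len(data) > 32 {
		return "", errors.New("PAN + expiry + service code exceeds 32 digits")
	}
	for _, c := range data {
		if c < '0' || c > '9' {
			return "", errors.New("data block must contain decimal digits only")
		}
	}
	return data + strings.Repeat("0", 32-len(data)), nil
}

// deriveCVV runs the Visa CVV algorithm (Steps 2 and 3):
//  1. split the data block into two 64-bit halves A and B
//  2. DES-encrypt A under CVK A and XOR the result with B
//  3. 3DES the 64-bit result: encrypt CVK A, decrypt CVK B, encrypt CVK A
//  4. decimalize: keep the digits 0-9 of the hex output left to right, append
//     the letters A-F mapped to 0-5, and take the first three digits
func deriveCVV(cvkA, cvkB []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	blockHex, err := buildDataBlock(pan, expiryYYMM, serviceCode)
	if err != nil {
		return "", err
	}
	block := mustHex(blockHex) // 16 bytes, guaranteed hex-decodable by buildDataBlock
	a, b := block[:8], block[8:]

	single, err := des.NewCipher(cvkA)
	if err != nil {
		return "", err
	}
	tmp := make([]byte, 8)
	single.Encrypt(tmp, a)
	for i := range tmp {
		tmp[i] ^= b[i]
	}

	// Two-key 3DES is expressed to Go as K1 || K2 || K1.
	tdesKey := append(append(append([]byte{}, cvkA...), cvkB...), cvkA...)
	triple, err := des.NewTripleDESCipher(tdesKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	triple.Encrypt(out, tmp)

	h := strings.ToUpper(hex.EncodeToString(out))
	digits := make([]byte, 0, 16)
	for i := 0; i < len(h); i++ {
		if h[i] >= '0' && h[i] <= '9' {
			digits = append(digits, h[i])
		}
	}
	for i := 0; i < len(h); i++ {
		if h[i] >= 'A' && h[i] <= 'F' {
			digits = append(digits, '0'+(h[i]-'A'))
		}
	}
	return string(digits[:3]), nil // 16 hex digits always yield 16 decimal digits, so 3 exist
}

// verifyCVV is the issuer-side check from the diagram: recompute from the
// card data and compare with the presented value in constant time.
func verifyCVV(cvkA, cvkB []byte, pan, expiryYYMM, serviceCode, presented string) bool {
	expected, err := deriveCVV(cvkA, cvkB, pan, expiryYYMM, serviceCode)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

func main() {
	pan, exp := "4539148803436467", "2708"
	cvv1, _ := deriveCVV(testCVKA, testCVKB, pan, exp, "101") // stripe CVV1: the card's real service code
	cvv2, _ := deriveCVV(testCVKA, testCVKB, pan, exp, "000") // printed CVV2: fixed service code 000
	fmt.Println("CVV1:", cvv1, "CVV2:", cvv2)
	fmt.Println("correct CVV2 accepted:", verifyCVV(testCVKA, testCVKB, pan, exp, "000", cvv2))
	fmt.Println("wrong CVV2 accepted:  ", verifyCVV(testCVKA, testCVKB, pan, exp, "000", "123"))
}
```

Running it prints two different three-digit values for the same card, one per service code, which is the CVV1/CVV2 split described in Step 1. The constant-time compare matters on a real authorization host: a byte-by-byte early-exit comparison would leak how many leading digits of a guess were right.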

Why Merchants Cannot Store CVV

PCI DSS (Requirement 3), maintained by the PCI Security Standards Council, prohibits storing sensitive authentication data after authorization, even in encrypted form:

  • CVV2 / CVC2 (the printed code)
  • PIN / PIN block
  • Full magnetic stripe (track) data

This is why many merchants ask you to re-enter the CVV even when the card is saved. Merchants that do not ask process later payments as stored-credential (card-on-file) transactions, which the networks allow without a CVV; the card was verified once at enrolment, and the merchant carries the resulting fraud risk.

Can CVV Be Brute-Forced?

Technically, there are only 1000 combinations (000–999), so on its own a CVV is worth about 10 bits: a script could enumerate every value in seconds.

What stops that in practice is not the value but how guesses are handled:

  • Issuers apply velocity limits, keyed by card rather than by merchant
  • Fraud detection systems monitor repeated CVV2 mismatches
  • Card networks flag suspicious activity across merchants
  • After a few failed attempts the card is blocked for further attempts, so the remaining guesses never get answered

One caveat: the limit has to be enforced at the issuer, per card. A limit that only counts attempts at one merchant does not stop an attacker who spreads the 1000 guesses across many merchants.

So brute-force attacks are effectively prevented by the issuer's velocity controls, not by the size of the number.
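The velocity control described above, as an added example in Go that is not part of the original post. It models the issuer's CVV2 comparison with a per-PAN counter and runs a simulated attacker against it twice: once with a lockout, once without. The result codes "M" and "N" follow the real CVV2 result-code convention (match / no match); "DECLINED" is this simulation's stand-in for the hard decline an issuer returns once the limit is exceeded. The PAN, the "839" CVV from the text and the limit of 5 are constructed test values; Issuer, Enroll, Authorize and BruteForce are this example's own names.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Issuer models the authorization host's CVV2 comparison together with a
// per-PAN velocity counter. Keying the counter by PAN (not by merchant) is
// the point: guesses spread across many merchants still hit one counter.
type Issuer struct {
	maxFailures int               // consecutive mismatches tolerated before the card is blocked
	expected    map[string]string // PAN -> correct CVV2 (constructed fixture; a real host recomputes it in the HSM)
	failures    map[string]int    // PAN -> consecutive mismatches
	blocked     map[string]bool   // PAN -> no further CVV2 checks are answered
}

func NewIssuer(maxFailures int) *Issuer {
	return &Issuer{
		maxFailures: maxFailures,
		expected:    map[string]string{},
		failures:    map[string]int{},
		blocked:     map[string]bool{},
	}
}

// Enroll registers a card with its correct CVV2 (test fixture only).
func (is *Issuer) Enroll(pan, cvv2 string) { is.expected[pan] = cvv2 }

// Authorize answers one authorization request that carries a CVV2.
// "M" = match, "N" = no match, "DECLINED" = hard decline (blocked or unknown card).
func (is *Issuer) Authorize(pan, cvv2 string) string {
	if is.blocked[pan] {
		return "DECLINED"
	}
	want, ok := is.expected[pan]
	if !ok {
		return "DECLINED"
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(cvv2)) == 1 {
		is.failures[pan] = 0 // a correct entry resets the counter for the legitimate cardholder
		return "M"
	}
	is.failures[pan]++
	if is.failures[pan] >= is.maxFailures {
		is.blocked[pan] = true // this mismatch is still reported as "N"; the next request is refused
	}
	return "N"
}

// BruteForce plays the attacker: it walks 000..999 against one PAN and stops
// at the first match or the first hard decline. It returns the guess that
// matched (empty if none), whether it succeeded, and how many attempts it made.
func BruteForce(is *Issuer, pan string) (string, bool, int) {
	attempts := 0
	for g := 0; g < 1000; g++ {
		guess := fmt.Sprintf("%03d", g)
		attempts++
		switch is.Authorize(pan, guess) {
		case "M":
			return guess, true, attempts
		case "DECLINED":
			return "", false, attempts
		}
	}
	return "", false, attempts
}

func main() {
	const pan = "4539148803436467"

	locked := NewIssuer(5)
	locked.Enroll(pan, "839") // the illustrative CVV from the text
	g, ok, n := BruteForce(locked, pan)
	fmt.Printf("with lockout:    found=%v guess=%q attempts=%d\n", ok, g, n)

	open := NewIssuer(1 << 30) // no effective limit: shows why the counter matters
	open.Enroll(pan, "839")
	g, ok, n = BruteForce(open, pan)
	fmt.Printf("without lockout: found=%v guess=%q attempts=%d\n", ok, g, n)
}
```

With the limit in place the attacker gets five "N" answers and then nothing, so 994 of the 1000 guesses are never evaluated; without it the same loop recovers the code on the 840th request. The reset on a correct entry is what keeps the control from locking out a cardholder who mistyped twice.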

Final Takeaway

My fake CVV failed because:

  • The system performed a real authorization check
  • The issuing bank recalculated the CVV
  • The values did not match
  • The bank declined the request

What looks like a simple 3-digit number is actually part of a secure cryptographic architecture involving:

  • Symmetric encryption
  • Hardware Security Modules
  • Network-level routing
  • Fraud detection systems
  • PCI compliance frameworks

Sometimes a simple experiment reveals the complexity of global payment infrastructure.
