Tagada
All termsSecurityAdvancedUpdated April 22, 2026

What Is CAVV?

CAVV (Cardholder Authentication Verification Value) is a cryptographic code generated by an issuer's Access Control Server during 3D Secure authentication, proving to card networks and issuers that a cardholder was genuinely verified for a specific transaction.

Also known as: Cardholder Authentication Verification Value, AAV (Accountholder Authentication Value), AEVV (American Express Verification Value), Authentication Verification Value

Key Takeaways

  • CAVV is a cryptographic proof generated by the issuer's ACS confirming the cardholder completed 3D Secure authentication for a specific transaction.
  • A valid CAVV triggers liability shift, moving fraud chargeback responsibility from the merchant to the issuing bank.
  • CAVV is transaction-specific and cryptographically bound — it cannot be reused or replicated across different transactions.
  • Card networks use different names: Visa calls it CAVV, Mastercard uses AAV, Amex uses AEVV — but the function is identical.
  • Missing or invalid CAVV in an authorization request can result in declined transactions or loss of chargeback protection.

How CAVV Works

The CAVV is the final cryptographic output of a successful 3D Secure authentication session. It is produced by the issuing bank's Access Control Server (ACS) and travels back through the authentication chain to the merchant, who must then include it in the authorization request sent to the card network. Understanding this flow is critical for any payment team integrating 3DS or troubleshooting authentication failures.

01

Cardholder Initiates Checkout

The cardholder enters their card details at checkout. The merchant's payment form or SDK detects that the card is enrolled in 3D Secure by querying the card network's directory server.

02

Authentication Request Sent

The merchant or payment service provider sends an authentication request (AReq) to the card network's directory server, including the transaction amount, merchant data, and device fingerprint collected during the checkout session.

03

Directory Server Routes to ACS

The directory server identifies the card's issuing bank and forwards the request to that issuer's Access Control Server. The ACS holds the keys and risk logic needed to authenticate the cardholder.

04

ACS Authenticates the Cardholder

The ACS either silently authenticates (frictionless flow using risk signals) or challenges the cardholder with a one-time password, biometric prompt, or app notification. This is the step regulated by Strong Customer Authentication requirements in markets like the EU.

05

ACS Generates the CAVV

Upon successful authentication, the ACS generates the CAVV — a Base64-encoded cryptographic value (28 characters for Visa) bound to the specific transaction data: amount, currency, date, and merchant ID. It is computationally infeasible to forge without the issuer's private keys.

06

CAVV Returned in Authentication Response

The ACS returns an authentication response (ARes) containing the CAVV along with the ECI indicator. This response travels back through the directory server to the merchant's payment integration.

07

Merchant Passes CAVV in Authorization

The merchant's payment gateway includes the CAVV, ECI, and the 3DS transaction ID (XID or dsTransID) in the authorization request sent to the acquirer and card network.

08

Issuer Validates CAVV and Responds

The issuer receives the authorization request, re-derives the expected CAVV using the same cryptographic inputs, and compares it to the submitted value. A match confirms authentic 3DS completion. The issuer approves or declines and the liability shift is applied.

Why CAVV Matters

CAVV is the technical foundation of the liability shift mechanism — one of the most consequential financial protections available to online merchants. Without a valid CAVV on file, a merchant processing a fraudulent card-not-present transaction has no legal or contractual basis to contest the resulting dispute. The downstream costs go far beyond the transaction value itself.

According to Visa's published 3D Secure data, merchants who authenticate transactions through 3DS experience up to a 40% reduction in fraud rates compared to unauthenticated card-not-present flows. EMVCo's 2023 industry report documented that global 3DS transaction volume surpassed 70 billion transactions, reflecting the scale at which CAVV-based authentication now operates. A separate Mastercard study found that 3DS2's frictionless authentication path — which still generates a valid CAVV — reduces unnecessary friction-induced cart abandonment by up to 70% compared to 3DS1, directly impacting conversion rates at scale.

The business case for ensuring CAVV completeness is therefore twofold: it protects against fraud-coded chargebacks through liability shift, and it enables smoother checkout flows that improve authorization approval rates.

Liability Shift Requires a Valid CAVV

Liability shift is not automatic with 3D Secure enrollment. The CAVV must be present in the authorization request and pass the issuer's cryptographic validation. A failed authentication attempt that still returns an attempted ECI value (ECI 06 for Visa, ECI 01 for Mastercard) also provides partial liability shift, but only if the CAVV is correctly passed through.

CAVV vs. ECI

CAVV and ECI are generated together by the ACS and are always interpreted as a pair. Neither value alone is sufficient to determine the authentication outcome or the liability shift status of a transaction. Merchants and developers sometimes confuse the two, but they serve entirely different roles.

AttributeCAVVECI
Full nameCardholder Authentication Verification ValueElectronic Commerce Indicator
FormatBase64-encoded string (~28 chars)2-digit numeric code
Generated byIssuer's Access Control Server (ACS)ACS or directory server
PurposeCryptographic proof of authenticationClassification of authentication outcome
Included in auth requestYes — passed to issuer for validationYes — interpreted by acquirer and network
Triggers liability shiftYes, when valid and paired with correct ECIYes, when paired with valid CAVV
Visible to merchantYes — stored and passed through PSP/gatewayYes — returned in authentication response
Network-specific namingCAVV (Visa), AAV (MC), AEVV (Amex)Identical term across all networks
Fails silently if wrongIssuer rejects or declines authorizationIncorrect ECI can negate liability shift

Think of ECI as the label that classifies what happened during authentication (fully authenticated, attempted, not authenticated), and CAVV as the unforgeable stamp that proves that classification is legitimate.

Types of CAVV

CAVV values are not all equal. The authentication outcome — reflected in the ECI indicator — determines both the format of the CAVV and the degree of liability protection it confers. Three main variants exist across the Visa specification, with direct equivalents on Mastercard and other networks.

Fully Authenticated CAVV (ECI 05 / 02) Generated when the cardholder successfully completes all authentication steps, whether through a frictionless risk-based decision or an explicit challenge. This provides full liability shift for fraud-coded chargebacks. The ACS sets the authentication result code within the CAVV to indicate full success.

Attempted Authentication CAVV (ECI 06 / 01) Generated when the card is enrolled in 3DS but the issuer's ACS is unable to authenticate the cardholder — for example, the cardholder abandons the challenge or the ACS is temporarily unavailable. The network's attempt server generates a substitute CAVV. Partial liability shift applies: the merchant is protected against fraud disputes but not against all chargeback reason codes.

Non-Participating / No CAVV (ECI 07 / 00) No CAVV is generated when the card is not enrolled in 3D Secure or when authentication is bypassed (e.g., merchant-initiated transactions, recurring payments after initial authentication). No liability shift is available. Merchants should track which transaction segments fall into this category and assess their fraud exposure accordingly.

3DS2 Transaction Status Codes

In 3D Secure 2, the ACS returns a transStatus field: Y (authenticated), A (attempted), N (not authenticated), U (unable to authenticate), C (challenge required), R (rejected). Only Y and A statuses produce a valid CAVV that can be passed in the authorization request.

Best Practices

Correctly handling CAVV data requires coordination across merchant operations, payment integrations, and backend infrastructure. Failures typically happen at the handoff points between authentication and authorization.

For Merchants

Always store the full authentication response. Retain the CAVV, ECI, XID/dsTransID, and transaction status from every authentication attempt. You will need these fields if a chargeback is disputed — card network rules require merchants to produce authentication evidence to invoke liability shift.

Never retry authorization without re-authenticating. If an authorization is declined and you retry, do not reuse the CAVV from the previous attempt. The cryptographic binding to the original transaction data makes the CAVV invalid for a new authorization request. A new 3DS session must be initiated.

Segment reporting by ECI value. Build dashboards that break out authorization approval rates and fraud rates by ECI code. This surfaces whether your 3DS integration is generating full-authentication (ECI 05/02) versus attempted-authentication (ECI 06/01) outcomes — a meaningful difference in liability protection and often in issuer approval rates.

Understand exemptions carefully. Transaction Risk Analysis (TRA) exemptions, low-value exemptions, and merchant-initiated transactions do not generate a CAVV. Ensure your payment team understands which transaction types carry no authentication value and therefore no liability shift.

For Developers

Pass all three authentication fields. Authorization requests must include the CAVV, ECI, and the 3DS transaction reference (XID for 3DS1, dsTransID for 3DS2) as a complete set. Omitting any one field may cause the issuer to ignore the authentication data and process the transaction without liability shift, even if authentication occurred.

Validate the ARes before proceeding. Parse the authentication response and check the transStatus field before extracting the CAVV. Only proceed to authorization if transStatus is Y or A. If transStatus is N (authentication failed) or R (rejected), do not attempt authorization with that card in the same session.

Handle SDK and 3DS server errors explicitly. Network timeouts or ACS unavailability produce a transStatus of U (unable to authenticate). Your integration should surface this state to the payment logic layer — not silently fall back to unauthenticated authorization — so the merchant can decide whether to apply an exemption or re-attempt.

Log raw authentication responses server-side. Never rely solely on client-side callbacks to capture CAVV data. Implement server-to-server notification handling (challenge results, ACS callbacks) so authentication values are persisted securely even if the cardholder's browser session is interrupted.

Common Mistakes

Passing a stale or mismatched CAVV. The CAVV is cryptographically bound to the transaction amount, currency, and date used during authentication. If any of these fields change between authentication and authorization — a common scenario when taxes or shipping are calculated after 3DS — the issuer's validation will fail. Always authenticate with the final confirmed transaction amount.

Conflating 3DS enrollment with successful authentication. A card being enrolled in 3D Secure does not guarantee a CAVV will be generated. If the cardholder abandons the challenge or the ACS returns an error, the authentication fails without a usable CAVV. Integrations that assume enrollment equals authentication will submit authorizations with missing or invalid authentication fields.

Ignoring CAVV handling for recurring transactions. Only the initial transaction in a recurring series requires 3DS authentication with a full CAVV. Subsequent merchant-initiated transactions use a different authorization flow with the original transaction reference. Attempting to run a new 3DS flow for each recurring charge — or omitting authentication data entirely — creates both compliance and liability exposure depending on the card network's rules.

Discarding the authentication response after authorization. Some integrations extract only the authorization approval code and discard the raw 3DS authentication data. When a fraud-coded chargeback arrives months later, the merchant cannot produce the CAVV and ECI evidence required to invoke liability shift. Store all authentication response data for the full dispute window (typically 120–540 days depending on network rules).

Applying 3DS exemptions without understanding the liability consequences. Low-value exemptions and TRA exemptions bypass 3DS authentication entirely, which means no CAVV is generated and no liability shift applies. Teams that liberally apply exemptions to reduce friction often see those exemptions create concentrated fraud exposure in exactly the transaction segments that are exempt.

CAVV and Tagada

Tagada's payment orchestration layer handles CAVV propagation transparently across the acquirer and processor connections it manages. When a merchant authenticates via 3DS through Tagada's routing infrastructure, the CAVV, ECI, and 3DS transaction reference are automatically forwarded in the authorization request to the downstream processor — no manual field mapping required.

Authentication Data Across Routes

When Tagada routes a transaction to a different acquirer than the one used for the authentication session, the platform ensures the CAVV and ECI fields are correctly translated to the target processor's API format — including handling network-specific field names (CAVV for Visa paths, AAV for Mastercard paths). This prevents silent authentication data loss during acquirer fallback or load-balancing events, which is one of the most common sources of unexpected liability shift failure in multi-acquirer setups.

Tagada also surfaces authentication outcome breakdowns in its reporting dashboard, segmented by ECI code and processor. This allows payment teams to identify whether specific acquirer routes are producing lower rates of fully-authenticated (ECI 05/02) outcomes versus attempted (ECI 06/01), which can signal configuration issues in the 3DS server or ACS connectivity problems that erode liability-shift coverage over time.

Frequently Asked Questions

What does CAVV stand for?

CAVV stands for Cardholder Authentication Verification Value. It is a cryptographic code generated by the card issuer's Access Control Server (ACS) at the conclusion of a 3D Secure authentication flow. Mastercard uses the equivalent term AAV (Accountholder Authentication Value), while American Express calls it AEVV. Regardless of network branding, all these values serve the same purpose: cryptographically proving that the cardholder authentication step actually took place before an authorization was submitted to the issuer.

Why is CAVV important for merchants?

For merchants, a valid CAVV is the key that unlocks liability shift. When a transaction carries a valid CAVV, financial responsibility for fraud-related chargebacks transfers from the merchant to the card issuer. This means that if a fraudster uses a stolen card and the transaction was properly authenticated, the merchant is protected from the resulting chargeback. Without a valid CAVV, merchants bear the full cost of fraud disputes, which can account for 1–3% of gross revenue in high-risk categories such as digital goods and travel.

How is CAVV different from CVV?

CVV (Card Verification Value) is a static 3- or 4-digit code printed on the physical card, used to verify card possession in card-not-present environments. CAVV is a dynamic, transaction-specific cryptographic value generated during 3D Secure authentication by the issuer's server. CVV confirms you have the card; CAVV confirms the cardholder was actively authenticated by their bank for that exact transaction. Only CAVV triggers liability shift — CVV alone provides no chargeback protection for merchants against fraud-coded disputes.

What happens if the CAVV is invalid or missing?

If the CAVV is absent from an authorization request where 3D Secure was attempted, or if the issuer's cryptographic validation of the CAVV fails, the transaction may be declined or processed without liability shift. The CAVV is cryptographically bound to specific transaction data — amount, currency, date, and merchant — so a tampered or replayed value will fail validation. Submitting a transaction with an invalid CAVV can also flag the merchant for investigation by the card network and may result in scheme fines.

Does CAVV apply to 3D Secure 2?

Yes. CAVV is used in both 3D Secure 1 and 3D Secure 2 flows. In 3DS2, the authentication response message (ARes) from the issuer's ACS contains the CAVV when authentication is successful (transStatus = Y) or attempted (transStatus = A). The cryptographic structure is more robust in 3DS2 to accommodate richer data fields, but the role is identical: the value is passed in the authorization request to prove authenticated status and trigger liability shift from merchant to issuer.

Is CAVV the same across all card networks?

The concept is universal but naming varies by network. Visa calls it CAVV, Mastercard calls it AAV (Accountholder Authentication Value), American Express uses AEVV (American Express Verification Value), and Discover also uses AAV. Each network maintains its own cryptographic specification for generating and validating the value, but payment processors and orchestration platforms abstract these differences so merchants typically interact with a single authentication value field regardless of which network processes the transaction.

Tagada Platform

CAVV — built into Tagada

See how Tagada handles cavv as part of its unified commerce infrastructure. One platform for payments, checkout, and growth.

Try Tagada freeDocumentation

Related Terms

Security

3D Secure

An authentication protocol that adds a verification step during online card payments to confirm the cardholder's identity. 3D Secure reduces fraud, shifts liability to the issuing bank, and is required for PSD2 compliance in Europe.

Security

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a regulatory requirement under PSD2 that mandates multi-factor verification for electronic payments in Europe, combining at least two of three elements: knowledge, possession, and inherence.

Payments

Authorization

The real-time process where a card network and issuing bank approve or decline a payment transaction. Authorization verifies the card is valid, the account has sufficient funds, and the transaction passes fraud checks.

Fraud

Liability Shift

Liability shift transfers fraud-related chargeback responsibility from the merchant to the card issuer when specific authentication or technology requirements are met, reducing the merchant's financial exposure to fraudulent transactions.

Fraud

Chargeback

A forced reversal of a payment transaction initiated by the cardholder's bank. Chargebacks can result from fraud, customer disputes, or processing errors. High chargeback rates (above 1%) can lead to account termination and placement on the MATCH list.

Previous

Cash Advance

Next

Central Bank Digital Currency (CBDC)