
CAVV

Cardholder Authentication Verification Value, 3DS authentication value, 3D Secure cryptographic value


CAVV (Cardholder Authentication Verification Value) is a unique cryptographic code generated by an issuing bank to confirm that a customer successfully completed a 3D Secure authentication. This value is passed from the authentication step into the final authorization request. It serves as cryptographic proof that the legitimate cardholder approved the transaction, protecting merchants from fraud liability.

The Cardholder Authentication Verification Value is a security identifier created during the 3D Secure authentication process for online transactions. It appears in the payment processing flow when the merchant sends the final authorization request to the issuing bank. Operationally, passing a valid CAVV ensures liability shift for chargebacks, reduces fraud risk, and significantly improves the transaction approval rate for e-commerce payments.

What is a CAVV in payment processing?

When a customer makes an online purchase, merchants often use 3D Secure (3DS) to verify the shopper’s identity. However, verifying the identity is only the first half of the process. The issuing bank needs mathematical proof during the actual payment authorization that this authentication took place.

The CAVV provides that proof. It is a secure, base64-encoded string created by the issuer’s Access Control Server (ACS) and returned to the merchant after a successful 3DS check.

Without this value, the bank receiving the authorization request has no way to verify that the authentication step actually occurred. If the merchant claims a transaction is fully authenticated but fails to provide the CAVV, the issuer will likely reject the request, leading to unexpected checkout issues for the customer.

How does the CAVV work during a transaction?

Understanding how this value moves through the payment lifecycle clarifies why missing or malformed data causes payment failures. The process requires a clean handoff between the authentication system and the authorization system.

Here is the step-by-step flow of how the value is generated and used:

  • Authentication request: The customer clicks “Buy”, and the merchant’s 3DS server contacts the issuing bank to verify the user.
  • Customer verification: The issuer evaluates the risk. They may quietly approve it (frictionless flow) or ask the customer for a one-time password (challenge flow).
  • CAVV generation: Once verified, the issuer generates the CAVV and sends it back to the merchant’s payment gateway.
  • Payment authorization: The merchant’s gateway packages the payment details, inserts the CAVV into the specific 3DS data field, and sends the authorization request to the network.
  • Issuer validation: The issuing bank receives the authorization, validates the cryptographic signature of the CAVV, and approves the transaction.

Why does the CAVV matter for merchants?

For businesses processing online payments, correctly managing 3D Secure data is a major operational priority. The presence of a valid CAVV directly impacts both revenue and risk.

First, it guarantees a liability shift. When a transaction includes a valid CAVV, the financial liability for fraudulent chargebacks shifts from the merchant to the issuing bank. This protects the merchant’s bottom line from stolen card usage.

Second, it dramatically boosts approval rates. Issuing banks are highly sensitive to risk in card-not-present environments. When an issuer sees a valid CAVV attached to a request, their automated risk models recognize the transaction as safe. This directly translates to more approved payments and higher overall revenue.

How do CAVV errors cause payment declined scenarios?

Even when a customer successfully authenticates, technical missteps in passing the data can result in a transaction declined by the issuer.

A common issue occurs when payment gateways or routing layers drop the CAVV between the authentication and authorization steps. If a merchant’s 3DS provider is separate from their acquiring bank, the handoff of this cryptographic string must be flawless.

Additionally, formatting errors can cause a card declined response. The CAVV is a highly specific cryptographic string. If a system accidentally truncates the value or alters its encoding before sending it to the network, the issuer will fail the validation check. Because the issuer sees a corrupted security value, they will almost always decline the payment to prevent potential fraud.
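The handoff failures described above (a dropped, truncated or re-encoded value) can be caught before the authorization request leaves the merchant's systems. The following is an added example, not code from the original page or from any gateway: the function name, result codes and sample value are constructed, and the 28-character / 20-byte length is an assumption taken from EMV 3DS rather than from this page.

```python
import base64
import hmac

# Assumption (from EMV 3DS, not stated on this page): the authentication
# value is 28 base64 characters that decode to 20 bytes.
EXPECTED_CHARS = 28
EXPECTED_BYTES = 20

# Constructed sample value, not a real CAVV. It contains '+' and '/' so the
# encoding failures below are visible.
SAMPLE_CAVV = base64.b64encode(bytes([0xFB] * EXPECTED_BYTES)).decode()


def check_cavv_handoff(from_3ds: str, in_auth_request: str) -> list:
    """Compare the CAVV returned by the 3DS step with the one about to be
    sent for authorization. Returns problem codes; [] means unchanged."""
    if not in_auth_request:
        return ["missing"]  # dropped between authentication and authorization
    problems = []
    if any(ch.isspace() for ch in in_auth_request):
        # Typical cause: '+' URL-decoded to a space, or a line-wrapped value.
        problems.append("whitespace")
    if "-" in in_auth_request or "_" in in_auth_request:
        # Standard base64 was swapped for the URL-safe alphabet.
        problems.append("urlsafe_alphabet")
    if len(in_auth_request) < EXPECTED_CHARS:
        problems.append("truncated")
    try:
        raw = base64.b64decode(in_auth_request, validate=True)
        if len(raw) != EXPECTED_BYTES:
            problems.append("wrong_length")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("not_base64")
    # Byte-for-byte comparison against what the issuer's ACS returned.
    if not hmac.compare_digest(from_3ds.encode(), in_auth_request.encode()):
        problems.append("mismatch")
    return problems


if __name__ == "__main__":
    cases = {
        "intact": SAMPLE_CAVV,
        "dropped": "",
        "cut to 20 chars": SAMPLE_CAVV[:20],
        "'+' became space": SAMPLE_CAVV.replace("+", " "),
        "padding stripped": SAMPLE_CAVV.rstrip("="),
    }
    for name, value in cases.items():
        print(f"{name:18} -> {check_cavv_handoff(SAMPLE_CAVV, value) or 'ok'}")
```

Running the check at the boundary between the 3DS provider and the acquirer integration shows which hop altered the value, rather than leaving the issuer's decline as the only signal.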

CAVV vs ECI: What is the difference?

Merchants reviewing 3D Secure logs will often see the CAVV alongside another acronym called the ECI (Electronic Commerce Indicator). While they work together, they serve different purposes.

The ECI is a simple two-digit code that communicates the outcome of the authentication attempt. It tells the issuer whether the authentication was fully successful, simply attempted, or bypassed.

The CAVV is the actual cryptographic proof supporting that ECI claim. Think of the ECI as a person claiming they have a ticket to an event, while the CAVV is the unique barcode on the ticket that the security guard scans to verify the claim is true.

How does payment optimization handle CAVV issues?

Handling 3D Secure data requires precise orchestration. When a payment fails due to missing or corrupted authentication data, merchants need a strategy to salvage the revenue without blindly submitting the same flawed request.

This is where a platform like SmartRetry comes in. Designed for payment optimization and intelligent retries of declined payment transactions, SmartRetry helps merchants recover revenue and improve transaction approval rates. If a system detects a soft decline related to missing authentication data, intelligent routing rules can determine the best path forward.

Instead of accepting lost revenue, modern payment teams use these optimization tools to safely retry failed payments. By stripping out corrupted 3DS fields and retrying the transaction through an optimized fallback route, merchants can often successfully recover payments that would otherwise be permanently lost.

Frequently asked questions about this term

A CAVV is a cryptographic value generated by the issuer after a successful 3D Secure check. It is sent in authorization to prove the cardholder authentication happened.
After 3D Secure authentication, the issuer returns the CAVV to the merchant or gateway. That value is then added to the authorization request for issuer validation.
A valid CAVV supports liability shift on eligible fraud chargebacks and helps issuers recognize lower-risk e-commerce payments, which can improve approval rates.
Declines happen when the CAVV is missing, dropped between systems, truncated, or encoded incorrectly, so the issuer cannot validate the authentication proof.
ECI shows the authentication outcome, while CAVV is the cryptographic proof behind that result. They work together, but they are not the same field.
