According to global financial security standards (specifically PCI DSS), your CVV (Card Verification Value)—the 3 or 4-digit security code—should never be stored by a merchant or service provider after a transaction is authorized. It is strictly "Sensitive Authentication Data" (SAD) that must be deleted immediately after the payment is processed. While merchants are allowed to store your 16-digit card number and expiration date (if encrypted), they are legally prohibited from retaining the CVV in any database, even if it is "hidden." In 2026, when you see a "Saved Card" on a website like Amazon or Uber, the platform has stored a "token" for your card, but they will often ask you to re-enter the CVV for security. If a company is found to be storing CVV data, they face massive fines and the loss of their ability to process credit cards. Your CVV technically only "lives" in the magnetic stripe or chip of your physical card and within the highly secure, encrypted verification servers of your bank.