I need some help to clarify my understanding of CVV. We've had some recent counterfeit debit card fraud and I've narrowed it down to 1 common point of purchase, I know for sure 1 other local bank has narrowed it down to the same merchant and I'm confident others will as well. The transactions were all approved and passed CVV (all fraudulent transactions were card present). If these cards were skimmed at this merchant, the CVV can be skimmed correct? Or would this have to have been a compromise on the back end somewhere like a server or their merchant processor? I guess I'm not clear as to how the CVV works, is it simply part of the track data, or does there need to be another piece like something that comes back from the processor during the approval? Any help would be greatly appreciated.

they could have been skimmed. but it could have also been compromised at that merchant or its acquirer depending on if they store that info. The CVV is encoded in the track 2 data on your cards.

Thanks for the clarification XODUS.