CVV Codes
Encrypted CVV Input Field
CVV codes are the most sensitive payment field. SmartField encrypts 3-4 digit CVV codes with AES-256-GCM. The code never appears in the DOM, browser autosave, or screen recordings.
The Problem
CVV Codes entered in a standard HTML input are immediately accessible to any JavaScript on the page:
// Any script, extension, or tracker:
document.querySelector('input').value
// Your cvv codes in plaintext
The Solution
<smart-field type="password" encrypt-key="/api/sf-key"
placeholder="Enter cvv codes"></smart-field>
Now the same attack returns AES-256-GCM encrypted data. The cvv codes never exist as plaintext in the browser.
What the User Sees
The user types normally. The screen shows animated cipher characters: ΣΩΔψξλμπ
The real cvv codes are stored in a WeakMap (invisible to JavaScript) and encrypted with AES-256-GCM (unreadable without the server key).
Server-Side Decryption
// Node.js
const sf = require('@smartfield-dev/server');
await sf.init();
const data = await sf.decrypt(req.body.field);
// Your cvv codes in plaintext, server-side only
Frequently Asked Questions
How does SmartField encrypt cvv codes?+
SmartField generates a new AES-256 key and IV for every encryption. CVV Codes are encrypted before they exist in the DOM. The AES key is wrapped with RSA-2048. Only your server can decrypt.
Can trackers like Hotjar capture cvv codes?+
No. Hotjar records DOM content. SmartField stores cvv codes in a WeakMap inside a closed Shadow DOM. Hotjar only captures cipher characters.
What server languages are supported?+
SmartField provides SDKs for Node.js, Python, Java, Go, PHP, and Ruby. All tested and verified.
Related Pages