When buying a ticket on the Trainline app I accidentally put the wrong CVC for my debit card. I received a notification from Monzo telling me the payment was rejected to a wrong CVC but then I can see that just after that the same payment (or a copy?) went through and I was able to retrieve my train ticket.
I tried again, putting another bogus CVC and it worked again.
As others have said, it is up to the merchant and their agreement and risk profile with their bank. When I was handling payments for a company, our agreement said we had to match CVC, otherwise we weren’t covered in case of fraudulent payments (and I think our system just rejected payments with wrong CVC anyway), but I guess a merchant can choose different terms that allow wrong CVCs if they want to take on the extra risk to ensure more payments go through