Trainline payments going through with wrong CVC

When buying a ticket on the Trainline app, I accidentally put the wrong CVC for my debit card. I received a notification from Monzo telling me the payment was rejected due to a wrong CVC, but then I can see that just after that the same payment (or a copy?) went through and I was able to retrieve my train ticket.

I tried again, putting another bogus CVC and it worked again.

Isn’t that a serious security issue?

Could just be how the retailer processes payments; not everywhere even uses CVC numbers. I would imagine Trainline defaulted back to an alternative way to get the payment.

This used to be the same with Giffgaff (it may still be), it’s up to the merchant at the end of the day if they want to enforce it.

As others have said, it is up to the merchant and their agreement and risk profile with their bank. When I was handling payments for a company, our agreement said we had to match CVC, otherwise we weren’t covered in case of fraudulent payments (and I think our system just rejected payments with wrong CVC anyway), but I guess a merchant can choose different terms that allow wrong CVCs if they want to take on the extra risk to ensure more payments go through :man_shrugging:

I just contacted Trainline and they told me that they always reject unsafe payments and that they have no idea what happened :clown_face: