This is a little confusing - each card has 3 Card Verification Values (which, depending on the type of card can be CVV, CID or CVC - lets use CVV)
CVV is stored on the track data.
CVV2 is the one on your card. It is transmitted as a separate field for non-card-present transactions (eCommerce, for instance).
CVV3, also known as dCVV (dynamic card verification value) is an EMV thing.
Most people use CVV to refer to CVV2.
This whole token thing is not AMEX only, Mastercard and Visa published specifications on this already and are certifying their acquirers. AMEX are late to the party :) The specifications are transitional at the moment, so the acquirer sends the token, and what's called the Token Service Provider (TSP, yay for TLA's) de-tokenizes it, then the real values are sent to the issuer for authorization.
The TSP can be the Switch (AMEX, Mastercard, Visa, etc.) or the card issuer, or a separate provider somewhere else that does only this.