Staying within PCI DSS Requirements when Storing CVC/CVV2 Information
As more companies work toward PCI compliance, a recurring question is what cardholder data may and may not be stored. It comes up most often for the CVC/CVV2 card-verification codes printed on payment cards. The answer matters, because getting it wrong makes PCI compliance impossible.
So, “can you store CVC/CVV2 post-authorization and stay within the PCI DSS requirements?” The answer is “no.” PCI DSS Requirement 3.2 (the numbering in PCI DSS v3.x; in v4.0 the same prohibition is Requirement 3.3.1) states that sensitive authentication data must not be stored after authorization, even if it is encrypted. The requirement spells out that this includes the card-verification code or value: the three-digit code on the back of most payment cards, or the four-digit code printed on the front of American Express cards, which is used to verify card-not-present transactions. Encrypting, hashing, or tokenizing the code does not make post-authorization storage permissible; the data simply must not be retained.
To be clear, the PCI DSS does allow this data to be stored up until authorization; after that point it must be removed from every place it was held. According to Roger Nebel, an independent PCI DSS auditor, “This was done so that merchants who process in batch mode could hold on to the CVV until they process their batch and then get authorization, which might take a day or two. After that it must not be stored. Thus, once there is authorization, all the places the CVV had been stored, whether on paper or in a file, must be cleansed of the CVV. The service provider and the merchant must not keep it post-authorization. Paper copies need to be shredded, and any and all files, database records, etc., must be securely erased of the CVV.”
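The batch-mode flow described above, written out as an added example (this is illustrative code, not from the article, from the PCI SSC, or from any payment processor). An in-memory SQLite table stands in for the merchant's batch file; the `authorizer` callable stands in for the acquirer's authorization call; the record fields, the `BatchStore` class and the log-scanning regex are all assumptions made for the example. The point it demonstrates is structural: the CVV is written only while the transaction is pending, the UPDATE that records the authorization result is the same statement that nulls the CVV, so an approved or declined record can never hold one, and an audit query plus a log scanner check that nothing survived.

```python
import re
import sqlite3
from typing import Callable, Dict, Iterable, List, Tuple

# Pattern for a card-verification value that leaked into a log line or a
# database dump, e.g. 'cvv=123' or '"cvc2": "4567"'. Constructed for this example;
# it is a review aid and will also flag unrelated fields such as a 'cid' customer id.
CVV_FIELD = re.compile(
    r'\b(cvv2?|cvc2?|cid)\b\s*["\']?\s*[:=]\s*["\']?(\d{3,4})\b', re.IGNORECASE
)


class BatchStore:
    """Pending-transaction batch for a merchant that authorizes in batch mode.

    The CVV is written when the transaction is captured and removed from the
    record as soon as the authorization result is known, approved or declined.
    A declined transaction is not a reason to keep the CVV for a retry; the
    cardholder has to supply it again.
    """

    def __init__(self) -> None:
        # In-memory SQLite stands in for the batch file / database table (assumption).
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE batch ("
            " txn_id TEXT PRIMARY KEY, pan_last4 TEXT, amount_cents INTEGER,"
            " cvv TEXT, status TEXT NOT NULL)"
        )

    def queue(self, txn_id: str, pan_last4: str, amount_cents: int, cvv: str) -> None:
        """Capture a transaction. Holding the CVV here, before authorization, is permitted."""
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("CVV must be 3 or 4 digits")
        self.db.execute(
            "INSERT INTO batch VALUES (?, ?, ?, ?, 'pending')",
            (txn_id, pan_last4, amount_cents, cvv),
        )

    def authorize_batch(self, authorizer: Callable[[str, int, str], bool]) -> Dict[str, str]:
        """Authorize every pending transaction and purge its CVV in the same step.

        `authorizer(pan_last4, amount_cents, cvv)` models the acquirer call (assumption).
        """
        results: Dict[str, str] = {}
        rows = self.db.execute(
            "SELECT txn_id, pan_last4, amount_cents, cvv FROM batch WHERE status = 'pending'"
        ).fetchall()
        for txn_id, pan_last4, amount_cents, cvv in rows:
            approved = authorizer(pan_last4, amount_cents, cvv)
            status = "approved" if approved else "declined"
            # One UPDATE records the result and nulls the CVV, so there is no
            # window in which a row is authorized and still carries the code.
            self.db.execute(
                "UPDATE batch SET status = ?, cvv = NULL WHERE txn_id = ?",
                (status, txn_id),
            )
            results[txn_id] = status
        self.db.commit()
        return results

    def audit(self) -> List[str]:
        """Return txn_ids that break the rule: authorization done but a CVV is still stored."""
        rows = self.db.execute(
            "SELECT txn_id FROM batch WHERE status != 'pending' AND cvv IS NOT NULL"
        )
        return [row[0] for row in rows]


def find_cvv_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan log lines or a text dump for card-verification values; returns (line_no, field)."""
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(lines, 1):
        match = CVV_FIELD.search(line)
        if match:
            hits.append((line_no, match.group(1)))
    return hits


if __name__ == "__main__":
    store = BatchStore()
    store.queue("t1", "4242", 1999, "123")
    store.queue("t2", "1111", 500, "9876")
    # Toy authorizer: approve anything under 10.00 (constructed for the demo).
    print(store.authorize_batch(lambda last4, amount, cvv: amount < 1000))
    print("audit violations:", store.audit())
    # Constructed log lines: the first and third leak a code, the second is clean.
    print(find_cvv_leaks([
        "2024-01-01T10:00:00Z auth ok cvv=123 txn=t1",
        "2024-01-01T10:00:01Z auth ok txn=t2",
        '{"txn": "t3", "cvc2": "4567"}',
    ]))
```

Two caveats a practitioner should keep in mind. Setting a column to NULL in a file-backed database removes the value from the live record but not necessarily from free pages, journals or backups; the article's "securely erased" also covers those, so for SQLite that means `PRAGMA secure_delete = ON` or a vacuum after the purge, and for other stores the equivalent overwrite plus a backup-retention check. And `find_cvv_leaks` only catches codes written with a recognisable field name; application logs that echo whole request bodies are the usual place codes survive, so the real fix is never to log the field at all.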