PCI DSS Compliance Blog: Staying within PCI DSS Requirements when Storing CVC/CVV2 Information

« Element Releases its Account Updater Technology – Helping Companies Securely Update and Maintain Customers’ Card Data | Main | Collecting and Storing AVS, While Staying Within the PCI DSS Requirements »


Staying within PCI DSS Requirements when Storing CVC/CVV2 Information

Card-padlock As more companies work to achieve PCI compliance, questions are arising to gain understanding around what can, and cannot be stored. This type of question has often come up surrounding the handling of CVC and CVV2 card information from the back of credit and debit cards. The answer to this question is vital for companies, as it impacts their ability to achieve PCI compliance.

So, “can you store CVC/CVV2 post authorization and stay within the PCI DSS requirements?” The answer is “no.” According to the PCI DSS requirement 3.2, the storage of sensitive authentication data after authorization is strictly prohibited. Even if this data is encrypted, it is still not allowed. The requirement goes into more detail, stating that you should not store the card-verification code or value (the three or four digit codes on the back of the payment card), which is used to verify card-not-present transactions.

It should be clarified that the PCI DSS does allow the storage of this information up until authorization, however after that it must not be stored. According to Roger Nebel, an independent PCI DSS auditor, “This was done so that merchants who process in batch mode could hold on to the CVV until they process their batch and then get authorization which might take a day or two. After that it must not be stored. Thus once there is authorization, all the places the CVV had been stored, whether on paper or in a file, must be cleansed of the CVV. The service provider and the merchant must not keep it post-authorization. Paper copies need to be shredded, and any and all files, database records, etc., must be securely erased of the CVV.”

For more information on Element’s PCI compliance solutions, please view our PCI Compliance Guide or contact us.


TrackBack URL for this entry:

Listed below are links to weblogs that reference Staying within PCI DSS Requirements when Storing CVC/CVV2 Information:


Complementing.... It is important to consider this PCI DSS V2.0 Note:
"It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a
business justification and the data is stored securely".

This note is new for 2.0 version, was important to clarify that issue.

The comments to this entry are closed.

Search Blog

Your email address:

Bookmark and Share


About PCI DSS Compliance Blog

Email Us

PCI Compliance Resources

Industry News on Twitter

Visit Element on