Did you know? PCI-DSS forbids storage of CVV

Did you know? PCI-DSS forbids storage of CVV

A recent Ecommerce Checkout Report stated that “55% of the Top 100 retailers require shoppers to give a CVV2, CID, or CVC number during the checkout process.” That’s great for anti-fraud and customer verification purposes, but it also creates a high level of risk around inappropriate information storage.

To clarify, the CVV (Card Verification Value) is actually a part of the of the magnetic track data in the card itself. CVV2/CVC2/CID information is the 3 or 4 digit code on the back of the signature strip of a credit or debit card (or on the front of American Express cards).

The Payment Card Industry Data Security Standard (PCI DSS) clearly states* that there are three pieces of data that may not be stored after authorization is complete (regardless of whether you are handling card-present or card-not-present transactions):

  1. Magnetic stripe data (Track 1 or 2)
  2. PIN block data (and, yes, this means ‘encrypted PIN block’ too)
  3. CVV2/CVC2/CID

– Ananth