The CVV number is data that cannot be retained or stored.
A card verification code or value (referred to as CAV2, CVC2, CVV2, or CID, depending on the payment brand) is a 3- or 4-digit number found on a payment card's front or back. These values are considered sensitive authentication data (SAD) and must not be stored after authorization, in accordance with PCI DSS Requirement 3.2.
Card verification codes/values are typically used for authorization in card-not-present transactions. They are unnecessary for card-on-file or recurring transactions, and storing them for these purposes is prohibited under PCI DSS Requirement 3.2.
PCI DSS allows the collection of card verification codes/values before authorization of a specific purchase or transaction but strictly prohibits their retention after authorization. Some service providers may offer a concierge-style service that retains cardholder details for potential future transactions, but even this is prohibited under PCI DSS Requirement 3.2.
To comply with Requirement 3.2, all card verification codes/values must be entirely removed from an entity's systems. Cryptographic techniques cannot be used as a workaround. Any process claiming to remove these codes/values but still able to retrieve them for future authorization requires assessment by a qualified assessor (QSA or ISA) to confirm complete removal.
It's important to note that PCI DSS Requirement 3.2 applies regardless of any customer permission to store sensitive authentication data. Customer requests or approvals do not override PCI DSS rules.
Merchants and service providers should consult their acquirer (merchant bank) or payment brands for guidance on processing recurring or card-on-file transactions without the need for transmitting or storing prohibited data.
The PCI DSS is a global standard and is applicable to all entities that process, transmit or store cardholder data regardless of geographic location.
You can get many more answers to your questions about PCI at this URL.