Did you know that the Frequently Asked Questions (FAQ) resource on the PCI SSC website is updated regularly to address common questions the PCI SSC receives from stakeholders? This searchable tool includes a library of questions and answers on a variety of topics across PCI Security Standards and programs. In this blog series we highlight some of our most viewed FAQs. Here we look at FAQ article 1280 on storage of card verification codes/values.
Q: Can card verification codes/values be stored for card-on-file or recurring transactions?
A: A card verification code or value (also referred to as CAV2, CVC2, CVV2, or CID, depending on the payment brand) is the 3- or 4-digit number printed on the front or back of a payment card. These values are considered sensitive authentication data (SAD), which, in accordance with PCI DSS Requirement 3.2, must not be stored after authorization.*
Card verification codes/values are typically used for authorization in card-not-present transactions. These values are not needed for card-on-file or recurring transactions, and storage for these purposes is prohibited under PCI DSS Requirement 3.2.
PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which they were collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.
All card verification codes/values must be completely removed from the entity’s systems in order to comply with Requirement 3.2. The requirement to not store sensitive authentication data cannot be met by the use of cryptographic techniques. Any service or process that claims to “remove” card verification codes/values from storage, yet is able to retrieve them for future authorization, would need to be assessed (e.g. by a QSA or ISA), to confirm that all card verification codes/values have been truly removed from the entity’s systems and are not being stored in any way, shape or form.
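The handling pattern described above, as an added example that is not part of the FAQ or of any PCI SSC code: the card verification value lives only in the in-memory authorization request, the persisted card-on-file record never contains it, and a small assessment helper flags any persisted field that still carries SAD, whether or not its name suggests it was "encrypted". Gateway behaviour, field names and reference values are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Field names that denote sensitive authentication data (SAD). A prefix such as
# "enc_" or "hashed_" does not change the verdict: encrypted SAD is still stored SAD.
SAD_KEY = re.compile(
    r"(?<![a-z])(cvv2?|cvc2|cav2|cid|card_?verification|security_?code)(?![a-z])", re.I)


@dataclass
class AuthRequest:
    pan_token: str          # tokenized PAN from the gateway (constructed value)
    expiry: str
    cvv: Optional[str]      # SAD: needed for the initial authorization only


def authorize(req: AuthRequest, card_on_file: bool = False) -> str:
    """Stand-in for the acquirer/gateway call; returns an authorization reference."""
    if card_on_file:
        # Recurring / card-on-file charges are authorized without any SAD.
        if req.cvv is not None:
            raise ValueError("card-on-file authorization must not carry a CVV")
    elif req.cvv is None or not (req.cvv.isdigit() and 3 <= len(req.cvv) <= 4):
        raise ValueError("card verification value missing or malformed")
    return "auth-ref-0001"  # constructed reference


def authorize_and_store(req: AuthRequest, store: Dict[str, Dict[str, Any]]) -> str:
    """Initial authorization, then persist a card-on-file record that carries no SAD."""
    ref = authorize(req)
    req.cvv = None          # discard SAD the moment authorization completes
    store[req.pan_token] = {"pan_token": req.pan_token,
                            "expiry": req.expiry, "auth_reference": ref}
    return ref


def recurring_charge(store: Dict[str, Dict[str, Any]], pan_token: str) -> str:
    """Later charge against the stored profile: no CVV exists to send, and none is needed."""
    rec = store[pan_token]
    return authorize(AuthRequest(rec["pan_token"], rec["expiry"], None), card_on_file=True)


def find_stored_sad(store: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Assessment helper: (record id, field) pairs where a SAD-named field is persisted."""
    return [(rid, key) for rid, rec in store.items() for key in rec if SAD_KEY.search(key)]
```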
It should also be noted that PCI DSS Requirement 3.2 applies regardless of any permission the entity may have received from their customer to store the sensitive authentication data on their behalf. A customer’s request or approval for an entity to retain the card verification codes/values has no validity for PCI DSS and does not constitute an allowance to store the data.
Merchants and their service providers should contact their acquirer (merchant bank) or the payment brands directly, as applicable, for guidance on how to process recurring or card-on-file transactions without requiring transmission or storage of the prohibited data. Contact details for the payment brands can be found in FAQ #1142, "How do I contact the payment card brands?"
* Only issuers or those providing issuing services may have a legitimate business need to store SAD after an authorization.