Merchants are prohibited from storing CVV, CVV2, CVC2 & CID per PCI standards

Posted on Monday, October 08, 2007

A Card Verification Value code, CVV, (CVV2 for Visa, CVC2 for MasterCard and CID for AMEX) is the three or four digit number located either on the front or back of a credit or debit card. Merchant's can request the CVV code from card holders as another way to screen fraudulent transactions. The idea is that someone using a stolen credit card is less likely to have this code so they will be unable to complete the transaction. With most payment systems, you can adjust settings to automatically reject transactions where the CVV code does not match the card number.

The effectiveness of this code is limited to the ability to keep it out of the hands of criminals, which is why it is prohibited by PCI Standards from being stored. For merchants who charge customers on a recurring basis, the CVV code can be used with the initial transaction but cannot be stored for future transactions. The use of the CVV code does not affect the rate you are charged. It only helps with reducing fraudulent transactions by verifying the identity of your customers. The CVV code is not needed to handle chargeback requests. So if you're currently storing CVV numbers, it may be a good idea to reassess your procedures and delete them from your system as soon as possible. Here is a simple graph demonstrating what can and cannot be stored.

 Other related posts:
PCI DSS Compliance and the cost of a credit card breach
PCI DSS Compliance basics for credit card security
Braintree solutions: The Smart Approach to PCI DSS Compliance

---

---

Post a comment

Your Name

Your Email Address
(required, but not displayed)

Your Web Address
(optional)

Your Comment