About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.


Merchants are prohibited from storing CVV, CVV2, CVC2 & CID per PCI standards

Posted on 8 October, 2007 under PCI DSS Compliance by Bryan Johnson

A Card Verification Value code, CVV (CVV2 for Visa, CVC2 for MasterCard and CID for AMEX), is the three- or four-digit number printed on either the front or the back of a credit or debit card. Merchants can request the CVV code from cardholders as another way to screen for fraudulent transactions. The idea is that someone using a stolen credit card is less likely to have this code, so they will be unable to complete the transaction. With most payment systems, you can adjust settings to automatically reject transactions where the supplied CVV code does not match the card number.

The effectiveness of this code depends entirely on keeping it out of the hands of hackers and thieves, which is why PCI standards prohibit storing it.

For merchants who charge customers on a recurring basis, the CVV code can be used with the initial transaction but cannot be stored for future transactions.

The use of the CVV code does not affect the rate you are charged. It only helps reduce fraudulent transactions by verifying the identity of your customers. The CVV code is not needed to handle chargeback requests.

So if you're currently storing CVV numbers, it may be a good idea to reassess your procedures and delete them from your system as soon as possible. Here is a simple chart showing what can and cannot be stored.

[Image: storage-chart.jpg, chart of what card data can and cannot be stored]
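The recurring-billing rule above in working form, as an added example that is not part of the original post: the CVV travels only in the first authorization request, the record kept on file for later charges never contains it, and two small audit checks flag any stored record or log line where it has leaked. The key names and sample values are this example's own; the PAN is kept only in truncated form here, whereas a real card-on-file setup would hold it encrypted or as a processor reference.

```python
"""Added example: keep the CVV out of storage and logs for recurring billing."""
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
# These key names are this example's own convention, not a standard.
PROHIBITED_KEYS = {"cvv", "cvv2", "cvc2", "cid", "track_data", "pin", "pin_block"}
# Catches "cvv=123"-style values in free-text logs (3 or 4 digits; AMEX CID has 4).
CVV_LEAK = re.compile(r"\b(cvv2?|cvc2|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def initial_authorization(card: dict, amount_cents: int) -> dict:
    """First charge: the CVV is passed to the processor once and then dropped."""
    req = {k: card[k] for k in ("pan", "expiry", "cardholder")}
    req["amount_cents"] = amount_cents
    if card.get("cvv"):
        req["cvv"] = card["cvv"]
    return req


def card_on_file(card: dict) -> dict:
    """Record kept for recurring billing: no CVV, PAN only as last four digits."""
    return {"pan_last4": card["pan"][-4:], "expiry": card["expiry"],
            "cardholder": card["cardholder"]}


def recurring_authorization(stored: dict, amount_cents: int) -> dict:
    """Later charges are built from the stored record alone, so no CVV exists."""
    return {**stored, "amount_cents": amount_cents}


def prohibited_fields(record: dict) -> set:
    """Audit check: which prohibited keys (with a non-empty value) does a record hold?"""
    return {k for k, v in record.items() if k.lower() in PROHIBITED_KEYS and v}


def cvv_leaks(log_lines) -> list:
    """Audit check: which log lines contain a CVV-style value?"""
    return [line for line in log_lines if CVV_LEAK.search(line)]


if __name__ == "__main__":
    # Constructed sample card; 4111... is a well-known test number, not a real account.
    card = {"pan": "4111111111111111", "expiry": "12/09",
            "cardholder": "A. Example", "cvv": "123"}
    print(prohibited_fields(initial_authorization(card, 1999)))  # {'cvv'} (sent, not stored)
    print(prohibited_fields(card_on_file(card)))                 # set()
    logs = ["auth ok pan=****1111", "DEBUG request cvv=123 amount=1999"]  # constructed
    print(cvv_leaks(logs))
```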

2 Comments so far

# Posted by kiran H on 20 May, 2008:

This is a great article. I knew storing CVV is against PCI rules, but was trying to figure out whether it is required for recurring transactions. Seems like it is not. But I don't see that documented on any of the Visa or MasterCard sites. Could you please clarify?

# Posted by Bryan Johnson on 30 May, 2008:

@ Kiran - Here is a link to the official PCI DSS standard. On page three you’ll see the permitted and non-permitted data that can be stored.

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
