PCI Compliance and Temporarily Storing the CVV2 Value
Posted on Friday, April 04, 2008
I’ve been working with a software provider in the restaurant space, and one of the questions that came up was whether a restaurant can temporarily store the Card Verification Value (CVV2, CVC2 and CID) when taking a reservation, so that it can later charge the card if the customer does not show. The word from the PCI Security Standards Council has been that the CVV value can never be stored after authorization. There are, however, a few exceptions provided for merchants that have a need to ‘store and forward’ the data.
I spoke to a few folks about this, including Brian Serra, CISSP, QSA from Accuvant, and Michael Dahn at the Aegenis Group. For merchants that are given an exception to temporarily store the CVV value, there is always a limited number of days the data can be retained. It’s also ultimately up to the specific merchant’s acquirer whether the practice will be allowed, since the acquirer bears the responsibility for the merchant’s compliance.
Comments
David Bergert said on Friday, April 04, 2008:
CVV2, CVC2 and the like are typically used in MOTO and/or card-not-present transactions. I'm confused as to why a restaurant would even ask for this information; as you stated in another post, CVV2 does not affect interchange. Was this designed for chargeback protection in case the cardholder issued a chargeback for the reservation they didn't attend?
Bryan Johnson said on Tuesday, April 08, 2008:
David - you're right, outside of additional chargeback protection there is no reason why these restaurants should want to collect CVV2 data. But in this situation, I don't think that chargeback protection is compelling as most restaurants would never actually charge a customer for not showing. Fraud is unlikely because criminals have better things to do than make reservations with stolen cc data. So in the end, this issue just boiled down to the software provider trying to balance the preferences of existing customers who had always collected this data before (under the assumption that it affects rates) and PCI requirements.
Mike said on Thursday, April 10, 2008:
I recently returned from Europe, where this is a much more common practice in the restaurant industry. There are a couple of things worth noting. First, there actually are quite a few restaurants that charge diners if they fail to show for a reservation. The collection of the CVV is in fact about chargeback protection. However, it goes one step further. Some restaurants simply can't process a card without the CVV. While it's ultimately not required to charge a card, their processing company has configured the equipment to REQUIRE the CVV (i.e. the restaurant doesn't have a choice). The processor won't modify the configuration because they end up paying a higher fee. Since this is common in a city like London, there isn't an option to simply seek out a different processor. The bottom line is that a restaurant interested in charging a card, especially in Europe, has to collect the CVV.
Bryan Johnson said on Saturday, April 12, 2008:
@ Mike - thank you for your insights. Did you learn the difference in rate that a processor charges the merchant for not using the CVV2?
thomas said on Thursday, May 29, 2008:
I want a CVV grapher software.
Bryan Johnson said on Friday, May 30, 2008:
@ Thomas - not sure what that is....