Braintree Payment Solutions
About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.



PCI Compliance and Temporarily Storing the CVV2 Value

Posted on 4 April, 2008 under Credit Card Processing, PCI DSS Compliance by Bryan Johnson

I’ve been working with a software provider in the restaurant space, and one of the questions that came up was whether a restaurant can temporarily store the CVV2 value when taking a reservation to later charge the card if the customer does not show. The word from the PCI Security Standards Council has been that the CVV2 value can never be stored. There are, however, a few exceptions provided for merchants that have a need to ‘store and forward’ the data.

I spoke to a few folks about this, including Brian Serra CISSP, QSA from Accuvant and Michael Dahn at the Aegenis Group. For merchants that are given an exception to temporarily store the CVV2 value, there is always a limited number of days the data can be retained. It’s also ultimately up to the specific merchant’s acquirer whether the practice will be allowed, as they bear the responsibility for the merchant’s compliance.


6 Comments so far

# Posted by David Bergert on 4 April, 2008:

CVV2, CVC2 and the like is typically used in MOTO and/or card not present transactions. I’m confused as to why a restaurant would even ask for this information - as you stated in another post, CVV2 does not affect interchange. Was this designed for chargeback protection in case the cardholder issued a chargeback for the reservation they didn’t attend?

# Posted by Bryan Johnson on 8 April, 2008:

David - you’re right, outside of additional chargeback protection there is no reason why these restaurants should want to collect CVV2 data. But in this situation, I don’t think that chargeback protection is compelling as most restaurants would never actually charge a customer for not showing. Fraud is unlikely because criminals have better things to do than make reservations with stolen cc data. So in the end, this issue just boiled down to the software provider trying to balance the preferences of existing customers who had always collected this data before (under the assumption that it affects rates) and PCI requirements.

# Posted by Mike on 10 April, 2008:

I recently returned from Europe where this is a much more common practice in the restaurant industry. There are a couple of things worth noting. First, there actually are quite a few restaurants that charge diners if they fail to show for a reservation. The collection of the CVV is in fact about chargeback protection. However, it goes one step further. Some restaurants simply can’t process a card without the CVV. While it’s ultimately not required to charge a card, their processing company has configured the equipment to REQUIRE the CVV (i.e. the restaurant doesn’t have a choice). The processor won’t modify the configuration because they end up paying a higher fee. Since this is common in a city like London, there isn’t an option to simply seek out a different processor. The bottom line is that a restaurant interested in charging a card, especially in Europe, has to collect the CVV.

# Posted by Bryan Johnson on 12 April, 2008:

@ Mike - thank you for your insights. Did you learn the difference in rate that a processor charges the merchant for not using the CVV2?

# Posted by thomas on 29 May, 2008:

I want a cvv grapher software

# Posted by Bryan Johnson on 30 May, 2008:

@ Thomas - not sure what that is….
