Card Verification Codes: PCI Rules for Data Storage

In today’s dynamic payment industry, merchants often look to store cardholder data for various reasons, including card-on-file transactions and recurring payments. Developers and Independent Software Vendors (ISV) must be aware of how to meet these needs and develop payment solutions that can be used in a PCI compliant manner. One important aspect is to be aware of the rules that apply to the storage of specific types of account data, specifically the Card Verification Value or equivalent data.

Data associated with a credit card account, known as Account Data, can be classified as either Cardholder Data (CHD) or Sensitive Authentication Data (SAD). Card Verification Codes or Values are types of data necessary for the authorization of digital payments. They are considered Sensitive Authentication Data and are therefore subject to applicable PCI-DSS requirements. PCI-DSS requirements specify that SAD can never be stored after authorization.

Cardholders rely on merchants to protect payment card data to avoid compromise of Sensitive Authentication Data, thereby thwarting possible theft and misuse. In turn, the merchants depend on ISVs and developers of payment solutions to produce secure platforms that can be used in a PCI compliant environment.

What are card verification codes and values?

The term Card Verification Code or Value refers to the three or four digit code that is typically printed on the back (can be on the front) of a payment card. Depending on the card issuer, this information is called CID, CVC2, CVV2 or CAV2.

Card verification codes are a security feature typically used in a card-not-present environment (e-commerce, mail order/telephone order). The intent of this code is to ensure that the customer has the physical card during transactions where the merchant is unable to physically swipe the card. CVV data is not necessary for card-on-file transactions or recurring payments, and storage of this data is prohibited by the PCI-Data Security Standard.

Can any type of Sensitive Authentication Data be stored?

Payment Card Industry - Data Security Standard (PCI-DSS) requirement 3.2 states that Sensitive Authentication Data can never be stored after authorization is completed. This means that the data can be collected for the purposes of authorizing a payment transaction, but must be deleted once authorization is completed.

How can verification codes/values be erased?

Developers of payment solutions must develop secure deletion techniques to confirm deletion of Sensitive Authentication Data after payment authorization. Encryption of this data is not sufficient; all data must be securely deleted so that it is unrecoverable.

What if consumers authorized storage?

Customers/cardholders cannot authorize storage of this data. In the case of a recurring or card-on-file transaction, the CVV is not expected. PCI-DSS requirement 3.2.2 specifically prohibits storage of the card verification code or value after authorization. The only entity that can ever store this data is an issuer, and only under very specific reasons.

Conclusion

Cardholders and merchants rely on ISVs and developers of payment solutions to protect Sensitive Authentication Data (SAD). ISVs and developers can ensure this by being aware of the requirements surrounding data storage and by producing secure platforms that can be used in a PCI compliant environment. Contact us today to learn more about PCI compliance.

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.

View Profile

Richard Rohena