PCI Compliance and Temporarily Storing the CVV2 Value
Posted on April 04, 2008
I’ve been working with a software provider in the restaurant space, and one of the questions that came up was whether a restaurant can temporarily store the Card Verification Value (CVV2, CVC2 and CID) when taking a reservation to later charge the card if the customer does not show. The word from the PCI Security Standards Council has been that the CVV value can never be stored. There are, however, a few exceptions provided for merchants that have a need to ‘store and forward’ the data.
I spoke to a few folks about this, including Brian Serra, CISSP, QSA, from Accuvant and Michael Dahn at the Aegenis Group. For merchants that are given an exception to temporarily store the CVV value, there is always a limited number of days the data can be retained. It’s also ultimately up to the specific merchant’s acquirer whether the practice will be allowed – as they bear the responsibility for the merchant’s compliance.
