Merchants who persist in storing credit card data, including CVV codes, do not meet PCI compliance standards. It is never OK to store the CVV code. One of the most common reasons merchants do it anyway is corporate accounts: the merchant has the customer sign a document that says it is OK to charge their card on an ongoing basis for services rendered or hard goods delivered, and the form contains an area for the customer to enter their card information, including the CVV code.
The merchant should avoid storing the CVV code by simply not having a space for it on the form. When the first transaction is processed, call the customer for the CVV code. If you write it down, securely shred it once the transaction is complete. The purpose of the code is to protect against fraud by validating the card. Once you have run an AVS check and a CVV check for a card-not-present transaction, there is no reason to keep the CVV. You already know the customer!
If you keep other card data on file, it should be in a locked cabinet with restricted access. A better alternative is a secure host-based processing solution that offers recurring billing: the host stores the encrypted card data off site, and never the CVV.
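The card-on-file process above, as an added example that is not from the original post: the CVV is used once for the first, host-validated charge and only a token, last four digits and expiry are kept for recurring billing, plus a check that scans stored records for any CVV field that slipped in. The host call, the token format and the CVV field-name list are assumptions.

```python
"""Added example (not from the original post): keep the CVV out of the
card-on-file record while still using it once for the first authorization."""
import hashlib
import re
from dataclasses import dataclass, asdict

# Field names that must never appear in persisted card data (assumed list).
CVV_KEY = re.compile(r"^(cvv2?|cvc2?|cid|security_?code)$", re.IGNORECASE)


@dataclass(frozen=True)
class CardOnFile:
    """What the merchant may keep for recurring billing: token, last 4, expiry."""
    token: str      # processor token standing in for the PAN (hypothetical format)
    last4: str
    exp_month: int
    exp_year: int


def fake_host_authorize(pan: str, cvv: str) -> str:
    """Stand-in for the host-based processor's first, CVV-validated charge.
    A real host would run the AVS and CVV checks and hand back a recurring
    token; this constructed version only derives a token and keeps no CVV."""
    assert cvv.isdigit() and len(cvv) in (3, 4), "CVV needed for the first charge"
    return "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:16]


def first_charge_and_file(form: dict) -> CardOnFile:
    """Run the first charge with the CVV the customer gave over the phone,
    then return only the record that is safe to keep on file."""
    pan = re.sub(r"\D", "", form["pan"])
    token = fake_host_authorize(pan, form["cvv"])
    # The CVV lives only in `form` for this call; nothing below copies it.
    return CardOnFile(token=token, last4=pan[-4:],
                      exp_month=int(form["exp_month"]), exp_year=int(form["exp_year"]))


def records_with_cvv(records: list) -> list:
    """Detection check over a stored file: indexes of records carrying a CVV field."""
    return [i for i, rec in enumerate(records) if any(CVV_KEY.match(k) for k in rec)]


if __name__ == "__main__":
    # Constructed form data; the PAN is a standard test number, not a real card.
    form = {"pan": "4111 1111 1111 1111", "exp_month": "12", "exp_year": "2030", "cvv": "123"}
    on_file = first_charge_and_file(form)
    print(asdict(on_file), records_with_cvv([asdict(on_file), {"token": "x", "CVV": "123"}]))
```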
Links for PCI Data Security Standards.
Links to blog articles about PCI Compliance for credit card processing – hit the ‘older articles’ button at the bottom of the page for more articles.