Storing CVV codes so you can rebill

Merchants who persist in storing credit card data, including CVV codes, do not meet PCI compliance standards. It is never OK to store the CVV code. One of the most common reasons merchants do it is corporate accounts: the merchant has the customer sign a document saying it is OK to charge their card on an ongoing basis for services rendered or hard goods delivered, and the form contains an area for the customer to enter their card information, including the CVV code.

The merchant should avoid storing the CVV code by simply not having a space for it on the form. At the time the first transaction is processed, call the customer for the CVV code. If you write it down, securely shred it once the transaction is complete. The purpose of the code is to protect against fraud by validating the card. Once you have run AVS and CVV checks on a card-not-present transaction, there is no reason to store the CVV again. You already know the customer!

If you file other card data, it should be in a locked cabinet with restricted access. A better alternative is a secure host-based processing solution that offers recurring billing. The host stores encrypted data off-site, and never the CVV.
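The workflow above (check AVS and CVV once at the first charge, keep only what a recurring charge needs, never the CVV) is easy to get wrong in a home-grown customer file. The following is an added illustration, not code from this blog or from any processor: the token is a placeholder for the opaque reference a hosted, tokenizing gateway would return after the first authorization, the field names are assumptions, and the audit scanner shows how to find CVV or full card numbers that have crept into stored records.

```python
"""Recurring-billing profile that never persists the CVV, plus an audit
scanner for records that still do. Added example; not the post's code and
not any real gateway's API (token format and field names are assumptions)."""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class FirstChargeInput:
    """Card data supplied once, at the initial card-not-present transaction."""
    pan: str        # full card number, used only for this authorization
    expiry: str     # MM/YY
    cvv: str        # used for the CVV check, then discarded
    zip_code: str   # used for the AVS check, then discarded


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit string; anything under 13 digits is rejected."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def authorize_first_charge(card: FirstChargeInput) -> dict:
    """Simulated first authorization. AVS and CVV are validated here and the
    returned profile carries only what a later recurring charge needs."""
    if not luhn_ok(card.pan):
        raise ValueError("card number fails Luhn check")
    if not re.fullmatch(r"\d{3,4}", card.cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    if not re.fullmatch(r"\d{5}", card.zip_code):
        raise ValueError("AVS needs a 5-digit ZIP")
    # Placeholder for the gateway's token; a real host returns an opaque id
    # that only that host can map back to the card.
    token = "tok_" + secrets.token_hex(8)
    return {
        "token": token,
        "last4": card.pan[-4:],
        "expiry": card.expiry,
        # Deliberately no PAN, no CVV, no ZIP: nothing here lets a thief reuse the card.
    }


# Field names that indicate a stored CVV, whatever the value looks like.
FORBIDDEN_KEYS = re.compile(r"^(cvv2?|cvc2?|cid|csc|security_code)$", re.IGNORECASE)


def audit_stored_records(records: list[dict]) -> list[str]:
    """Return one finding per field that holds a CVV or a full card number."""
    findings = []
    for i, rec in enumerate(records):
        for key, value in rec.items():
            if FORBIDDEN_KEYS.match(key):
                findings.append(f"record {i}: field {key!r} looks like a CVV")
                continue
            if isinstance(value, str):
                digits = re.sub(r"[\s-]", "", value)
                if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
                    findings.append(f"record {i}: field {key!r} holds a full card number")
    return findings


# Constructed sample of what a merchant's "customer file" might contain.
SAMPLE_RECORDS = [
    {"token": "tok_abc123", "last4": "4242", "expiry": "12/27"},       # compliant
    {"pan": "4111111111111111", "expiry": "01/26", "cvv": "123"},      # PAN and CVV
    {"customer": "Acme Corp", "card_number": "4242 4242 4242 4242"},  # PAN in a free field
]


if __name__ == "__main__":
    profile = authorize_first_charge(
        FirstChargeInput(pan="4111111111111111", expiry="12/27", cvv="123", zip_code="90210")
    )
    print("stored profile:", profile)
    for finding in audit_stored_records(SAMPLE_RECORDS):
        print(finding)
```

The profile returned by `authorize_first_charge` is the only thing worth writing to disk; the `FirstChargeInput` object goes out of scope and is never serialized. Running `audit_stored_records` over an existing customer table is a quick way to confirm that no CVV or full card number survived a past workflow.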

Links for PCI Data Security Standards.

Links to blog articles about PCI Compliance for credit card processing – hit the ‘older articles’ button at the bottom of page for more articles.

2 thoughts on “Storing CVV codes so you can rebill”

  1. I have a question about receiving a CVV number via email and getting the rest of the cc info via a secure (https) connection to a website. Since the CVV code is not stored on the site and the email is not given to the host, does this meet PCI standards?

    • This would require some extensive digging, and there is probably not enough information to answer with any accuracy. I’ll comment. Why would anyone need to capture CVV this way? Wouldn’t the CVV only be useful if you marry it with stored payment data at some point? So the stored payment information that you acquired via an SSL connection contains full card data?
      Whatever limitation exists that requires you to get the CVV via an email is more than likely a result of a risky payment processing workflow. The CVV question is moot. The overall payment workflow is probably not PCI compliant.
