We’ve talked quite a bit about PCI DSS and PCI compliance recently. Today we want to talk about some of the requirements for storing particular types of PCI card data—namely, CVV.

When many people think of cardholder data, the first thing that comes to mind is the card number on the front of the payment card. There is, however, other information on the card, known as sensitive authentication data. We’ll explain that in detail in the following sections.

If your e-commerce company handles or stores cardholder data, it’s important to make sure you achieve and maintain PCI DSS (Payment Card Industry Data Security Standard) compliance. Not doing so can lead to expensive fines for your business or suspension from payment card processing. 

In this post, we’ll explore the CVV code, the rules for storing it, how that code relates to PCI data, and the role it plays in PCI compliance.

PCI Compliance CVV Guidance

What is CVV? 

CVV stands for “card verification value,” and all major brands of credit or debit cards (Visa, American Express, Mastercard, or Discover) include some form of CVV on every card. 

The CVV number (also known as CVV2, CVC2, CAV2, and CID) is a three- or four-digit code on the front or back of the card. Merchants and service providers use it to verify that you have the physical card during a credit card transaction, and thus to reduce the chance of fraud.

Is CVV Considered PCI Data? 

In short, yes.

The PCI SSC (Payment Card Industry Security Standards Council) was formed by the major credit card companies to manage the evolution of the PCI DSS (Payment Card Industry Data Security Standard).

According to the PCI DSS, payment card data includes the full primary account number (PAN), the cardholder’s full name, the credit card service code, and the expiration date. It also includes sensitive authentication data in the magnetic stripe on the back of the card, plus any CAV2, CVC2, CVV2, CID, PINs, and PIN blocks.

What are the PCI compliance rules for CVV storage?

We can take the following straight from the PCI standard itself:

“(3.2.2.) Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after payment processing authorization is complete.”

Put simply, once a merchant uses the CVV to verify card ownership at the point of sale, that CVV data should not be retained. 
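One way to put requirement 3.2.2 into practice is to strip sensitive authentication data from the transaction record at the moment the authorization response comes back, before anything is written to a database or log, and then periodically audit what was stored. The example below is added here and is not code from the original post or from ZenGRC; the field names (`cvv2`, `pan`, `track2`, `notes`, and so on), the `mask_pan` first-six/last-four rule, the Luhn check and the sample records are all assumptions constructed for the example. The audit goes slightly beyond the post by also flagging a full PAN that turns up in a free-text field, since name-based filtering alone will miss that.

```python
"""Added example: drop sensitive authentication data (SAD) from a payment
record before it is persisted, and audit stored records for anything that
slipped through. Field names and sample data are constructed for this example."""
from __future__ import annotations

import re
from typing import Any

# Fields PCI DSS classes as sensitive authentication data: the post's list of
# CAV2/CVC2/CVV2/CID, PIN and PIN block, plus magnetic-stripe track data.
# None of these may be stored once authorization has completed (Req. 3.2.2).
SAD_FIELDS = frozenset({
    "cvv", "cvv2", "cvc2", "cav2", "cid", "card_verification_value",
    "track1", "track2", "magnetic_stripe", "pin", "pin_block",
})

# Any run of 13-19 digits is a candidate PAN; the Luhn check weeds out most noise.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a PAN (assumed masking rule)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def to_storable_record(auth_request: dict[str, Any], auth_response: dict[str, Any]) -> dict[str, Any]:
    """Build the record that may be kept after authorization.

    SAD fields are dropped outright, the PAN is replaced by its masked form, and
    the remaining fields (cardholder name, expiry, order metadata) are copied.
    """
    record: dict[str, Any] = {}
    for key, value in auth_request.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue  # never written anywhere, not even to a log line
        if name == "pan":
            record["pan_masked"] = mask_pan(str(value))
        else:
            record[name] = value
    # Only the outcome of authorization is kept, not the request that produced it.
    record["approved"] = bool(auth_response.get("approved", False))
    record["auth_code"] = auth_response.get("auth_code")
    return record


def audit_stored_records(records: list[dict[str, Any]]) -> list[tuple[int, str, str]]:
    """Scan persisted records and report (index, field, reason) for SAD or cleartext PAN.

    The second check catches a full PAN pasted into a free-text field such as
    'notes', which field-name filtering alone would miss.
    """
    findings: list[tuple[int, str, str]] = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            name = key.lower()
            if name in SAD_FIELDS:
                findings.append((idx, key, "sensitive authentication data stored"))
                continue
            if name != "pan_masked" and isinstance(value, str):
                for cand in PAN_CANDIDATE.findall(value):
                    if luhn_ok(cand):
                        findings.append((idx, key, "cleartext PAN"))
                        break
    return findings


if __name__ == "__main__":
    # Constructed sample: a card-not-present request and the processor's reply.
    request = {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",
               "expiry": "12/29", "cvv2": "123", "order_id": "A-1001"}
    response = {"approved": True, "auth_code": "Z9K2"}
    stored = to_storable_record(request, response)
    print("stored record:", stored)
    # Constructed sample of what a poorly written system might have persisted.
    leaky = [{"pan_masked": "411111******1111", "cvv": "123"},
             {"notes": "customer called, card 4111111111111111 declined"}]
    for finding in audit_stored_records(leaky):
        print("finding:", finding)
```

The storable record keeps the masked PAN, name, expiry and the authorization outcome, and the CVV2 value never leaves the request object; the audit function is the check to run over existing tables, exports and application logs, which in practice is where retained CVV data is most often found.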

How can I make sure I’m PCI-compliant regarding CVV storage?

Payment applications and payment processors that meet PCI DSS requirements reduce the likelihood of a security breach, and with it the chance that PAN, full track data, card verification codes and values, PINs, and PIN blocks are compromised, along with the damaging fraud that follows such a compromise.

If you need help ensuring PCI compliance, ZenGRC can help. Our tool helps you track and manage your risks, identify where you are compliant with PCI DSS, where you fall short, and how to fill gaps. And its “single source of truth” repository keeps all your documentation in one place for easy retrieval at audit time.

Worry-free PCI DSS compliance is the Zen way. Contact us today for your free consultation.