FAQ #1319 Diff
Are merchants allowed to request card-verification codes/values from cardholders?
Earlier Version
Later Version
Removed
Added
Yes. Card verification codes/values (e.g., CVV2, CVC2, CID, or CAV2) are commonly requested during card-not-present (CNP) transactions such as e-commerce or mail order/telephone order (MOTO) to help verify that the customer is in possession of the card. Card verification codes/values are normaly three- or four- digit code printed on the front or back of a payment card.
Thesevalues are typically usedcodes/values are considered Sensitive Authentication Data (SAD). PCI DSS Requirement 3.3.1.2 strictly prohibits storing them after authorization — even if encrypted.
Merchants must ensure:
These codes are collected only when necessary forcard-not-present (CNP) transactions, where the card is not physically present at the merchant location (for example, during e-commerce or mail order/telephone order transactions). In many cases, it is necessary for the merchantauthorization
They are never stored post-authorization
Systems and processes are configured torequest this information in order to conduct a CNP transaction.
The card verification code or value (also referred to as CVV2, CVC2, CID, or CAV2) is the three- or four- digit code printed on the front or back of a payment card which provides additional assurance that the card is in the possession of the authorized cardholder. Card verification codes/values are considered to be sensitive authentication data (SAD) and merchants and other entities involved in payment card processing are required to strictly protect this data and securely delete it after authorization in accordance with PCI DSS Requirement 3.2.prevent retention
These
Merchants must ensure:
These codes are collected only when necessary for
They are never stored post-authorization
Systems and processes are configured to
The card verification code or value (also referred to as CVV2, CVC2, CID, or CAV2) is the three- or four- digit code printed on the front or back of a payment card which provides additional assurance that the card is in the possession of the authorized cardholder. Card verification codes/values are considered to be sensitive authentication data (SAD) and merchants and other entities involved in payment card processing are required to strictly protect this data and securely delete it after authorization in accordance with PCI DSS Requirement 3.2.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.