Archive for February 7th, 2009

07
Feb
09

Dispelling Rumors – CVV/CVC

By PCIGuru Comments
Categories: PA-DSS, PCI DSS, Requirement 1 - Do not retain full magnetic stripe data, Requirement 2 - Protect stored cardholder data and Requirement 3 - Protect stored cardholder data
Tags: , ,

One of the things I hate about blogs is that they seem to generate more rumors than dispel. One of the reasons I created this blog was to get rid of some of the rumors surrounding the PCI process. Where these rumors come from, I’m not sure. However, the sooner they are dispelled, the more secure we will be.

The rumors I would like to dispel in this posting are related to why merchants seem to think they need to retain the card verification value or code otherwise known as CVV/CVC. It’s that three digit code on the backs of Visa or MasterCard cards and four digit value on the front of American Express cards. Actually, to be correct, American Express calls it the CID. Regardless of what it’s called, it is NOT allowed to be retained once a transaction has been processed.

The first rumor is that by using the CVV/CVC in transactions merchants reduce their interchange fees with their processor and the card brands. This is not true.

What is true is that by including the CVV/CVC value when a merchant submits a transaction for authorization, should a dispute or chargeback situation arise, the processor and/or card brands will reduce their fees on the dispute or chargeback. The rationale being that the processors and card brands assume that by having the CVV/CVC, it is less likely that the transaction will result in a dispute or chargeback.

The second rumor is that merchants conducting repeat transactions need to submit the CVV/CVC for the original and all subsequent transactions. Again, this is false.

There are two ways to conduct such recurring transactions. The easiest way is to use a processor that can provide you with a reference number from the original transaction and then process all subsequent transactions by allowing you to use the reference number so that your organization does not have to store the cardholder information. The other option is for your organization to store the cardholder’s name, account number and expiration date. Of course, if your organization is storing this information, you need to ensure it is stored securely either by encrypting it if on a computer or physically securing it if using a manual system.

Advertisement

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

February 2009
M T W T F S S
 1
2345678
9101112131415
16171819202122
232425262728