Dispelling Rumors – CVV/CVC

One of the things I hate about blogs is that they seem to generate more rumors than they dispel. One of the reasons I created this blog was to get rid of some of the rumors surrounding the PCI process. Where these rumors come from, I'm not sure. However, the sooner they are dispelled, the more secure we will all be.

The rumors I would like to dispel in this post concern why merchants seem to think they need to retain the card verification value or code, otherwise known as CVV/CVC. It's the three digit code on the back of Visa and MasterCard cards and the four digit value on the front of American Express cards, which American Express calls the CID. Whatever it's called, PCI DSS classifies it as sensitive authentication data: it may be sent to obtain an authorization, but it is NOT allowed to be retained once the transaction has been authorized, not even in encrypted form.

The first rumor is that by including the CVV/CVC in transactions, merchants reduce the interchange fees charged by their processor and the card brands. This is not true.

What is true is that including the CVV/CVC when a merchant submits a transaction for authorization can reduce what the processor and/or card brands charge should a dispute or chargeback arise. The rationale is that a merchant who was given the CVV/CVC is more likely to have been dealing with someone holding the actual card, so the transaction is less likely to end in a dispute or chargeback. That benefit comes from sending the value at authorization time; nothing about it requires keeping the value afterward.

The second rumor is that merchants conducting recurring transactions need to submit the CVV/CVC for the original transaction and for every subsequent one, and therefore must keep it. Again, this is false.

There are two ways to conduct such recurring transactions. The easiest is to use a processor that returns a reference number (commonly called a token today) for the original transaction and lets you submit all subsequent transactions against that reference, so your organization never has to store the cardholder data at all. The other option is for your organization to store the cardholder's name, primary account number (PAN) and expiration date, which PCI DSS permits. If you go that route, the PAN must be protected wherever it is stored: rendered unreadable (for example, encrypted with properly managed keys) if it is on a computer, or physically secured if you use a manual system. In neither case is the CVV/CVC stored: it is submitted with the original authorization and then discarded, and the subsequent transactions go through without it.
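The two storage options above, plus the receipt and order-confirmation problems raised in the comments below, as an added example that is not code from the original post or from any particular processor. The record layout, the processor reference "ref_8f3c2a", the encryption key (which a real deployment would hold in a key manager, not next to the data) and the sample card data are all assumptions. It builds the record kept after authorization (processor reference preferred, encrypted PAN as the fallback, CVV/CVC never copied), refuses to persist a record that carries any sensitive authentication data field, masks the PAN to its last four digits for receipts, and scans outbound text such as an order confirmation for a CVV label with a value or an unmasked PAN-length number.

```ruby
# Recurring-billing card handling that keeps CVV/CVC/CID out of storage and
# out of customer-facing text. Added example, not code from the original post;
# the record layout, the processor reference and the sample data are assumptions.
require 'openssl'
require 'securerandom'

# Sensitive authentication data (PCI DSS 3.2): never persisted after authorization.
SAD_FIELDS = %i[cvv cvc cvv2 cvc2 cid track1 track2 pin].freeze

# Keep only the last four digits of a PAN, which is all a receipt should show.
def mask_pan(pan)
  digits = pan.gsub(/[ -]/, '')
  return '*' * digits.size if digits.size <= 4
  ('*' * (digits.size - 4)) + digits[-4, 4]
end

# Encrypt a PAN with AES-256-GCM. Returns iv, ciphertext and tag. The key is
# assumed to come from a key manager; it must never sit beside the data.
def encrypt_pan(key, pan)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(pan) + c.final
  { iv: iv, ct: ct, tag: c.auth_tag }
end

# Decrypt only at charge time, to hand the PAN to the processor.
def decrypt_pan(key, blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob[:iv]
  d.auth_tag = blob[:tag]
  d.auth_data = ''
  d.update(blob[:ct]) + d.final # raises OpenSSL::Cipher::CipherError if tampered
end

# Refuse to persist a record carrying any sensitive authentication data field.
def assert_no_sad!(record)
  leaked = record.keys & SAD_FIELDS
  raise ArgumentError, "refusing to store #{leaked.join(', ')}" unless leaked.empty?
  record
end

# Build the record to keep after authorization. `auth` is the transient request
# (name, pan, expiry, cvv); `processor_ref` is the reference the processor
# returned, or nil if it offers none. The CVV is never copied into the record.
def build_recurring_record(auth, processor_ref, key)
  record = { name: auth[:name], expiry: auth[:expiry], last4: auth[:pan][-4, 4] }
  if processor_ref
    record[:processor_ref] = processor_ref # preferred: charge by reference, no PAN kept
  else
    record[:encrypted_pan] = encrypt_pan(key, auth[:pan]) # fallback: encrypted PAN only
  end
  assert_no_sad!(record)
end

# Scan outbound text (order confirmations, receipts, logs) for a CVV-style
# label with a value, or a 13-19 digit number that looks like an unmasked PAN.
def scan_outbound_text(text)
  findings = []
  findings << 'sensitive authentication data label with value' if text =~ /\b(cvv2?|cvc2?|cid|cvn)\b\s*[:=]\s*\d{3,4}\b/i
  text.scan(/\b\d(?:[ -]?\d){12,18}\b/) { |m| findings << "unmasked PAN-length number #{mask_pan(m)}" }
  findings
end

if __FILE__ == $PROGRAM_NAME
  key = SecureRandom.random_bytes(32) # stand-in for a key-manager-held key
  # Constructed sample: a well-known test PAN, not a real card.
  auth = { name: 'A Cardholder', pan: '4111111111111111', expiry: '12/29', cvv: '123' }
  puts build_recurring_record(auth, 'ref_8f3c2a', key).inspect # no :pan, no :cvv
  fallback = build_recurring_record(auth, nil, key)
  puts decrypt_pan(key, fallback[:encrypted_pan]) == auth[:pan]
  puts scan_outbound_text("Card ending #{fallback[:last4]}, exp 12/29").inspect
  puts scan_outbound_text('Card 4111 1111 1111 1111 CVV: 123').inspect
end
```

The reference path is the one to prefer: the merchant keeps a name, an expiry and an opaque reference, and a breach of that table yields nothing a thief can charge elsewhere. The fallback path is the stored-PAN option and exists only for processors that offer no reference; even then the CVV never enters the record, and the outbound scan is the check that catches the confirmation-email mistake from the comments before it reaches a customer.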


6 Responses to “Dispelling Rumors – CVV/CVC”

  1. Owen Griffiths
    July 12, 2013 at 4:54 AM

    I know this is an old thread, but was wondering about the reconfiguring of machines to stop printing merchant receipts with the full card number.

    If it is possible to do on a certain machine would it be an option that a user can set, or would the bank have to send some kind of configuration down the wire. I’ve read the instructions for the machine and receipts aren’t mentioned at all!

    Oh, and regarding CVV, is writing it on a form for processing and then immediately shredding (max. 5 mins later) counted as storage? I'd say it was... but was unsure whether this was acceptable.



    • July 12, 2013 at 1:17 PM

      In regards to your terminal question. I have encountered terminals that are sent out to merchants with no settings enabled to ensure that the terminal is PCI compliant, let alone complying with most countries’ legal requirements for not printing the full PAN on receipts. If you are getting your terminals from your bank or processor, I’m not sure why they allow this to happen, but they do. If you got your terminals from your acquiring bank or processor, then they should be able to assist you with configuring your terminals if there is no manual. If you purchased a terminal from a third party, I would call the third party and get them to assist you with properly configuring the terminal.

      If you are just going to shred it, why are you writing it down? Key it into your terminal, process the transaction and do NOT write anything down. If that does not work for whatever reason, your approach is okay, but you should really change to a solution that does not require anyone writing any cardholder data down on paper.

  2. Bill
    July 3, 2012 at 4:35 PM

    I just completed an online transaction and the retailer sent me an order confirmation that included my CVV in clear text along with my expiration date, card type and last 4 of the c/c number. Is that a compliant use of the CVV, to have it in clear text? My first reaction was that it was a violation, but alas, I do not know. If it is a violation, can you tell me which section, so that I can make the company aware?

    • July 3, 2012 at 5:34 PM

      It violates requirement 3.2 which states, “Do not store sensitive authentication data after authorization (even if encrypted).” It also violates requirement 4.2 which states, “Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).”

      • Bill
        July 3, 2012 at 5:37 PM

        Awesome, thanks for the quick response. I'll let them know when their business office on the East Coast opens tomorrow. There was also a sushi place I went to a couple of years back that had my full c/c number printed on the receipt... Don't know why folks aren't more keyed into these requirements.

      • July 3, 2012 at 7:07 PM

        The receipt issue is not only a PCI issue, but also violates Federal law in the US. However, I would guess 98%+ of the receipt issues in the US and Europe have been addressed. On very rare occasions, you run across a merchant using a very old terminal that is either mis-configured or not even capable of masking the PAN.


If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


February 2009
